CVE-2026-53300

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/06/2026
Last modified:
30/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: enetc: fix NTMP DMA use-after-free issue

The AI-generated review reported a potential DMA use-after-free issue [1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending command is not explicitly aborted, while ntmp_free_data_mem() unconditionally frees the DMA buffer. If the buffer has already been reallocated elsewhere, this may lead to silent memory corruption, because the hardware eventually processes the pending command and performs a DMA write of the response to the physical address of the freed buffer.

To resolve this issue, this patch does the following modifications:

1. Convert cbdr->ring_lock from a spinlock to a mutex

The lock was originally a spinlock in case NTMP operations might be invoked from atomic context. After downstream support for all NTMP tables, no such usage has materialized. A mutex lock is now required because the driver now needs to reclaim used BDs and release associated DMA memory within the lock's context, while dma_free_coherent() might sleep.

2. Introduce software command BD (struct netc_swcbd)

The hardware write-back overwrites the addr and len fields of the BD, so the driver cannot rely on the hardware BD to free the associated DMA memory. The driver now maintains a software shadow BD storing the DMA buffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only reclaims older BDs when the number of used BDs reaches NETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory release. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no longer needed and are removed.

3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()

netc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes consuming the response. At this point, if a concurrent thread submits a new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer while it is still in use. Move ring_lock ownership to the caller to ensure the response buffer cannot be reclaimed prematurely. So the helpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.

These changes eliminate the DMA use-after-free condition and ensure safe and consistent BD reclamation and DMA buffer lifecycle management.
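The deferred-reclaim idea in point 2, as an added user-space model that is not the kernel patch or the driver's code: buffers are freed only from a shadow BD, and only after the simulated device has consumed the hardware BD. All names here (struct hw_bd, struct sw_bd, ring_submit, hw_complete, demo) and the ring size are assumptions; calloc/free stand in for coherent DMA memory and the ring_lock is left out.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define RING_SIZE  32
#define CLEAN_WORK 16 /* same threshold as NETC_CBDR_CLEAN_WORK in the description */
struct hw_bd { uint64_t addr; uint32_t len; };          /* clobbered by write-back */
struct sw_bd { void *buf; uint64_t dma; size_t size; }; /* hypothetical shadow BD */
struct ring {
    struct hw_bd hw[RING_SIZE];
    struct sw_bd sw[RING_SIZE];
    unsigned pi, ci, clean, freed; /* producer, hw consumer, next to reclaim, count */
};
static unsigned ring_used(const struct ring *r) {
    return (r->pi - r->clean + RING_SIZE) % RING_SIZE;
}
/* Reclaim only BDs the hardware has consumed; pending ones keep their buffer. */
static void ring_clean(struct ring *r) {
    for (; r->clean != r->ci; r->clean = (r->clean + 1) % RING_SIZE, r->freed++) {
        free(r->sw[r->clean].buf); /* pointer comes from the shadow BD, not hw[] */
        memset(&r->sw[r->clean], 0, sizeof(r->sw[0]));
    }
}
/* Queue one command; a timeout in the caller must NOT free the buffer itself. */
static int ring_submit(struct ring *r, size_t size) {
    if (ring_used(r) >= CLEAN_WORK) ring_clean(r);
    if (ring_used(r) == RING_SIZE - 1) return -1; /* ring full */
    void *buf = calloc(1, size);
    if (!buf) return -1;
    r->sw[r->pi] = (struct sw_bd){ buf, (uint64_t)(uintptr_t)buf, size };
    r->hw[r->pi] = (struct hw_bd){ (uint64_t)(uintptr_t)buf, (uint32_t)size };
    r->pi = (r->pi + 1) % RING_SIZE;
    return 0;
}
/* Simulated device: late DMA write of the response, then addr/len write-back. */
static void hw_complete(struct ring *r) {
    struct hw_bd *bd = &r->hw[r->ci];
    memset((void *)(uintptr_t)bd->addr, 0xAB, bd->len); /* lands in live memory */
    bd->addr = 0; bd->len = 0; /* after this only the shadow BD knows the buffer */
    r->ci = (r->ci + 1) % RING_SIZE;
}
/* 17 commands "time out"; the device later completes `done`; returns buffers freed. */
unsigned demo(unsigned done) {
    struct ring r = {0};
    for (int i = 0; i < 17; i++) ring_submit(&r, 64);
    unsigned early = r.freed; /* must be 0: the device has consumed nothing yet */
    while (done--) hw_complete(&r);
    ring_submit(&r, 64);      /* crosses CLEAN_WORK, so reclamation runs here */
    return early ? ~0u : r.freed;
}
```

Buffers still pending when demo() returns are intentionally left allocated, which is the point of the model: an unconsumed BD's buffer is never released.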