CVE-2026-53300
CVSS v3.1 severity:
HIGH
Type:
Not available / Other type
Publication date:
26/06/2026
Last modified:
30/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

net: enetc: fix NTMP DMA use-after-free issue

The AI-generated review reported a potential DMA use-after-free issue
[1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending
command is not explicitly aborted, while ntmp_free_data_mem()
unconditionally frees the DMA buffer. If the buffer has already been
reallocated elsewhere, this may lead to silent memory corruption, because
the hardware eventually processes the pending command and performs a DMA
write of the response to the physical address of the freed buffer.

To resolve this issue, this patch makes the following modifications:

1. Convert cbdr->ring_lock from a spinlock to a mutex

The lock was originally a spinlock in case NTMP operations might be
invoked from atomic context. After downstream support for all NTMP
tables, no such usage has materialized. A mutex lock is now required
because the driver now needs to reclaim used BDs and release associated
DMA memory within the lock's context, while dma_free_coherent() might
sleep.

2. Introduce software command BD (struct netc_swcbd)

The hardware write-back overwrites the addr and len fields of the BD,
so the driver cannot rely on the hardware BD to free the associated DMA
memory. The driver now maintains a software shadow BD storing the DMA
buffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only
reclaims older BDs when the number of used BDs reaches
NETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory
release. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no
longer needed and are removed.

3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()

netc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes
consuming the response. At this point, if a concurrent thread submits
a new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer
while it is still in use. Move ring_lock ownership to the caller to
ensure the response buffer cannot be reclaimed prematurely. So the
helpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.

These changes eliminate the DMA use-after-free condition and ensure safe
and consistent BD reclamation and DMA buffer lifecycle management.
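The reclamation scheme the commit message describes (a software shadow BD that survives the hardware write-back, lazy cleaning once 16 BDs are in use, the ring lock held by the caller across submit and response consumption, and no free of the buffer on timeout) modelled as an added user-space C example. This is not the enetc driver's code: struct hw_cbd, struct sw_cbd, struct cbdr, device_complete(), ntmp_query() and run_scenario() are assumptions made for this illustration, malloc()/free() stand in for dma_alloc_coherent()/dma_free_coherent(), and the "DMA address" is simply the buffer pointer, so the simulated device writes its response straight into the buffer, exactly where a premature free would have turned into a use-after-free.

```c
/* Illustrative model of the post-fix NTMP command ring; not the enetc driver.
 * Assumed: RING_SIZE, CLEAN_WORK (stands in for NETC_CBDR_CLEAN_WORK),
 * struct hw_cbd/sw_cbd/cbdr, device_complete(), ntmp_query(), run_scenario().
 * malloc/free replace dma_alloc_coherent/dma_free_coherent; the DMA address
 * is just the buffer pointer, so the simulated device writes into the buffer. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RING_SIZE  32
#define CLEAN_WORK 16   /* reclaim older BDs once this many are in use */

struct hw_cbd { uint64_t addr; uint32_t len; uint32_t done; }; /* device-owned */
struct sw_cbd { void *buf; uint64_t dma; size_t size; };       /* shadow copy */

struct cbdr {
    pthread_mutex_t ring_lock;   /* mutex: reclaim frees memory, which may sleep */
    struct hw_cbd hw[RING_SIZE];
    struct sw_cbd sw[RING_SIZE];
    int next_to_use, next_to_clean, used;
    int freed;                   /* bookkeeping for the scenario below */
};

static struct cbdr g_ring;       /* constructed ring used by run_scenario() */

/* Simulated device: DMA-writes a response into the buffer and clobbers the
 * addr/len fields of the hardware BD, as the write-back does in the fix. */
static void device_complete(struct cbdr *r, int idx)
{
    memset(r->sw[idx].buf, 0xAB, r->sw[idx].size);  /* lands at the DMA address */
    r->hw[idx].addr = 0xdeadbeefULL;                /* hw BD no longer usable */
    r->hw[idx].len  = 0;
    r->hw[idx].done = 1;
}

/* Reclaim completed BDs from the tail. Caller holds ring_lock. Frees via the
 * software shadow, never via the clobbered hardware BD. Stops at a pending BD,
 * so a timed-out command keeps its buffer until the device finishes it. */
static void ntmp_clean_cbdr(struct cbdr *r)
{
    while (r->used > 0 && r->hw[r->next_to_clean].done) {
        struct sw_cbd *s = &r->sw[r->next_to_clean];
        free(s->buf);
        memset(s, 0, sizeof(*s));
        r->hw[r->next_to_clean].done = 0;
        r->next_to_clean = (r->next_to_clean + 1) % RING_SIZE;
        r->used--;
        r->freed++;
    }
}

/* Post one command. Caller holds ring_lock and keeps it until it has read the
 * response. 'responds' simulates the device answering before the timeout.
 * On timeout the buffer is NOT freed; it stays owned by the ring. */
static int netc_xmit_ntmp_cmd(struct cbdr *r, void *buf, size_t size,
                              bool responds, int *idx_out)
{
    if (r->used >= CLEAN_WORK)
        ntmp_clean_cbdr(r);          /* lazy reclaim of older BDs */
    if (r->used == RING_SIZE)
        return -EBUSY;               /* not posted: caller still owns buf */
    int idx = r->next_to_use;
    r->hw[idx].addr = (uint64_t)(uintptr_t)buf;
    r->hw[idx].len  = (uint32_t)size;
    r->hw[idx].done = 0;
    r->sw[idx].buf  = buf;           /* shadow for a later, safe release */
    r->sw[idx].dma  = r->hw[idx].addr;
    r->sw[idx].size = size;
    r->next_to_use = (idx + 1) % RING_SIZE;
    r->used++;
    *idx_out = idx;
    if (!responds)
        return -ETIMEDOUT;           /* pending command left in place */
    device_complete(r, idx);
    return 0;
}

/* Caller-side round trip: lock, submit, consume response, unlock.
 * Returns the first response byte (0xAB) or a negative errno. */
static int ntmp_query(struct cbdr *r, bool responds)
{
    int idx, err;
    unsigned char *buf = calloc(1, 64);
    if (!buf) return -ENOMEM;
    pthread_mutex_lock(&r->ring_lock);
    err = netc_xmit_ntmp_cmd(r, buf, 64, responds, &idx);
    int val = err ? err : buf[0];    /* response read while still locked */
    pthread_mutex_unlock(&r->ring_lock);
    if (err == -EBUSY) free(buf);    /* never posted, so we release it */
    return val;
}

/* Scenario: 16 queries fill the clean window, the 17th reclaims them, a
 * timed-out query keeps its buffer until the device completes it. Returns
 * the number of buffers freed (expected 18), or a negative step number. */
static int run_scenario(void)
{
    struct cbdr *r = &g_ring;
    int idx;
    memset(r, 0, sizeof(*r));
    pthread_mutex_init(&r->ring_lock, NULL);
    for (int i = 0; i < CLEAN_WORK; i++)
        if (ntmp_query(r, true) != 0xAB) return -1;
    if (r->freed != 0) return -2;                 /* nothing reclaimed yet */
    if (ntmp_query(r, true) != 0xAB) return -3;
    if (r->freed != CLEAN_WORK) return -4;        /* 17th call cleaned 16 */
    unsigned char *late = calloc(1, 64);
    pthread_mutex_lock(&r->ring_lock);
    int err = netc_xmit_ntmp_cmd(r, late, 64, false, &idx);
    pthread_mutex_unlock(&r->ring_lock);
    if (err != -ETIMEDOUT || r->sw[idx].buf != late) return -5; /* kept */
    device_complete(r, idx);                      /* late DMA write is safe */
    pthread_mutex_lock(&r->ring_lock);
    ntmp_clean_cbdr(r);
    pthread_mutex_unlock(&r->ring_lock);
    return r->freed;
}

static int ring_used(void) { return g_ring.used; }

int main(void)
{
    printf("freed=%d used=%d\n", run_scenario(), ring_used());
    return 0;
}
```

The point to take from the model is the ordering: the buffer's ownership is transferred to the ring at submit time, its release is driven only by the device's completion flag read under ring_lock, and a timeout changes nothing about that ownership, so the late DMA write in device_complete() always targets memory the ring still holds.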
Impact
Base score 3.x
7.80
Severity 3.x
HIGH