Commit adb45999 authored May 20, 2026 by Wei Fang Committed by Jakub Kicinski May 21, 2026

net: enetc: fix DMA write to freed memory in enetc_msg_free_mbx()



The teardown sequence in enetc_msg_psi_free() frees the DMA buffer before
clearing the device's DMA address registers. If a VF sends a message or a
pending DMA transfer completes within this window, the hardware will
perform a DMA write into the kernel memory that has already been returned
to the allocator.

The result is silent memory corruption that can affect arbitrary kernel
data structures. Therefore, clear the DMA address registers before the
DMA buffer is freed.

Fixes: beb74ac8 ("enetc: Add vf to pf messaging support")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
Link: https://patch.msgid.link/20260520064421.91569-7-wei.fang@nxp.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent f262f5d8

drivers/net/ethernet/freescale/enetc/enetc_msg.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -96,12 +96,12 @@ static void enetc_msg_free_mbx(struct enetc_si *si, int idx)
		struct enetc_hw *hw = &si->hw;
		struct enetc_msg_swbd *msg;

		enetc_wr(hw, ENETC_PSIVMSGRCVAR0(idx), 0);
		enetc_wr(hw, ENETC_PSIVMSGRCVAR1(idx), 0);

		msg = &pf->rxmsg[idx];
		dma_free_coherent(&si->pdev->dev, msg->size, msg->vaddr, msg->dma);
		memset(msg, 0, sizeof(*msg));

		enetc_wr(hw, ENETC_PSIVMSGRCVAR0(idx), 0);
		enetc_wr(hw, ENETC_PSIVMSGRCVAR1(idx), 0);
		}

		int enetc_msg_psi_init(struct enetc_pf *pf)