From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 164423EE1D8
	for <linux-cve-announce@vger.kernel.org>; Fri,  8 May 2026 14:22:52 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778250172; cv=none; b=G3fqYoWWCVvA1mYpcWMJIzYCK4Dr7K5ICAUjdgONl9Kfj7qf/CQ4wix87Ct1DWbp1JEZm5s5Ra8y/OHrZ+X4JmaTIxJSVm3hZ+6GlsZ9ZOrPrysub9mEyH4+YcsWSjeNopyQMrQrcj6zYBFz0Hg9B1i+Amzn0YSGsU1XfGW5K6s=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778250172; c=relaxed/simple;
	bh=MyGdcGIX1pYLcwJKS7whU5HmDbuZgoHdKxRmkjEMtoo=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Vtfz7uU5n+xL9z6DWCAaSWh1COqLB49BPpTPeSscMz/HEnT1Q9nxT/F5MkP8ONZ/JOdCBitxFvbZjgJvnx9ayCAXLS/CbU4jG/6dP3J2f9QCPvZpVUxtTKRM6YpTOi5lTcZLYQErBmsFoLgdChbb3gRZDbIvXk9xQRxasptIZeE=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=gdOd/6ly; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="gdOd/6ly"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id A5370C2BCB0;
	Fri,  8 May 2026 14:22:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
	s=korg; t=1778250172;
	bh=MyGdcGIX1pYLcwJKS7whU5HmDbuZgoHdKxRmkjEMtoo=;
	h=From:To:Cc:Subject:Date:Reply-To:From;
	b=gdOd/6lyw7BHLybNGhhwEFkuT11RFb392ioRkx+5aDBaTGQ7rxPO0mX8aL0FnBFUm
	 C7TIS692JCi8e3ZRPGZ9b8aF6C8GXRzWNtV0+vU94JxS56d+o9UNBTnJGf4K35cfjY
	 ShouI8WXLgzBORyd86ob8ZgnJR2K8G7DKmvorxKQ=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@kernel.org>
Subject: CVE-2026-43371: net: macb: Shuffle the tx ring before enabling tx
Date: Fri,  8 May 2026 16:21:40 +0200
Message-ID: <2026050829-CVE-2026-43371-a288@gregkh>
X-Mailer: git-send-email 2.54.0
Reply-To: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Precedence: bulk
X-Mailing-List: linux-cve-announce@vger.kernel.org
List-Id: <linux-cve-announce.vger.kernel.org>
List-Subscribe: <mailto:linux-cve-announce+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-cve-announce+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=4281; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=439uHIM2OkbtSyXCYQoZbaBgv+cW8XKrOv6Y5ndF5Es=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P2bemeN47v5yi2lFB1p33ZXuyVgikuwq6NfW/KXnP ZMH4/uIjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZhIBS/DPAvFhhurxUqTw6yl uv6ZXVjId1XpJMN8d0almXkTG1MvF+9QMN76QSPf4PROAA==
X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
Content-Transfer-Encoding: 8bit

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: macb: Shuffle the tx ring before enabling tx

Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board,
the rootfs may take an extended time to recover after a suspend.
Upon investigation, it was determined that the issue originates from a
problem in the macb driver.

According to the Zynq UltraScale TRM [1], when transmit is disabled,
the transmit buffer queue pointer resets to point to the address
specified by the transmit buffer queue base address register.

In the current implementation, the code merely resets `queue->tx_head`
and `queue->tx_tail` to '0'. This approach presents several issues:

- Packets already queued in the tx ring are silently lost,
  leading to memory leaks since the associated skbs cannot be released.

- Concurrent write access to `queue->tx_head` and `queue->tx_tail` may
  occur from `macb_tx_poll()` or `macb_start_xmit()` when these values
  are reset to '0'.

- The transmission may become stuck on a packet that has already been sent
  out, with its 'TX_USED' bit set, but has not yet been processed. However,
  due to the manipulation of 'queue->tx_head' and 'queue->tx_tail',
  `macb_tx_poll()` incorrectly assumes there are no packets to handle
  because `queue->tx_head == queue->tx_tail`. This issue is only resolved
  when a new packet is placed at this position. This is the root cause of
  the prolonged recovery time observed for the NFS root filesystem.

To resolve this issue, shuffle the tx ring and tx skb array so that
the first unsent packet is positioned at the start of the tx ring.
Additionally, ensure that updates to `queue->tx_head` and
`queue->tx_tail` are properly protected with the appropriate lock.

[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm

The Linux kernel CVE team has assigned CVE-2026-43371 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.1.165 with commit d89b8b17057e16fad4564c71160e68ca549c1b42 and fixed in 6.1.167 with commit c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7
	Issue introduced in 6.6.128 with commit ec4445ae9e58aed88561d3d1dfa849b039c7782e and fixed in 6.6.130 with commit 0a47c3889fcd843c72aa57fa8c4d06f5801fced4
	Issue introduced in 6.12.75 with commit 6e704e89f16fd4a1145756210bc210f14f174f94 and fixed in 6.12.78 with commit 88f974fe118cb4653f029929ecbca7cfe06132ae
	Issue introduced in 6.18.16 with commit 316d9fe71fb18bc9b1dba464fdb68dd201315eba and fixed in 6.18.20 with commit 58f5d34f88e8f00910b692537f7b2efdb8c3705d
	Issue introduced in 6.19.6 with commit b3a7aa33ca7d46be513fccf832d3540acfe587d0 and fixed in 6.19.9 with commit 403182e0771b250cfde0fe7e1081d095ceaf8230

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43371
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/ethernet/cadence/macb_main.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7
	https://git.kernel.org/stable/c/0a47c3889fcd843c72aa57fa8c4d06f5801fced4
	https://git.kernel.org/stable/c/88f974fe118cb4653f029929ecbca7cfe06132ae
	https://git.kernel.org/stable/c/58f5d34f88e8f00910b692537f7b2efdb8c3705d
	https://git.kernel.org/stable/c/403182e0771b250cfde0fe7e1081d095ceaf8230
	https://git.kernel.org/stable/c/881a0263d502e1a93ebc13a78254e9ad19520232