[PATCH v3 net 6/9] net: enetc: fix DMA write to freed memory in enetc_msg_free_mbx()

Netdev List
 help / color / mirror / Atom feed

From: Wei Fang <wei.fang@nxp.com>
To: claudiu.manoil@nxp.com, vladimir.oltean@nxp.com,
	xiaoning.wang@nxp.com, andrew+netdev@lunn.ch,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, hramamurthy@google.com
Cc: imx@lists.linux.dev, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, catalin.horghidan@nxp.com
Subject: [PATCH v3 net 6/9] net: enetc: fix DMA write to freed memory in enetc_msg_free_mbx()
Date: Wed, 20 May 2026 14:44:18 +0800	[thread overview]
Message-ID: <20260520064421.91569-7-wei.fang@nxp.com> (raw)
In-Reply-To: <20260520064421.91569-1-wei.fang@nxp.com>

The teardown sequence in enetc_msg_psi_free() frees the DMA buffer before
clearing the device's DMA address registers. If a VF sends a message or a
pending DMA transfer completes within this window, the hardware will
perform a DMA write into the kernel memory that has already been returned
to the allocator.

The result is silent memory corruption that can affect arbitrary kernel
data structures. Therefore, clear the DMA address registers before the
DMA buffer is freed.

Fixes: beb74ac878c8 ("enetc: Add vf to pf messaging support")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
---
 drivers/net/ethernet/freescale/enetc/enetc_msg.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/freescale/enetc/enetc_msg.c b/drivers/net/ethernet/freescale/enetc/enetc_msg.c
index 40d22ebe9224..b4d7457097e6 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc_msg.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_msg.c
@@ -96,12 +96,12 @@ static void enetc_msg_free_mbx(struct enetc_si *si, int idx)
 	struct enetc_hw *hw = &si->hw;
 	struct enetc_msg_swbd *msg;
 
+	enetc_wr(hw, ENETC_PSIVMSGRCVAR0(idx), 0);
+	enetc_wr(hw, ENETC_PSIVMSGRCVAR1(idx), 0);
+
 	msg = &pf->rxmsg[idx];
 	dma_free_coherent(&si->pdev->dev, msg->size, msg->vaddr, msg->dma);
 	memset(msg, 0, sizeof(*msg));
-
-	enetc_wr(hw, ENETC_PSIVMSGRCVAR0(idx), 0);
-	enetc_wr(hw, ENETC_PSIVMSGRCVAR1(idx), 0);
 }
 
 int enetc_msg_psi_init(struct enetc_pf *pf)
-- 
2.34.1

next prev parent reply	other threads:[~2026-05-20  6:42 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-20  6:44 [PATCH v3 net 0/9] net: enetc: SR-IOV robustness and security fixes Wei Fang
2026-05-20  6:44 ` [PATCH v3 net 1/9] net: enetc: fix incorrect mailbox message status returned to VFs Wei Fang
2026-05-20  6:44 ` [PATCH v3 net 2/9] net: enetc: fix missing error code when pf->vf_state allocation fails Wei Fang
2026-05-20  6:44 ` [PATCH v3 net 3/9] net: enetc: add ratelimiting to VF mailbox error messages Wei Fang
2026-05-20  6:44 ` [PATCH v3 net 4/9] net: enetc: fix TOCTOU race and validate VF MAC address Wei Fang
2026-05-20  6:44 ` [PATCH v3 net 5/9] net: enetc: fix race condition in VF MAC address configuration Wei Fang
2026-05-20  6:44 ` Wei Fang [this message]
2026-05-20  6:44 ` [PATCH v3 net 7/9] net: enetc: fix unbounded loop and interrupt handling in VF-to-PF messaging Wei Fang
2026-05-20  6:44 ` [PATCH v3 net 8/9] net: enetc: fix init and teardown order to prevent use of unsafe resources Wei Fang
2026-05-20  6:44 ` [PATCH v3 net 9/9] net: enetc: avoid VF->PF mailbox timeout during SR-IOV teardown Wei Fang

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:40d22ebe922 dfblob:b4d7457097e )
 OR (
bs:"[PATCH v3 net 6/9] net: enetc: fix DMA write to freed memory in enetc_msg_free_mbx()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260520064421.91569-7-wei.fang@nxp.com \
    --to=wei.fang@nxp.com \
    --cc=andrew+netdev@lunn.ch \
    --cc=catalin.horghidan@nxp.com \
    --cc=claudiu.manoil@nxp.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=hramamurthy@google.com \
    --cc=imx@lists.linux.dev \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=vladimir.oltean@nxp.com \
    --cc=xiaoning.wang@nxp.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox