In the Linux kernel, the following vulnerability has been resolved:
net: atlantic: Fix DMA mapping for PTP hwts ring
Function aqringhwtsrxalloc() maps extra AQCFGRXDSDEF bytes for PTP HWTS ring but then generic aqring_free() does not take this into account. Create and use a specific function to free HWTS ring to fix this issue.
Trace: [ 215.351607] ------------[ cut here ]------------ [ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes] [ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 checkunmap+0xa6f/0x2360 ... [ 215.581176] Call Trace: [ 215.583632] <TASK> [ 215.585745] ? showtraceloglvl+0x1c4/0x2df [ 215.590114] ? showtraceloglvl+0x1c4/0x2df [ 215.594497] ? debugdmafreecoherent+0x196/0x210 [ 215.599305] ? checkunmap+0xa6f/0x2360 [ 215.603147] ? _warn+0xca/0x1d0 [ 215.606391] ? checkunmap+0xa6f/0x2360 [ 215.610237] ? reportbug+0x1ef/0x370 [ 215.613921] ? handlebug+0x3c/0x70 [ 215.617423] ? excinvalidop+0x14/0x50 [ 215.621269] ? asmexcinvalidop+0x16/0x20 [ 215.625480] ? checkunmap+0xa6f/0x2360 [ 215.629331] ? marklock.part.0+0xca/0xa40 [ 215.633445] debugdmafreecoherent+0x196/0x210 [ 215.638079] ? _pfxdebugdmafreecoherent+0x10/0x10 [ 215.643242] ? slabfreefreelisthook+0x11d/0x1d0 [ 215.648060] dmafreeattrs+0x6d/0x130 [ 215.651834] aqringfree+0x193/0x290 [atlantic] [ 215.656487] aqptpringfree+0x67/0x110 [atlantic] ... [ 216.127540] ---[ end trace 6467e5964dd2640b ]--- [ 216.132160] DMA-API: Mapped at: [ 216.132162] debugdmaalloccoherent+0x66/0x2f0 [ 216.132165] dmaallocattrs+0xf5/0x1b0 [ 216.132168] aqringhwtsrxalloc+0x150/0x1f0 [atlantic] [ 216.132193] aqptpringalloc+0x1bb/0x540 [atlantic] [ 216.132213] aqnicinit+0x4a1/0x760 [atlantic]