In the Linux kernel, the following vulnerability has been resolved:
net: enetc: fix NTMP DMA use-after-free issue
The AI-generated review reported a potential DMA use-after-free issue [1]. If netcxmitntmpcmd() times out and returns an error, the pending command is not explicitly aborted, while ntmpfreedatamem() unconditionally frees the DMA buffer. If the buffer has already been reallocated elsewhere, this may lead to silent memory corruption. Because the hardware eventually processes the pending command and perform a DMA write of the response to the physical address of the freed buffer.
To resolve this issue, this patch does the following modifications:
The lock was originally a spinlock in case NTMP operations might be invoked from atomic context. After downstream support for all NTMP tables, no such usage has materialized. A mutex lock is now required because the driver now needs to reclaim used BDs and release associated DMA memory within the lock's context, while dmafreecoherent() might sleep.
The hardware write-back overwrites the addr and len fields of the BD, so the driver cannot rely on the hardware BD to free the associated DMA memory. The driver now maintains a software shadow BD storing the DMA buffer pointer, DMA address, and size. And netcxmitntmpcmd() only reclaims older BDs when the number of used BDs reaches NETCCBDRCLEANWORK (16). The software BD enables correct DMA memory release. With this, struct ntmpdmabuf and ntmpfreedata_mem() are no longer needed and are removed.
netcxmitntmpcmd() releases the ringlock before the caller finishes consuming the response. At this point, if a concurrent thread submits a new command, it may trigger ntmpcleancbdr() and free the DMA buffer while it is still in use. Move ringlock ownership to the caller to ensure the response buffer cannot be reclaimed prematurely. So the helpers ntmpselectandlockcbdr() and ntmpunlock_cbdr() are added.
These changes eliminate the DMA use-after-free condition and ensure safe and consistent BD reclamation and DMA buffer lifecycle management.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53300.json",
"cna_assigner": "Linux"
}