{"id":"CVE-2026-53300","summary":"net: enetc: fix NTMP DMA use-after-free issue","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix NTMP DMA use-after-free issue\n\nThe AI-generated review reported a potential DMA use-after-free issue\n[1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending\ncommand is not explicitly aborted, while ntmp_free_data_mem()\nunconditionally frees the DMA buffer. If the buffer has already been\nreallocated elsewhere, this may lead to silent memory corruption. Because\nthe hardware eventually processes the pending command and perform a DMA\nwrite of the response to the physical address of the freed buffer.\n\nTo resolve this issue, this patch does the following modifications:\n\n1. Convert cbdr-\u003ering_lock from a spinlock to a mutex\n\nThe lock was originally a spinlock in case NTMP operations might be\ninvoked from atomic context. After downstream support for all NTMP\ntables, no such usage has materialized. A mutex lock is now required\nbecause the driver now needs to reclaim used BDs and release associated\nDMA memory within the lock's context, while dma_free_coherent() might\nsleep.\n\n2. Introduce software command BD (struct netc_swcbd)\n\nThe hardware write-back overwrites the addr and len fields of the BD,\nso the driver cannot rely on the hardware BD to free the associated DMA\nmemory. The driver now maintains a software shadow BD storing the DMA\nbuffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only\nreclaims older BDs when the number of used BDs reaches\nNETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory\nrelease. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no\nlonger needed and are removed.\n\n3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()\n\nnetc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes\nconsuming the response. At this point, if a concurrent thread submits\na new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer\nwhile it is still in use. Move ring_lock ownership to the caller to\nensure the response buffer cannot be reclaimed prematurely. So the\nhelpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.\n\nThese changes eliminate the DMA use-after-free condition and ensure safe\nand consistent BD reclamation and DMA buffer lifecycle management.","modified":"2026-07-08T08:13:44.785710669Z","published":"2026-06-26T19:40:57.186Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53300.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/37c8933064be714ee672b0a0523c2fd045b73b3d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3cade698881eb238f88cbbfec82acc2110440a3f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53300.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53300"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4701073c3debd16d7f534f3eb808bd9b50601c0c"},{"fixed":"37c8933064be714ee672b0a0523c2fd045b73b3d"},{"fixed":"655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b"},{"fixed":"3cade698881eb238f88cbbfec82acc2110440a3f"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53300.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.16.0"},{"fixed":"6.18.33"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53300.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}