Currently, the implementation of command BD ring has two issues, one is that the driver may obtain wrong consumer index of the ring, because the driver does not mask out the SBE bit of the CIR value, so a wrong index will be obtained when a SBE error ouccrs. The other one is that the DMA buffer may be used after free. If netc_xmit_ntmp_cmd() times out and returns an error, the pending command is not explicitly aborted, while ntmp_free_data_mem() unconditionally frees the DMA buffer. If the buffer has already been reallocated elsewhere, this may lead to silent memory corruption. Because the hardware eventually processes the pending command and perform a DMA write of the response to the physical address of the freed buffer. So this patch set is to fix these two issues.
Wei Fang (2): net: enetc: correct the command BD ring consumer index net: enetc: fix NTMP DMA use-after-free issue drivers/net/ethernet/freescale/enetc/ntmp.c | 161 ++++++++++-------- .../ethernet/freescale/enetc/ntmp_private.h | 9 +- include/linux/fsl/ntmp.h | 9 +- 3 files changed, 96 insertions(+), 83 deletions(-) -- 2.34.1
