net: enetc: fix DMA write to freed memory in enetc_msg_free_mbx()

The teardown sequence in enetc_msg_psi_free() frees the DMA buffer before
clearing the device's DMA address registers. If a VF sends a message or a
pending DMA transfer completes within this window, the hardware will
perform a DMA write into the kernel memory that has already been returned
to the allocator.

The result is silent memory corruption that can affect arbitrary kernel
data structures. Therefore, clear the DMA address registers before the
DMA buffer is freed.

Fixes: beb74ac878c8 ("enetc: Add vf to pf messaging support")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
Link: https://patch.msgid.link/20260520064421.91569-7-wei.fang@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/ethernet/freescale/enetc/enetc_msg.c b/drivers/net/ethernet/freescale/enetc/enetc_msg.c
index 40d22ebe9224f5823929a3513193d92dd1a19661..b4d7457097e60d096198f5e2cd534f59f73f861f 100644 (file)
--- a/drivers/net/ethernet/freescale/enetc/enetc_msg.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_msg.c
@@ -96,12 +96,12 @@ static void enetc_msg_free_mbx(struct enetc_si *si, int idx)
        struct enetc_hw *hw = &si->hw;
        struct enetc_msg_swbd *msg;
 
+       enetc_wr(hw, ENETC_PSIVMSGRCVAR0(idx), 0);
+       enetc_wr(hw, ENETC_PSIVMSGRCVAR1(idx), 0);
+
        msg = &pf->rxmsg[idx];
        dma_free_coherent(&si->pdev->dev, msg->size, msg->vaddr, msg->dma);
        memset(msg, 0, sizeof(*msg));
-
-       enetc_wr(hw, ENETC_PSIVMSGRCVAR0(idx), 0);
-       enetc_wr(hw, ENETC_PSIVMSGRCVAR1(idx), 0);
 }
 
 int enetc_msg_psi_init(struct enetc_pf *pf)