git.ipfire.org Git - thirdparty/kernel/linux.git/commit
net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
author Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Thu, 14 May 2026 19:41:51 +0000 (12:41 -0700)
committer Paolo Abeni <pabeni@redhat.com>
Tue, 19 May 2026 11:00:28 +0000 (13:00 +0200)
commit 35f0f0a2536a4d604b4dbad92c85c4a8fdebb870
tree bb99a197da32fa777d99376535c57d84bb9cc6dc
parent 2d85ae5d0f39c715277bcf0b4e65d2eed39c34bb
net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer

In mana_hwc_rx_event_handler(), resp->response.hwc_msg_id is read from
DMA-coherent memory and bounds-checked, then mana_hwc_handle_resp()
re-reads the same field from the same DMA buffer for test_bit() and
pointer arithmetic.

DMA-coherent memory is mapped uncacheable on x86 and is shared,
unencrypted, in Confidential VMs (SEV-SNP/TDX), so each load goes
directly to host-visible memory. A H/W can modify the value
between the check and the use, bypassing the bounds validation.

Fix this by reading hwc_msg_id exactly once using READ_ONCE() into a
stack-local variable in mana_hwc_rx_event_handler(), and passing the
validated value as a parameter to mana_hwc_handle_resp().

Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Link: https://patch.msgid.link/20260514194156.466823-1-ernis@linux.microsoft.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
drivers/net/ethernet/microsoft/mana/hw_channel.c
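
The check-then-re-read pattern described in the commit message, next to the single-snapshot form, as an added user-space illustration that is not code from this commit or from the mana driver. The struct, NUM_SLOTS, READ_ONCE_U16 and the simulated device write are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_SLOTS 4   /* constructed size of the in-flight request table */
/* User-space stand-in for the kernel's READ_ONCE(): one volatile load. */
#define READ_ONCE_U16(x) (*(const volatile uint16_t *)&(x))

struct resp_hdr { uint16_t msg_id; };  /* simplified model, not the driver's struct */

static struct resp_hdr *shared;  /* models the device-writable DMA buffer */
static uint16_t later_value;     /* what the simulated device writes mid-handler */

/* Simulated device write that lands between the check and the use. */
static void device_writes(void) { shared->msg_id = later_value; }

/* Check and use each load the field: the checked value is not the used one. */
static int handle_double_fetch(struct resp_hdr *r)
{
    if (r->msg_id >= NUM_SLOTS)      /* fetch 1: bounds check */
        return -1;
    device_writes();
    return r->msg_id;                /* fetch 2: index that would be used */
}

/* Snapshot once into a local; later writes to the buffer cannot change it. */
static int handle_single_fetch(struct resp_hdr *r)
{
    uint16_t id = READ_ONCE_U16(r->msg_id);  /* the only load */
    if (id >= NUM_SLOTS)
        return -1;
    device_writes();
    return id;                       /* validated copy is what gets used */
}

/* Returns the table index the handler would use, or -1 if rejected. */
static int run(int fixed, uint16_t initial, uint16_t later)
{
    struct resp_hdr buf = { .msg_id = initial };
    shared = &buf;
    later_value = later;
    return fixed ? handle_single_fetch(&buf) : handle_double_fetch(&buf);
}

int main(void)
{
    printf("double fetch: index %d (table has %d slots)\n", run(0, 2, 4000), NUM_SLOTS);
    printf("single fetch: index %d\n", run(1, 2, 4000));
    return 0;
}
```

The double-fetch handler reports an index past the table even though its bounds check passed, while the single-fetch handler keeps using the value it validated.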