View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000624 | AlmaLinux-10 | General | public | 2026-05-21 06:02 | 2026-05-21 06:02 |
| Reporter | v-sriramsur | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | N/A |
| Status | new | Resolution | open | ||
| Summary | 0000624: [AlmaLinux][Backport][MANA] net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer | ||||
| Description | This is a Sev 2 on our side with customer facing issues. **Problem Summary:** In mana_hwc_rx_event_handler(), resp->response.hwc_msg_id is read from DMA-coherent memory and bounds-checked, then mana_hwc_handle_resp() re-reads the same field from the same DMA buffer for test_bit() and pointer arithmetic. DMA-coherent memory is mapped uncacheable on x86 and is shared, unencrypted, in Confidential VMs (SEV-SNP/TDX), so each load goes directly to host-visible memory. A H/W can modify the value between the check and the use, bypassing the bounds validation. Fix this by reading hwc_msg_id exactly once using READ_ONCE() into a stack-local variable in mana_hwc_rx_event_handler(), and passing the validated value as a parameter to mana_hwc_handle_resp(). **Impact on Customer VMs:** All VMs. Requesting backport of the below fix to all LTS kernels. https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=35f0f0a2536a | ||||
| Tags | No tags attached. | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2026-05-21 06:02 | v-sriramsur | New Issue |
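
The check-then-re-read pattern described in the issue, next to the single-fetch form, as an added userspace example (not code from the kernel commit or from this report). `NUM_MSGS`, `struct resp`, `dma_load_msg_id()`, the `script` array and the `index_used_*` helpers are hypothetical stand-ins; the macro only imitates the kernel's `READ_ONCE()`.

```c
#include <stdint.h>

#define NUM_MSGS 4  /* hypothetical queue depth; valid ids are 0..3 */
/* Userspace stand-in for the kernel's READ_ONCE(): exactly one load. */
#define READ_ONCE_U16(p) (*(const volatile uint16_t *)(p))

/* Simplified stand-in for the response header that lives in the DMA buffer. */
struct resp { uint16_t hwc_msg_id; };
static struct resp dma_buf;

/* Constructed model of device-writable memory: the first load sees
 * script[0], every later load sees script[1]. */
static uint16_t script[2];
static unsigned int loads;

static uint16_t dma_load_msg_id(void)
{
    dma_buf.hwc_msg_id = script[loads++ ? 1 : 0];
    return READ_ONCE_U16(&dma_buf.hwc_msg_id);
}

/* Before: the check and the use each fetch the field from shared memory. */
static int handle_double_fetch(void)
{
    if (dma_load_msg_id() >= NUM_MSGS)
        return -1;                 /* rejected */
    return dma_load_msg_id();      /* second fetch: this is the index used */
}

/* After: one fetch into a stack local; the checked value is the used value. */
static int handle_single_fetch(void)
{
    uint16_t msg_id = dma_load_msg_id();
    if (msg_id >= NUM_MSGS)
        return -1;
    return msg_id;                 /* would be passed on as a parameter */
}

/* Index each variant would use, or -1 if the response is dropped. */
int index_used_before(uint16_t first, uint16_t later)
{
    script[0] = first; script[1] = later; loads = 0;
    return handle_double_fetch();
}
int index_used_after(uint16_t first, uint16_t later)
{
    script[0] = first; script[1] = later; loads = 0;
    return handle_single_fetch();
}
```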