On 5/14/26 9:41 PM, Erni Sri Satya Vennela wrote:
> In mana_hwc_rx_event_handler(), resp->response.hwc_msg_id is read from
> DMA-coherent memory and bounds-checked, then mana_hwc_handle_resp()
> re-reads the same field from the same DMA buffer for test_bit() and
> pointer arithmetic.
>
> DMA-coherent memory is mapped uncacheable on x86 and is shared,
> unencrypted, in Confidential VMs (SEV-SNP/TDX), so each load goes
> directly to host-visible memory. A H/W can modify the value
> between the check and the use, bypassing the bounds validation.

Sashiko noted there are more related issues in the nearby code:

https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260514194156.466823-1-ernis%40linux.microsoft.com

you may consider a follow-up.

/P
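
The check-then-re-read pattern from the quoted commit message, as an added user-space example that is not code from the patch or the MANA driver. `fake_resp`, `shared_load()`, `NUM_SLOTS` and both handlers are hypothetical names, and the device-side write is simulated deterministically right after the first load.

```c
#include <stdint.h>
#include <stdio.h>
#define NUM_SLOTS 8u            /* hypothetical size of the in-flight table */
/* Constructed stand-in for a response header living in DMA-coherent memory. */
struct fake_resp { volatile uint16_t msg_id; };
static unsigned loads;          /* number of loads issued to "shared" memory */

/* Every load hits device-visible memory. To make the race deterministic,
 * this model lets the device rewrite the field right after the first load. */
static uint16_t shared_load(struct fake_resp *r)
{
    uint16_t v = r->msg_id;
    if (++loads == 1)
        r->msg_id = 0xFFFF;     /* device changes the value after the check */
    return v;
}

/* Double fetch: one load for the bounds check, another for the use.
 * Returns the index that would be used, or -1 if rejected. */
static int handle_double_fetch(struct fake_resp *r)
{
    if (shared_load(r) >= NUM_SLOTS)
        return -1;
    return shared_load(r);      /* re-read: no longer the checked value */
}

/* Single fetch: snapshot once, then check and use only the local copy. */
static int handle_single_fetch(struct fake_resp *r)
{
    uint16_t id = shared_load(r);
    if (id >= NUM_SLOTS)
        return -1;
    return id;
}

/* Run one handler against a fresh response whose initial id is 3. */
static int run(int (*handler)(struct fake_resp *))
{
    struct fake_resp r = { .msg_id = 3 };
    loads = 0;
    return handler(&r);
}

int main(void)
{
    printf("double fetch uses index %d\n", run(handle_double_fetch));
    printf("single fetch uses index %d\n", run(handle_single_fetch));
    return 0;
}
```

The double-fetch handler passes its bounds check on 3 and then indexes with 65535; the single-fetch handler only ever acts on the value it validated.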

