cve/published/2025/CVE-2025-21855.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21855: ibmvnic: Don't reference skb after sending to VIOS

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ibmvnic: Don't reference skb after sending to VIOS

 Previously, after successfully flushing the xmit buffer to VIOS,
 the tx_bytes stat was incremented by the length of the skb.

 It is invalid to access the skb memory after sending the buffer to
 the VIOS because, at any point after sending, the VIOS can trigger
 an interrupt to free this memory. A race between reading skb->len
 and freeing the skb is possible (especially during LPM) and will
 result in use-after-free:
  ==================================================================
  BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
  Read of size 4 at addr c00000024eb48a70 by task hxecom/14495
  <...>
  Call Trace:
  [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)
  [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0
  [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8
  [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0
  [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
  [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358
  <...>
  Freed by task 0:
  kasan_save_stack+0x34/0x68
  kasan_save_track+0x2c/0x50
  kasan_save_free_info+0x64/0x108
  __kasan_mempool_poison_object+0x148/0x2d4
  napi_skb_cache_put+0x5c/0x194
  net_tx_action+0x154/0x5b8
  handle_softirqs+0x20c/0x60c
  do_softirq_own_stack+0x6c/0x88
  <...>
  The buggy address belongs to the object at c00000024eb48a00 which
   belongs to the cache skbuff_head_cache of size 224
 ==================================================================

 The Linux kernel CVE team has assigned CVE-2025-21855 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.1.130 with commit 501ac6a7e21b82e05207c6b4449812d82820f306
 	Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.6.80 with commit 093b0e5c90592773863f300b908b741622eef597
 	Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.12.17 with commit 25dddd01dcc8ef3acff964dbb32eeb0d89f098e9
 	Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.13.5 with commit abaff2717470e4b5b7c0c3a90e128b211a23da09
 	Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.14 with commit bdf5d13aa05ec314d4385b31ac974d6c7e0997c9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21855
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/ibm/ibmvnic.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306
 	https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597
 	https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9
 	https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09
 	https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21855: ibmvnic: Don't reference skb after sending to VIOS

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ibmvnic: Don't reference skb after sending to VIOS

	Previously, after successfully flushing the xmit buffer to VIOS,
	the tx_bytes stat was incremented by the length of the skb.

	It is invalid to access the skb memory after sending the buffer to
	the VIOS because, at any point after sending, the VIOS can trigger
	an interrupt to free this memory. A race between reading skb->len
	and freeing the skb is possible (especially during LPM) and will
	result in use-after-free:
	==================================================================
	BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
	Read of size 4 at addr c00000024eb48a70 by task hxecom/14495
	<...>
	Call Trace:
	[c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)
	[c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0
	[c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8
	[c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0
	[c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
	[c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358
	<...>
	Freed by task 0:
	kasan_save_stack+0x34/0x68
	kasan_save_track+0x2c/0x50
	kasan_save_free_info+0x64/0x108
	__kasan_mempool_poison_object+0x148/0x2d4
	napi_skb_cache_put+0x5c/0x194
	net_tx_action+0x154/0x5b8
	handle_softirqs+0x20c/0x60c
	do_softirq_own_stack+0x6c/0x88
	<...>
	The buggy address belongs to the object at c00000024eb48a00 which
	belongs to the cache skbuff_head_cache of size 224
	==================================================================

	The Linux kernel CVE team has assigned CVE-2025-21855 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.1.130 with commit 501ac6a7e21b82e05207c6b4449812d82820f306
	Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.6.80 with commit 093b0e5c90592773863f300b908b741622eef597
	Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.12.17 with commit 25dddd01dcc8ef3acff964dbb32eeb0d89f098e9
	Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.13.5 with commit abaff2717470e4b5b7c0c3a90e128b211a23da09
	Issue introduced in 4.5 with commit 032c5e82847a2214c3196a90f0aeba0ce252de58 and fixed in 6.14 with commit bdf5d13aa05ec314d4385b31ac974d6c7e0997c9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21855
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/ibm/ibmvnic.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306
	https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597
	https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9
	https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09
	https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9