On 1/20/2025 4:46 AM, Denis Arefev wrote:
> From: Nick Child <nnac123@xxxxxxxxxxxxx>
>
> From: Nick Child <nnac123@xxxxxxxxxxxxx>
>
> commit 0983d288caf984de0202c66641577b739caad561 upstream.
>
> Below is a summary of how the driver stores a reference to an skb during
> transmit:
> tx_buff[free_map[consumer_index]]->skb = new_skb;
> free_map[consumer_index] = IBMVNIC_INVALID_MAP;
> consumer_index ++;
> Where variable data looks like this:
> free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]
>                  consumer_index^
> tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null]
>
> The driver has checks to ensure that free_map[consumer_index] pointed to
> a valid index but there was no check to ensure that this index pointed
> to an unused/null skb address. So, if, by some chance, our free_map and
> tx_buff lists become out of sync then we were previously risking an
> skb memory leak. This could then cause tcp congestion control to stop
> sending packets, eventually leading to ETIMEDOUT.
>
> Therefore, add a conditional to ensure that the skb address is null. If
> not then warn the user (because this is still a bug that should be
> patched) and free the old pointer to prevent memleak/tcp problems.
>
> Signed-off-by: Nick Child <nnac123@xxxxxxxxxxxxx>
> Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
> [Denis: minor fix to resolve merge conflict.]
> Signed-off-by: Denis Arefev <arefev@xxxxxxxxx>
> ---

I thought the process asked to have the stable tag, i.e.

Cc: <stable@xxxxxxxxxxxxxxx> # 5.10.x

Anyways, this looks good to me, and seems like a good candidate for
backporting.

Reviewed-by: Jacob Keller <jacob.e.keller@xxxxxxxxx>

Thanks,
Jake

> Backport fix for CVE-2024-41066
> Link: https://nvd.nist.gov/vuln/detail/CVE-2024-41066
> ---
> drivers/net/ethernet/ibm/ibmvnic.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
> index 84da6ccaf339..439796975cbf 100644
> --- a/drivers/net/ethernet/ibm/ibmvnic.c > +++ b/drivers/net/ethernet/ibm/ibmvnic.c > @@ -1625,6 +1625,18 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) > (tx_pool->consumer_index + 1) % tx_pool->num_buffers; > > tx_buff = &tx_pool->tx_buff[index]; > + > + /* Sanity checks on our free map to make sure it points to an index > + * that is not being occupied by another skb. If skb memory is > + * not freed then we see congestion control kick in and halt tx. > + */ > + if (unlikely(tx_buff->skb)) { > + dev_warn_ratelimited(dev, "TX free map points to untracked skb (%s %d idx=%d)\n", > + skb_is_gso(skb) ? "tso_pool" : "tx_pool", > + queue_num, bufidx); > + dev_kfree_skb_any(tx_buff->skb); > + } > + > tx_buff->skb = skb; > tx_buff->data_dma[0] = data_dma_addr; > tx_buff->data_len[0] = skb->len;
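Review bot: the new warning prints `bufidx`, but the surrounding 5.10 code in this hunk looks the buffer up with `index` (`tx_buff = &tx_pool->tx_buff[index];`), so unless ibmvnic_xmit() in this tree already has a `bufidx` variable the backport will not compile; the merge-conflict fixup should pass `index` (or whatever 5.10 names the free-map slot) in `dev_warn_ratelimited(dev, "TX free map points to untracked skb (%s %d idx=%d)\n", skb_is_gso(skb) ? "tso_pool" : "tx_pool", queue_num, bufidx);`. The same scope check applies to `dev` and `queue_num`, neither of which appears in the hunk's visible context lines. Smaller point: the stale skb is released with dev_kfree_skb_any() without touching any drop or error counter, so a recovered leak leaves no trace in the interface statistics beyond the rate-limited log line; that matches the behaviour the quoted commit message describes for the upstream change, so it is a note rather than a blocker.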