APPLIED: [SRU][J][PATCH 0/1] CVE-2025-21855

Stefan Bader stefan.bader at canonical.com
Fri Oct 24 14:04:10 UTC 2025 

On 23/10/2025 14:24, Alessio Faina wrote:
> https://ubuntu.com/security/CVE-2025-21855
> 
> [ Impact ]
> 
> ibmvnic: Don't reference skb after sending to VIOS
> Previously, after successfully flushing the xmit buffer to VIOS,
> the tx_bytes stat was incremented by the length of the skb.
> 
> It is invalid to access the skb memory after sending the buffer to
> the VIOS because, at any point after sending, the VIOS can trigger
> an interrupt to free this memory. A race between reading skb->len
> and freeing the skb is possible (especially during LPM) and will
> result in use-after-free:
>   ==================================================================
>   BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
>   Read of size 4 at addr c00000024eb48a70 by task hxecom/14495
>   <...>
>   Call Trace:
>   [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)
>   [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0
>   [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8
>   [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0
>   [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
>   [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358
>   <...>
>   Freed by task 0:
>   kasan_save_stack+0x34/0x68
>   kasan_save_track+0x2c/0x50
>   kasan_save_free_info+0x64/0x108
>   __kasan_mempool_poison_object+0x148/0x2d4
>   napi_skb_cache_put+0x5c/0x194
>   net_tx_action+0x154/0x5b8
>   handle_softirqs+0x20c/0x60c
>   do_softirq_own_stack+0x6c/0x88
>   <...>
>   The buggy address belongs to the object at c00000024eb48a00 which
>    belongs to the cache skbuff_head_cache of size 224
> ==================================================================
> 
> Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol")
> Signed-off-by: Nick Child <nnac123 at linux.ibm.com>
> Reviewed-by: Simon Horman <horms at kernel.org>
> Link: https://patch.msgid.link/20250214155233.235559-1-nnac123@linux.ibm.com
> Signed-off-by: Jakub Kicinski <kuba at kernel.org>
> 
> [ Fix ]
> 
> Backport commit bdf5d13aa05e from upstream
> 
> Questing: not affected
> Plucky:   not affected
> Noble:    not affected
> Jammy:    backported from upstream
> Focal:    fixed separately
> Bionic:   fixed separately
> Xenial:   fixed separately
> Trusty:   not affected
> 
> [ Test plan ]
> 
> Compiled and boot tested
> 
> [ Regression potential ]
> 
> Small code fix, and can only affect using a IBM virtual NIC device,
> low regression potential
> 
> Nick Child (1):
>    ibmvnic: Don't reference skb after sending to VIOS
> 
>   drivers/net/ethernet/ibm/ibmvnic.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 


Applied to jammy:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251024/39ff5e25/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251024/39ff5e25/attachment-0001.sig>

More information about the kernel-team mailing list