In the Linux kernel, the following vulnerability has been resolved:
net: mana: Fix RX buf alloc_size alignment and atomic op panic
The MANA driver's RX buffer alloc_size is passed into napi_build_skb() to create the SKB. skb_shinfo(skb) is located at the end of the skb, and its alignment is affected by the alloc_size passed into napi_build_skb(). The size needs to be aligned properly for better performance and for atomic operations. Otherwise, on ARM64 CPUs, for certain MTU settings like 4000, atomic operations on skb_shinfo(skb)->dataref may panic due to an alignment fault.
To fix this bug, add proper alignment to the alloc_size calculation.
Sample panic info:
[ 253.298819] Unable to handle kernel paging request at virtual address ffff000129ba5cce
[ 253.300900] Mem abort info:
[ 253.301760] ESR = 0x0000000096000021
[ 253.302825] EC = 0x25: DABT (current EL), IL = 32 bits
[ 253.304268] SET = 0, FnV = 0
[ 253.305172] EA = 0, S1PTW = 0
[ 253.306103] FSC = 0x21: alignment fault
Call trace:
 __skb_clone+0xfc/0x198
 skb_clone+0x78/0xe0
 raw6_local_deliver+0xfc/0x228
 ip6_protocol_deliver_rcu+0x80/0x500
 ip6_input_finish+0x48/0x80
 ip6_input+0x48/0xc0
 ip6_sublist_rcv_finish+0x50/0x78
 ip6_sublist_rcv+0x1cc/0x2b8
 ipv6_list_rcv+0x100/0x150
 __netif_receive_skb_list_core+0x180/0x220
 netif_receive_skb_list_internal+0x198/0x2a8
 __napi_poll+0x138/0x250
 net_rx_action+0x148/0x330
 handle_softirqs+0x12c/0x3a0
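
The alignment dependency described above can be checked with a small user-space model. This is an added example, not code from the kernel or the MANA driver. The constants, the size formula in alloc_size_unaligned(), the helper names and the choice of cache-line rounding are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration; the real ones depend on kernel config. */
#define CACHE_BYTES   64u   /* stand-in for SMP_CACHE_BYTES */
#define SHINFO_SIZE   320u  /* stand-in for sizeof(struct skb_shared_info) */
#define ETH_HDR_LEN   14u
#define DATAREF_ALIGN 4u    /* a 32-bit atomic needs natural 4-byte alignment */

#define ALIGN_UP(x, a) (((x) + ((a) - 1u)) & ~((a) - 1u))

/* The shared info sits at the end of the buffer: buffer size minus the
 * cache-aligned size of the shared-info structure. */
static uint32_t shinfo_offset(uint32_t alloc_size)
{
    return alloc_size - ALIGN_UP(SHINFO_SIZE, CACHE_BYTES);
}

/* Nonzero when the shared info, and so its atomic counter, is naturally
 * aligned for a buffer starting at buf_base. */
static int shinfo_aligned(uint64_t buf_base, uint32_t alloc_size)
{
    return (buf_base + shinfo_offset(alloc_size)) % DATAREF_ALIGN == 0;
}

/* Hypothetical size calculation with no rounding. */
static uint32_t alloc_size_unaligned(uint32_t mtu, uint32_t headroom)
{
    return mtu + ETH_HDR_LEN + headroom + ALIGN_UP(SHINFO_SIZE, CACHE_BYTES);
}

/* The same size rounded up to a cache line (assumed form of the alignment). */
static uint32_t alloc_size_aligned(uint32_t mtu, uint32_t headroom)
{
    return ALIGN_UP(alloc_size_unaligned(mtu, headroom), CACHE_BYTES);
}

int main(void)
{
    const uint64_t base = 0x1000;              /* constructed, page-aligned */
    uint32_t before = alloc_size_unaligned(4000, 0);
    uint32_t after = alloc_size_aligned(4000, 0);

    printf("unaligned: size=%u shinfo@+%u aligned=%d\n", (unsigned)before,
           (unsigned)shinfo_offset(before), shinfo_aligned(base, before));
    printf("aligned:   size=%u shinfo@+%u aligned=%d\n", (unsigned)after,
           (unsigned)shinfo_offset(after), shinfo_aligned(base, after));
    return 0;
}
```

With the assumed constants, MTU 4000 puts the shared info at an offset that is 2 modulo 4, while the rounded size places it on a cache-line boundary.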