In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: Don't reference skb after sending to VIOS
Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb.
It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in a use-after-free:

==================================================================
BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
Read of size 4 at addr c00000024eb48a70 by task hxecom/14495
<...>
Call Trace:
[c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)
[c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0
[c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8
[c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0
[c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
[c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358
<...>
Freed by task 0:
kasan_save_stack+0x34/0x68
kasan_save_track+0x2c/0x50
kasan_save_free_info+0x64/0x108
__kasan_mempool_poison_object+0x148/0x2d4
napi_skb_cache_put+0x5c/0x194
net_tx_action+0x154/0x5b8
handle_softirqs+0x20c/0x60c
do_softirq_own_stack+0x6c/0x88
<...>
The buggy address belongs to the object at c00000024eb48a00 which
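To make the ordering rule concrete, here is an added C sketch that is not the driver's code: the skb, stats and VIOS pieces are toy stand-ins, and the completion is modelled as freeing the buffer the instant the send returns. The buggy path reads skb->len after the handoff and picks up poisoned memory, while the fixed path snapshots the length before the send, which is what the title of the fix implies.

```c
#include <stdint.h>

/* Toy stand-ins, assumed for illustration (not the kernel's sk_buff or ibmvnic types). */
struct skb   { unsigned int len; };
struct stats { uint64_t tx_packets, tx_bytes; };

/* Models the VIOS completion interrupt returning the skb to the slab cache.
 * Real freeing leaves poisoned memory; here the poison is explicit so the
 * stale read is observable without real undefined behaviour. */
static void vios_completion_free(struct skb *skb)
{
    skb->len = 0xdeadbeefu;
}

/* Hands the buffer to the VIOS. From here on the skb may be freed at any
 * moment, so the caller must not touch it again. */
static int send_to_vios(struct skb *skb)
{
    vios_completion_free(skb);  /* worst case: completion lands immediately */
    return 0;
}

/* Buggy ordering: tx_bytes is accounted from skb->len after the send. */
static int xmit_buggy(struct skb *skb, struct stats *st)
{
    if (send_to_vios(skb) != 0) return -1;
    st->tx_packets++;
    st->tx_bytes += skb->len;   /* stale read: the KASAN "Read of size 4" */
    return 0;
}

/* Fixed ordering: snapshot the length before the buffer leaves our hands. */
static int xmit_fixed(struct skb *skb, struct stats *st)
{
    unsigned int skb_len = skb->len;
    if (send_to_vios(skb) != 0) return -1;
    st->tx_packets++;
    st->tx_bytes += skb_len;    /* uses the local copy, never the skb */
    return 0;
}

/* Runs one 1500-byte frame (constructed sample) through either path; returns recorded tx_bytes. */
uint64_t tx_bytes_after_xmit(int use_fixed)
{
    struct skb skb = { 1500u };
    struct stats st = { 0, 0 };
    (use_fixed ? xmit_fixed : xmit_buggy)(&skb, &st);
    return st.tx_bytes;
}
```

In the real driver the same stale read is what KASAN flags, so any statistic or trace that needs skb fields must be captured before the flush to the VIOS.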