CVE-2024-41066

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ibmvnic: Add tx check to prevent skb leak<br /> <br /> Below is a summary of how the driver stores a reference to an skb during<br /> transmit:<br /> tx_buff[free_map[consumer_index]]-&gt;skb = new_skb;<br /> free_map[consumer_index] = IBMVNIC_INVALID_MAP;<br /> consumer_index ++;<br /> Where variable data looks like this:<br /> free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]<br /> consumer_index^<br /> tx_buff == [skb=null, skb=, skb=, skb=null, skb=null]<br /> <br /> The driver has checks to ensure that free_map[consumer_index] pointed to<br /> a valid index but there was no check to ensure that this index pointed<br /> to an unused/null skb address. So, if, by some chance, our free_map and<br /> tx_buff lists become out of sync then we were previously risking an<br /> skb memory leak. This could then cause tcp congestion control to stop<br /> sending packets, eventually leading to ETIMEDOUT.<br /> <br /> Therefore, add a conditional to ensure that the skb address is null. If<br /> not then warn the user (because this is still a bug that should be<br /> patched) and free the old pointer to prevent memleak/tcp problems.