CVE-2024-41088

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: mcp251xfd: fix infinite loop when xmit fails<br /> <br /> When the mcp251xfd_start_xmit() function fails, the driver stops<br /> processing messages, and the interrupt routine does not return,<br /> running indefinitely even after killing the running application.<br /> <br /> Error messages:<br /> [ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16<br /> [ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).<br /> ... and repeat forever.<br /> <br /> The issue can be triggered when multiple devices share the same SPI<br /> interface. And there is concurrent access to the bus.<br /> <br /> The problem occurs because tx_ring-&gt;head increments even if<br /> mcp251xfd_start_xmit() fails. Consequently, the driver skips one TX<br /> package while still expecting a response in<br /> mcp251xfd_handle_tefif_one().<br /> <br /> Resolve the issue by starting a workqueue to write the tx obj<br /> synchronously if err = -EBUSY. In case of another error, decrement<br /> tx_ring-&gt;head, remove skb from the echo stack, and drop the message.<br /> <br /> [mkl: use more imperative wording in patch description]