CVE-2025-21855

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 12/03/2025
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ibmvnic: Don't reference skb after sending to VIOS

Previously, after successfully flushing the xmit buffer to VIOS,
the tx_bytes stat was incremented by the length of the skb.

It is invalid to access the skb memory after sending the buffer to
the VIOS because, at any point after sending, the VIOS can trigger
an interrupt to free this memory. A race between reading skb->len
and freeing the skb is possible (especially during LPM) and will
result in use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
Read of size 4 at addr c00000024eb48a70 by task hxecom/14495

Call Trace:
[c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)
[c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0
[c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8
[c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0
[c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
[c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358

Freed by task 0:
kasan_save_stack+0x34/0x68
kasan_save_track+0x2c/0x50
kasan_save_free_info+0x64/0x108
__kasan_mempool_poison_object+0x148/0x2d4
napi_skb_cache_put+0x5c/0x194
net_tx_action+0x154/0x5b8
handle_softirqs+0x20c/0x60c
do_softirq_own_stack+0x6c/0x88

The buggy address belongs to the object at c00000024eb48a00 which
belongs to the cache skbuff_head_cache of size 224
==================================================================
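The ordering problem described above, reduced to a userspace C model. This is an added illustration, not code from the ibmvnic driver or from its fix: `struct pkt`, `struct stats`, `send_to_device` and both `xmit_*` functions are hypothetical names, and the free is simulated by poisoning the object so that the stale read is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an skb: only the field the stat update needs. */
struct pkt { unsigned int len; };

struct stats { unsigned long tx_bytes; };

/* Hypothetical hand-off to the device. Ownership of p passes to the other
 * side, which here completes at once and "frees" p by overwriting it with
 * a poison byte, standing in for the completion path releasing the skb. */
static int send_to_device(struct pkt *p)
{
    memset(p, 0x6b, sizeof(*p));
    return 0;
}

/* Pattern described in the advisory: read p->len after the hand-off. */
unsigned long xmit_len_after_send(struct stats *st, struct pkt *p)
{
    if (send_to_device(p) == 0)
        st->tx_bytes += p->len;    /* stale read: p is no longer ours */
    return st->tx_bytes;
}

/* Safe ordering: copy what is needed while the buffer is still owned. */
unsigned long xmit_len_before_send(struct stats *st, struct pkt *p)
{
    unsigned int len = p->len;     /* snapshot before giving p away */

    if (send_to_device(p) == 0)
        st->tx_bytes += len;
    return st->tx_bytes;
}

int main(void)
{
    struct stats a = {0}, b = {0};
    struct pkt p1 = { .len = 1500 }, p2 = { .len = 1500 };  /* constructed */

    printf("read after send:  tx_bytes=%lu\n", xmit_len_after_send(&a, &p1));
    printf("read before send: tx_bytes=%lu\n", xmit_len_before_send(&b, &p2));
    return 0;
}
```

In the kernel the free is asynchronous, so the stale read only sometimes lands on reused or poisoned memory, which is why the report comes from a KASAN-instrumented run.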

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        4.5 (including)    6.1.130 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.2 (including)    6.6.80 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)    6.12.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.13 (including)   6.13.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*