Commit 8f24935

Merge: Updates for ibmvnic skb
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6829
Description: Updates for ibmvnic skb
JIRA: https://issues.redhat.com/browse/RHEL-83359
CVE: CVE-2025-21855
Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=67512942
Tested: Verified Brew build test kernel RPMs
Signed-off-by: Mamatha Inamdar <minamdar@redhat.com>

commit bdf5d13
Author: Nick Child <nnac123@linux.ibm.com>
Date: Fri Feb 14 09:52:33 2025 -0600

ibmvnic: Don't reference skb after sending to VIOS

Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free:

==================================================================
BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
Read of size 4 at addr c00000024eb48a70 by task hxecom/14495
<...>
Call Trace:
[c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)
[c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0
[c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8
[c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0
[c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
[c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358
<...>
Freed by task 0:
kasan_save_stack+0x34/0x68
kasan_save_track+0x2c/0x50
kasan_save_free_info+0x64/0x108
__kasan_mempool_poison_object+0x148/0x2d4
napi_skb_cache_put+0x5c/0x194
net_tx_action+0x154/0x5b8
handle_softirqs+0x20c/0x60c
do_softirq_own_stack+0x6c/0x88
<...>
The buggy address belongs to the object at c00000024eb48a00
which belongs to the cache skbuff_head_cache of size 224
==================================================================

Fixes: 032c5e8 ("Driver for IBM System i/p VNIC protocol")
Signed-off-by: Nick Child <nnac123@linux.ibm.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250214155233.235559-1-nnac123@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Mamatha Inamdar <minamdar@redhat.com>
Approved-by: Steve Best <sbest@redhat.com>
Approved-by: Izabela Bakollari <ibakolla@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>
Approved-by: Ivan Vecera <ivecera@redhat.com>
Merged-by: Augusto Caringi <acaringi@redhat.com>
2 parents 44e810a + ce1648e commit 8f24935

1 file changed: +3 -1 lines changed

drivers/net/ethernet/ibm/ibmvnic.c

Lines changed: 3 additions & 1 deletion
@@ -2201,6 +2201,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev)
22012201
dma_addr_t data_dma_addr;
22022202
struct netdev_queue *txq;
22032203
unsigned long lpar_rc;
2204+
unsigned int skblen;
22042205
union sub_crq tx_crq;
22052206
unsigned int offset;
22062207
bool use_scrq_send_direct = false;
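Review bot: Style only on the new declaration: `unsigned int skblen;` is placed between `unsigned long lpar_rc;` and `union sub_crq tx_crq;`, and netdev code usually orders locals longest line first (reverse christmas tree), so it would sit better next to `unsigned int offset;`, which is the same length. The type is right: skb->len is an unsigned int, so caching it in `unsigned int skblen` cannot truncate, and the 4-byte read in the KASAN report is consistent with that width. The surrounding block is not strictly ordered either, so this is optional.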
@@ -2314,6 +2315,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev)
23142315
tx_buff->skb = skb;
23152316
tx_buff->index = bufidx;
23162317
tx_buff->pool_index = queue_num;
2318+
skblen = skb->len;
23172319

23182320
memset(&tx_crq, 0, sizeof(tx_crq));
23192321
tx_crq.v1.first = IBMVNIC_CRQ_CMD;
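Review bot: The assignment `skblen = skb->len;` needs a comment saying why the length is cached; nothing at this site hints that skb becomes unreadable once the buffer is handed to the VIOS, and a future cleanup could fold the read back into the stats update and reintroduce the use-after-free the commit message describes. Suggest a line such as `/* skb may be freed by VIOS once sent; cache len for tx_bytes */` above it. The placement itself is correct: the value is taken while tx_buff is still being populated, before tx_crq is even zeroed, so no send can have happened yet.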
@@ -2404,7 +2406,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev)
24042406
}
24052407

24062408
tx_packets++;
2407-
tx_bytes += skb->len;
2409+
tx_bytes += skblen;
24082410
txq_trans_cond_update(txq);
24092411
ret = NETDEV_TX_OK;
24102412
goto out;
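Review bot: `tx_bytes += skblen;` removes the one post-send skb dereference this report exercised, but the commit message states the general rule (no skb access after the buffer is sent), so the reviewer should confirm no other `skb->` read remains between the send and `goto out`, including the error paths outside this hunk; the fix shown only covers the success path where `ret = NETDEV_TX_OK` follows. It would also be worth a one-line note in the commit message that the accounting is unchanged in value, since skblen was captured before the send and skb->len is not modified in between.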
