Linux Kernel Race Condition Vulnerability in Ethernet OA_TC6 Component

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's Ethernet OA_TC6 component, specifically related to the management of transmission socket buffers (SKBs) between two pointers: 'waiting_tx_skb' and 'ongoing_tx_skb'. This vulnerability arises from the concurrent handling of SKBs in different threads without proper synchronization. When the 'ongoing_tx_skb' is processed, the next SKB is moved from 'waiting_tx_skb' to 'ongoing_tx_skb' without checking if 'waiting_tx_skb' is NULL. This oversight can lead to one SKB being left unprocessed, causing packet loss and a memory leak.

Impact

The vulnerability can result in packet loss and a memory leak, as unprocessed SKBs accumulate in memory.

Reproduction

The vulnerability can be reproduced by enqueuing a new transmission SKB while another SKB is being processed. If the 'waiting_tx_skb' pointer is NULL, the 'ongoing_tx_skb' pointer can also be set to NULL, overwriting the reference to the SKB that is currently being handled. This scenario creates a race condition where one SKB is left unprocessed.

Remediation

The vulnerability can be addressed by synchronizing the movement of SKB references between the 'waiting_tx_skb' and 'ongoing_tx_skb' pointers, so that one thread cannot access 'waiting_tx_skb' until the other thread's current operation on it is complete.
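
The lost-SKB interleaving and the synchronized fix described above, as an added example that is not part of the original advisory and is not the kernel driver's code. It is a single-threaded userspace C model in which a callback stands in for the second thread running between the two pointer stores. Every name other than 'waiting_tx_skb' and 'ongoing_tx_skb' is an assumption, as are the atomic_flag used in place of a kernel lock and the retry after a refused enqueue.

```c
/* Userspace model of the two TX pointers (added example, not kernel code). */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

struct skb { int id; };                /* stand-in for struct sk_buff */
struct txq {
    struct skb *waiting_tx_skb, *ongoing_tx_skb;
    atomic_flag lock;                  /* assumed stand-in for a kernel lock */
};
typedef int (*enqueue_fn)(struct txq *, struct skb *);
/* Network-stack side, unsynchronized: claim the waiting slot if it is free. */
static int enqueue_racy(struct txq *q, struct skb *s) {
    if (q->waiting_tx_skb)
        return 0;                      /* slot busy, SKB refused */
    q->waiting_tx_skb = s;
    return 1;                          /* SKB accepted */
}
/* Synchronized variant: refuse while the mover holds the lock. */
static int enqueue_locked(struct txq *q, struct skb *s) {
    if (atomic_flag_test_and_set(&q->lock))
        return 0;
    int ok = enqueue_racy(q, s);
    atomic_flag_clear(&q->lock);
    return ok;
}
/* SPI side: move waiting -> ongoing; `other` models the stack running mid-move. */
static int move_next(struct txq *q, int use_lock, enqueue_fn other, struct skb *s) {
    if (use_lock)
        while (atomic_flag_test_and_set(&q->lock)) { }
    q->ongoing_tx_skb = q->waiting_tx_skb;
    int accepted = other(q, s);        /* the race window */
    q->waiting_tx_skb = NULL;
    if (use_lock)
        atomic_flag_clear(&q->lock);
    return accepted;
}
/* Returns 1 if the SKB offered during the move is still referenced afterwards. */
int skb_survives(int use_lock) {
    struct txq q = { NULL, NULL, ATOMIC_FLAG_INIT };
    struct skb s = { 1 };
    if (!move_next(&q, use_lock, use_lock ? enqueue_locked : enqueue_racy, &s))
        enqueue_locked(&q, &s);        /* stack retries the refused SKB */
    return q.waiting_tx_skb == &s || q.ongoing_tx_skb == &s;
}

int main(void) {
    printf("unsynchronized: %d, locked: %d\n", skb_survives(0), skb_survives(1));
    return 0;
}
```

Without the lock, skb_survives(0) returns 0: the SKB accepted inside the window is overwritten with NULL, so it is neither sent nor freed. With the lock, skb_survives(1) returns 1.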

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.