Description
In the Linux kernel, the following vulnerability has been resolved:

espintcp: Fix race condition in espintcp_close()

This issue was discovered during a code audit.

After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the espintcp_tx_work() worker may dereference a freed espintcp ctx or sk.

The following is a simple race scenario:

           cpu0                      cpu1

  espintcp_close()
    cancel_work_sync(&ctx->work);
                                     espintcp_write_space()
                                       schedule_work(&ctx->work);

To prevent this race condition, cancel_work_sync() is replaced with disable_work_sync().
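The interleaving described above, replayed in a userspace C model; this is an added example, not part of the CVE record or the kernel patch. The model_* helpers and close_race_hits_freed_ctx() are hypothetical names that mimic only the queue, cancel and disable semantics of the kernel workqueue calls, on the assumption that close releases the ctx after the cancel/disable call.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model (not kernel code) of the work-item state that matters. */
struct model_work {
    bool pending;   /* queued, worker has not run yet */
    int  disabled;  /* disable depth; nonzero means queueing is refused */
};

/* Models schedule_work(): refused while disabled or already pending. */
static bool model_schedule_work(struct model_work *w)
{
    if (w->disabled || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Models cancel_work_sync(): drops a pending item, queueing stays allowed. */
static void model_cancel_work_sync(struct model_work *w) { w->pending = false; }

/* Models disable_work_sync(): drops a pending item and blocks requeueing. */
static void model_disable_work_sync(struct model_work *w)
{
    w->disabled++;
    w->pending = false;
}

/* Replays the interleaving; true means the worker would run on a freed ctx. */
bool close_race_hits_freed_ctx(bool use_disable)
{
    struct model_work work = { .pending = true, .disabled = 0 };
    bool ctx_freed = false;

    if (use_disable)                  /* cpu0: espintcp_close() */
        model_disable_work_sync(&work);
    else
        model_cancel_work_sync(&work);
    model_schedule_work(&work);       /* cpu1: espintcp_write_space() */
    ctx_freed = true;                 /* cpu0: close finishes, ctx released */
    return work.pending && ctx_freed; /* worker runs only if still pending */
}

int main(void)
{
    printf("cancel_work_sync:  stale worker run = %d\n", close_race_hits_freed_ctx(false));
    printf("disable_work_sync: stale worker run = %d\n", close_race_hits_freed_ctx(true));
    return 0;
}
```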
Product status
e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 (git) before f7ad8b1d0e421c524604d5076b73232093490d5c
e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 (git) before 664e9df53226b4505a0894817ecad2c610ab11d8
e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 (git) before 022ff7f347588de6e17879a1da6019647b21321b
e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 (git) before e1512c1db9e8794d8d130addd2615ec27231d994
5.6
Any version before 5.6
6.12.75 (semver)
6.18.16 (semver)
6.19.6 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/f7ad8b1d0e421c524604d5076b73232093490d5c
git.kernel.org/...c/664e9df53226b4505a0894817ecad2c610ab11d8
git.kernel.org/...c/022ff7f347588de6e17879a1da6019647b21321b
git.kernel.org/...c/e1512c1db9e8794d8d130addd2615ec27231d994