Description
In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object. The following is a simple race scenario: cpu0 cpu1 tls_sk_proto_close() tls_sw_cancel_work_tx() tls_write_space() tls_sw_write_space() if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); cancel_delayed_work_sync(&ctx->tx_work.work); schedule_delayed_work(&tx_ctx->tx_work.work, 0); To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
Product status
f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 (git) before a5de36d6cee74a92c1a21b260bc507e64bc451de
f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 (git) before 854cd32bc74fe573353095e90958490e4e4d641b
f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 (git) before 17153f154f80be2b47ebf52840f2d8f724eb2f3b
f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 (git) before 7bb09315f93dce6acc54bf59e5a95ba7365c2be4
5.3
Any version before 5.3
6.12.75 (semver)
6.18.16 (semver)
6.19.6 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/a5de36d6cee74a92c1a21b260bc507e64bc451de
git.kernel.org/...c/854cd32bc74fe573353095e90958490e4e4d641b
git.kernel.org/...c/17153f154f80be2b47ebf52840f2d8f724eb2f3b
git.kernel.org/...c/7bb09315f93dce6acc54bf59e5a95ba7365c2be4