espintcp: Fix race condition in espintcp_close() - linux - Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/

diff options

author	Hyunwoo Kim <imv4bel@gmail.com>	2026-02-18 02:16:43 +0900
committer	Jakub Kicinski <kuba@kernel.org>	2026-02-19 14:27:40 -0800
commit	e1512c1db9e8794d8d130addd2615ec27231d994 (patch)
tree	934622153d95dbf721781cea80ac97a8fa9da7de /scripts/objdiff
parent	f891007ab1c77436950d10e09eae54507f1865ff (diff)
download	linux-e1512c1db9e8794d8d130addd2615ec27231d994.tar.gz linux-e1512c1db9e8794d8d130addd2615ec27231d994.zip

espintcp: Fix race condition in espintcp_close()

This issue was discovered during a code audit. After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the espintcp_tx_work() worker may dereference a freed espintcp ctx or sk. The following is a simple race scenario: cpu0 cpu1 espintcp_close() cancel_work_sync(&ctx->work); espintcp_write_space() schedule_work(&ctx->work); To prevent this race condition, cancel_work_sync() is replaced with disable_work_sync(). Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)") Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/aZSie7rEdh9Nu0eM@v4bel Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Diffstat (limited to 'scripts/objdiff')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: