From: Simon Horman <horms@kernel.org>
To: Hyunwoo Kim <imv4bel@gmail.com>
Cc: steffen.klassert@secunet.com, herbert@gondor.apana.org.au,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, netdev@vger.kernel.org,
Sabrina Dubroca <sd@queasysnail.net>
Subject: Re: [PATCH net v2] espintcp: Fix race condition in espintcp_close()
Date: Wed, 18 Feb 2026 09:44:16 +0000 [thread overview]
Message-ID: <aZWJ8KeUttdEIi3v@horms.kernel.org>
In-Reply-To: <aZSie7rEdh9Nu0eM@v4bel>
+ Sabrina
On Wed, Feb 18, 2026 at 02:16:43AM +0900, Hyunwoo Kim wrote:
> This issue was discovered during a code audit.
>
> After cancel_work_sync() is called from espintcp_close(),
> espintcp_tx_work() can still be scheduled from paths such as
> the Delayed ACK handler or ksoftirqd.
> As a result, the espintcp_tx_work() worker may dereference a
> freed espintcp ctx or sk.
>
> The following is a simple race scenario:
>
>   cpu0                                cpu1
>
>   espintcp_close()
>     cancel_work_sync(&ctx->work);
>                                       espintcp_write_space()
>                                         schedule_work(&ctx->work);
>
> To prevent this race condition, cancel_work_sync() is
> replaced with disable_work_sync().
>
> Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
> Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
> ---
> Changes in v2:
> - Shorten the patch subject
> - Target the net tree
> - Add the bug discovery background and the race scenario to the commit message
> - v1: https://lore.kernel.org/all/aZLmvv51f5Iu9G7b@v4bel/
Thanks for taking my review into account [1].
This version looks good to me.
Reviewed-by: Simon Horman <horms@kernel.org>
It seems that get_maintainer.pl highlights that Sabrina is also a
maintainer, so I have CCed here and left the full context of the
patch in place for her convenience.
[1] https://lore.kernel.org/netdev/aZSbSOVuRgkjeezg@v4bel/
> ---
> net/xfrm/espintcp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/xfrm/espintcp.c b/net/xfrm/espintcp.c
> index bf744ac9d5a7..8709df716e98 100644
> --- a/net/xfrm/espintcp.c
> +++ b/net/xfrm/espintcp.c
> @@ -536,7 +536,7 @@ static void espintcp_close(struct sock *sk, long timeout)
> sk->sk_prot = &tcp_prot;
> barrier();
>
> - cancel_work_sync(&ctx->work);
> + disable_work_sync(&ctx->work);
> strp_done(&ctx->strp);
>
> skb_queue_purge(&ctx->out_queue);
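Review bot: the reason for preferring disable_work_sync() over cancel_work_sync() in this hunk lives only in the commit message; a short comment above the call would help later readers of espintcp_close(), since the surrounding lines (the sk_prot swap, barrier(), strp_done()) give no hint that espintcp_write_space() can still queue ctx->work after this point. Something like:

	/* espintcp_write_space() may still queue this work; disable rather
	 * than cancel it so a late schedule_work() is rejected */
	disable_work_sync(&ctx->work);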
> --
> 2.43.0
>
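The following is an added illustration of the semantic difference the patch above relies on; it is not kernel code and not part of the original thread. It is a constructed single-threaded model (the `model_*` functions and `struct ctx_model` are invented for this example) that replays the cpu0/cpu1 timeline from the commit message: a work item is queued, close() cancels or disables it, the other cpu calls write_space() and re-queues it, the ctx is released, and the worker runs last. The model assumes only the documented contracts: cancel_work_sync() drops the queued instance but accepts later schedule_work() calls, while disable_work_sync() also makes later schedule_work() calls return false.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed single-threaded model of a kernel work item (not the kernel
 * workqueue code). It keeps only the two states that matter for the
 * espintcp_close() race: whether the item is queued and whether it has
 * been disabled.
 */
struct work_model {
	bool pending;   /* queued; runs on the next worker pass */
	bool disabled;  /* disable_work_sync() was called */
	void (*fn)(void *data);
	void *data;
};

/* Model of the espintcp ctx that the worker dereferences. "Freed" is a
 * flag here rather than a real kfree() so the replay stays runnable. */
struct ctx_model {
	struct work_model work;
	bool freed;          /* set once close() has released the ctx */
	int runs_after_free; /* worker passes that touched the freed ctx */
};

/* schedule_work(): queue unless disabled or already queued; true if queued. */
static bool model_schedule_work(struct work_model *w)
{
	if (w->disabled || w->pending)
		return false;
	w->pending = true;
	return true;
}

/* The worker thread picking up a queued item. */
static void model_run_pending(struct work_model *w)
{
	if (!w->pending)
		return;
	w->pending = false;
	w->fn(w->data);
}

/* cancel_work_sync(): drops the queued instance; a later schedule_work()
 * is still accepted, which is the window the race in the commit message uses. */
static void model_cancel_work_sync(struct work_model *w)
{
	w->pending = false;
}

/* disable_work_sync(): drops the queued instance and rejects later calls. */
static void model_disable_work_sync(struct work_model *w)
{
	w->pending = false;
	w->disabled = true;
}

/* Stand-in for espintcp_tx_work(): touches the ctx, which may be gone. */
static void model_tx_work(void *data)
{
	struct ctx_model *ctx = data;

	if (ctx->freed)
		ctx->runs_after_free++;
}

/*
 * Replays the commit-message timeline: cpu0 runs close() and tears the ctx
 * down, cpu1 calls write_space() in between, and the worker runs last.
 * Returns how many times the worker ran against the freed ctx.
 */
static int replay_close(bool use_disable)
{
	struct ctx_model ctx = { .work = { .fn = model_tx_work, .data = &ctx } };

	model_schedule_work(&ctx.work);          /* work queued before close */
	if (use_disable)                         /* cpu0: espintcp_close() */
		model_disable_work_sync(&ctx.work);
	else
		model_cancel_work_sync(&ctx.work);
	model_schedule_work(&ctx.work);          /* cpu1: espintcp_write_space() */
	ctx.freed = true;                        /* close() returns, ctx released */
	model_run_pending(&ctx.work);            /* worker runs later (ksoftirqd etc.) */
	return ctx.runs_after_free;
}

int main(void)
{
	printf("cancel_work_sync : %d worker run(s) on freed ctx\n", replay_close(false));
	printf("disable_work_sync: %d worker run(s) on freed ctx\n", replay_close(true));
	return 0;
}
```

With cancel the late schedule_work() is accepted and the worker runs once against the released ctx; with disable the same call returns false and the worker never runs, which is the behaviour the one-line patch buys.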
Thread overview: 3+ messages
2026-02-17 17:16 [PATCH net v2] espintcp: Fix race condition in espintcp_close() Hyunwoo Kim
2026-02-18 9:44 ` Simon Horman [this message]
2026-02-19 22:40 ` patchwork-bot+netdevbpf