In the Linux kernel, the following vulnerability has been resolved:
ipv6: mcast: fix data-race in ipv6mcdown / mldifcwork
idev->mcifccount can be written over without proper locking.
Originally found by syzbot [1], fix this issue by encapsulating calls to mldifcstopwork() (and mldgqstopwork() for good measure) with mutexlock() and mutexunlock() accordingly as these functions should only be called with mc_lock per their declarations.
[1] BUG: KCSAN: data-race in ipv6mcdown / mldifcwork
write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0: mldifcstopwork net/ipv6/mcast.c:1080 [inline] ipv6mcdown+0x10a/0x280 net/ipv6/mcast.c:2725 addrconfifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949 addrconfnotify+0x310/0x980 notifiercallchain kernel/notifier.c:93 [inline] rawnotifiercallchain+0x6b/0x1c0 kernel/notifier.c:461 _devnotifyflags+0x205/0x3d0 devchangeflags+0xab/0xd0 net/core/dev.c:8685 dosetlink+0x9f6/0x2430 net/core/rtnetlink.c:2916 rtnlgroupchangelink net/core/rtnetlink.c:3458 [inline] _rtnlnewlink net/core/rtnetlink.c:3717 [inline] rtnlnewlink+0xbb3/0x1670 net/core/rtnetlink.c:3754 rtnetlinkrcvmsg+0x807/0x8c0 net/core/rtnetlink.c:6558 netlinkrcvskb+0x126/0x220 net/netlink/afnetlink.c:2545 rtnetlinkrcv+0x1c/0x20 net/core/rtnetlink.c:6576 netlinkunicastkernel net/netlink/afnetlink.c:1342 [inline] netlinkunicast+0x589/0x650 net/netlink/afnetlink.c:1368 netlinksendmsg+0x66e/0x770 net/netlink/afnetlink.c:1910 ...
write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1: mldifcwork+0x54c/0x7b0 net/ipv6/mcast.c:2653 processonework kernel/workqueue.c:2627 [inline] processscheduledworks+0x5b8/0xa30 kernel/workqueue.c:2700 worker_thread+0x525/0x730 kernel/workqueue.c:2781 ...