In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: oa_tc6: fix tx skb race condition between reference pointers
There are two skb pointers to manage tx skb's enqueued from n/w stack. waitingtxskb pointer points to the tx skb which needs to be processed and ongoingtxskb pointer points to the tx skb which is being processed.
SPI thread prepares the tx data chunks from the tx skb pointed by the ongoingtxskb pointer. When the tx skb pointed by the ongoingtxskb is processed, the tx skb pointed by the waitingtxskb is assigned to ongoingtxskb and the waitingtxskb pointer is assigned with NULL. Whenever there is a new tx skb from n/w stack, it will be assigned to waitingtxskb pointer if it is NULL. Enqueuing and processing of a tx skb handled in two different threads.
Consider a scenario where the SPI thread processed an ongoingtxskb and it moves next tx skb from waitingtxskb pointer to ongoingtxskb pointer without doing any NULL check. At this time, if the waitingtxskb pointer is NULL then ongoingtxskb pointer is also assigned with NULL. After that, if a new tx skb is assigned to waitingtxskb pointer by the n/w stack and there is a chance to overwrite the tx skb pointer with NULL in the SPI thread. Finally one of the tx skb will be left as unhandled, resulting packet missing and memory leak.
In the oatc6preparespitxbuffortxskbs() ongoingtxskb = NULL; waitingtxskb = NULL;
Now the below bad case might happen,
Thread1 (oatc6startxmit) Thread2 (oatc6spithread_handler)
To overcome the above issue, protect the moving of tx skb reference from waitingtxskb pointer to ongoingtxskb pointer and assigning new tx skb to waitingtxskb pointer, so that the other thread can't access the waitingtxskb pointer until the current thread completes moving the tx skb reference safely.