In the Linux kernel, the following vulnerability has been resolved:
net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning:
rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb); }
rtl8150_set_multicast() { netif_stop_queue(); netif_wake_queue(); <– wakes up TX queue before URB is done }
rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb); <– double submission }
rtl8150_set_multicast being the ndo_set_rx_mode callback should not be calling netif_stop_queue and notif_start_queue as these handle TX queue synchronization.
The net core function dev_set_rx_mode handles the synchronization for rtl8150_set_multicast making it safe to remove these locks.