Ding Hui

#32942de 53,635
7.8 CVSS total
Vulnerabilities · 1
PT-2023-9296
7.8
2023-06-05
Linux · Linux Kernel · CVE-2023-52885
**Name of the Vulnerable Software and Affected Versions**

Linux kernel versions prior to 6.3.0

**Description**

The vulnerability is a use-after-free in the `svc_tcp_listen_data_ready()` function. When the listener `svc_sock` is freed, there is a window, before `svc_tcp_accept()` is invoked for the established child sock, in which the newsock still holds the freed listener `svc_sock` in `sk_user_data`, cloned from the parent. If data is received on the newsock during this race window, a use-after-free report is observed in `svc_tcp_listen_data_ready()`. The issue can be reproduced by running two tasks concurrently: `while :; do rpc.nfsd 0 ; rpc.nfsd; done` and `while :; do echo "" | ncat -4 127.0.0.1 2049 ; done`.

**Recommendations**

The fix is to do nothing in `svc_tcp_listen_data_ready()` when the socket state is not `TCP_LISTEN`, which avoids dereferencing `svsk` for all child sockets. Update to a version of the Linux kernel that includes this fix, such as version 6.3.0 or later.