From: Eric Dumazet <[email protected]> Date: Tue, 5 Feb 2019 15:38:44 -0800
> Since mISDN_close() uses dev->pending to iterate over active > timers, there is a chance that one timer got removed from the > ->pending list in dev_expire_timer() but that the thread > has not called yet wake_up_interruptible() > > So mISDN_close() could miss this and free dev before > completion of at least one dev_expire_timer() > > syzbot was able to catch this race : ... > Signed-off-by: Eric Dumazet <[email protected]> > Cc: Karsten Keil <[email protected]> > Reported-by: syzbot <[email protected]> Applied.
