From: Eric Dumazet <eduma...@google.com>
Date: Tue, 5 Feb 2019 15:38:44 -0800

> Since mISDN_close() uses dev->pending to iterate over active
> timers, there is a chance that one timer got removed from the
> ->pending list in dev_expire_timer() but that the thread
> has not called yet wake_up_interruptible()
>
> So mISDN_close() could miss this and free dev before
> completion of at least one dev_expire_timer()
>
> syzbot was able to catch this race :
...
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Cc: Karsten Keil <i...@linux-pingi.de>
> Reported-by: syzbot <syzkal...@googlegroups.com>

Applied.