From: Taehee Yoo <ap420...@gmail.com>
Date: Tue, 16 Jun 2020 16:04:00 +0000
> In the datapath, the ip6gre_tunnel_lookup() is used and it internally uses
> fallback tunnel device pointer, which is fb_tunnel_dev.
> This pointer variable should be set to NULL when a fb interface is deleted.
> But there is no routine to set fb_tunnel_dev pointer to NULL.
> So, this pointer will be still used after interface is deleted and
> it eventually results in the use-after-free problem.
>
> Test commands:
...
> Splat looks like:
...
> Suggested-by: Eric Dumazet <eric.duma...@gmail.com>
> Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
> Signed-off-by: Taehee Yoo <ap420...@gmail.com>
Applied and queued up for -stable.
