From: Taehee Yoo <ap420...@gmail.com>
Date: Tue, 16 Jun 2020 16:51:51 +0000
> In the datapath, the ip_tunnel_lookup() is used and it internally uses
> fallback tunnel device pointer, which is fb_tunnel_dev.
> This pointer variable should be set to NULL when a fb interface is deleted.
> But there is no routine to set fb_tunnel_dev pointer to NULL.
> So, this pointer will be still used after interface is deleted and
> it eventually results in the use-after-free problem.
>
> Test commands:
...
> Splat looks like:
...
> Suggested-by: Eric Dumazet <eric.duma...@gmail.com>
> Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
> Signed-off-by: Taehee Yoo <ap420...@gmail.com>
Applied and queued up for -stable.
