Am 01.03.2018 um 10:30 schrieb Johannes Berg:
> Hi,
>
>> syzbot hit the following crash on upstream commit
>> f3afe530d644488a074291da04a69a296ab63046 (Tue Feb 27 22:02:39 2018 +0000)
>> Merge branch 'fixes-v4.16-rc4' of  
>> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
>>
>> So far this crash happened 4 times on upstream.
>> Unfortunately, I don't have any reproducer for this crash yet.
>> Raw console output is attached.
> That's ... a pretty complex scenario.
>
> Looks like we have a race between destroying a network namespace, which
> moves everything back into the init_ns and may have to rename objects
> asynchronously (cleanup_net), with destroying the radio in hwsim that's
> also asynchronous (destroy_radio).
>
> Benjamin, would you be able to take a look at this? I'm preparing for a
> trip and will leave Saturday for a week so I don't think I'll be able
> to really dig into this before mid-March.
>
> johannes
>
Could you give me a link to or forward the original email ? I googled
"KASAN: use-after-free Read in mac80211_hwsim_del_radio", but only your
answer (without the logs) appears. I try to have a look then in the next
few days.

kind regards

Benjamin

-- 
M.Sc. Benjamin Beichler

Universität Rostock, Fakultät für Informatik und Elektrotechnik
Institut für Angewandte Mikroelektronik und Datentechnik

University of Rostock, Department of CS and EE
Institute of Applied Microelectronics and CE

Richard-Wagner-Straße 31
18119 Rostock
Deutschland/Germany

phone: +49 (0) 381 498 - 7278
email: Benjamin.Beichler@uni-rostock.de
www: http://www.imd.uni-rostock.de/