CVE-2022-49968

Source
https://cve.org/CVERecord?id=CVE-2022-49968
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49968.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49968
Published
2025-06-18T11:00:32.443Z
Modified
2026-03-12T03:26:00.809372Z
Summary
ieee802154/adf7242: defer destroy_workqueue call
Details

In the Linux kernel, the following vulnerability has been resolved:

ieee802154/adf7242: defer destroy_workqueue call

There is a possible race condition (use-after-free) like below

  (FREE)                     |  (USE)
  adf7242_remove             |  adf7242_channel
   cancel_delayed_work_sync  |
    destroy_workqueue (1)    |   adf7242_cmd_rx
                             |    mod_delayed_work (2)
                             |

The root cause for this race is that the upper layer (ieee802154) is unaware of this detaching event and the function adf7242_channel can be called without any checks.

To fix this, we can add a flag write at the beginning of adf7242_remove and add a flag check in adf7242_channel. Or we can just defer the destructive operation like the other commit 3e0588c291d6 ("hamradio: defer ax25 kfree after unregister_netdev"), which lets ieee802154_unregister_hw() handle the synchronization. This patch takes the second option.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49968.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
58e9683d14752debc6f22daf6b23e031787df31f
Fixed
dede80aaf01f4b6e8657d23726cb4a3da226ec4c
Fixed
bed12d7531df1417fc92c691999ff95e03835008
Fixed
23a29932715ca43bceb2eae1bdb770995afe7271
Fixed
9f8558c5c642c62c450c98c99b7d18a709fff485
Fixed
15f3b89bd521d5770d36a61fc04a77c293138ba6
Fixed
afe7116f6d3b888778ed6d95e3cf724767b9aedf
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a2363e2d88bf50022ee643c49ee5d4f7e8c915ea

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49968.json"