In the Linux kernel, the following vulnerability has been resolved:
cfg80211: fix race in netlink owner interface destruction
My previous fix here to fix the deadlock left a race where the exact same deadlock (see the original commit referenced below) can still happen if cfg80211destroyifaces() already runs while nl80211netlinknotify() is still marking some interfaces as nlownerdead.
The race happens because we have two loops here - first we dev_close() all the netdevs, and then we destroy them. If we also have two netdevs (first one need only be a wdev though) then we can find one during the first iteration, close it, and go to the second iteration -- but then find two, and try to destroy also the one we didn't close yet.
Fix this by only iterating once.