In the Linux kernel, the following vulnerability has been resolved:
ravb: Fix use-after-free issue in ravb_tx_timeout_work()
The ravb_stop() should call cancel_work_sync(). Otherwise, ravb_tx_timeout_work() is possible to use the freed priv after ravb_remove() was called like below:
CPU0                        CPU1
                            ravb_tx_timeout()
ravb_remove()
unregister_netdev()
free_netdev(ndev)
// free priv
                            ravb_tx_timeout_work()
                            // use priv
unregister_netdev() will call .ndo_stop() so that ravb_stop() is called. And, after phy_stop() is called, netif_carrier_off() is also called. So that .ndo_tx_timeout() will not be called after phy_stop().
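The interleaving above, replayed as a deterministic userspace model. This is an added example, not the ravb driver's code: every demo_* name is hypothetical, and a `freed` flag stands in for free_netdev() so the model never touches released memory.

```c
#include <stdbool.h>
#include <stdio.h>

struct demo_priv;
struct demo_work {
    bool pending;              /* queued, not yet run */
    struct demo_priv *owner;   /* what the handler will dereference */
};
struct demo_priv {
    bool freed;                /* stands in for free_netdev() having run */
    struct demo_work tx_timeout_work;
};

/* CPU1: the timeout callback only queues deferred work. */
static void demo_tx_timeout(struct demo_priv *p) {
    p->tx_timeout_work.owner = p;
    p->tx_timeout_work.pending = true;
}

/* Model of cancel_work_sync(): on return the work is no longer pending
 * (the real call also waits for a handler that is already running). */
static void demo_cancel_work_sync(struct demo_work *w) { w->pending = false; }

/* Model of the .ndo_stop() handler, before (fixed=false) and after the fix. */
static void demo_stop(struct demo_priv *p, bool fixed) {
    if (fixed)
        demo_cancel_work_sync(&p->tx_timeout_work);
}

/* CPU1 later: worker runs queued work; true means it touched freed priv. */
static bool demo_run_pending(struct demo_work *w) {
    if (!w->pending)
        return false;
    w->pending = false;
    return w->owner->freed;
}

/* Replays the interleaving from the diagram; true = use-after-free reached. */
bool demo_teardown_uaf(bool fixed) {
    struct demo_priv priv = { 0 };
    demo_tx_timeout(&priv);     /* CPU1: work queued */
    demo_stop(&priv, fixed);    /* CPU0: unregister_netdev() -> .ndo_stop() */
    priv.freed = true;          /* CPU0: free_netdev(ndev) */
    return demo_run_pending(&priv.tx_timeout_work);
}

int main(void) {
    printf("without cancel: uaf=%d\n", demo_teardown_uaf(false));
    printf("with cancel:    uaf=%d\n", demo_teardown_uaf(true));
    return 0;
}
```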