From: Yousef Alhouseen <[email protected]>
Date: Tue, 30 Jun 2026 23:18:08 +0200
> Queue wake, stop, and disable paths walk local->interfaces under RCU.
> The bulk hardware teardown path removes entries with list_del() and

The problematic part is list_del(), not unregister_netdevice().


> immediately unregisters their netdevices, so an asynchronous transmit

Not immediately; unregister_netdevice() waits for in-flight RCU readers.
So, synchronize_rcu() should be unnecessary.

(Same remark for ieee802154_if_remove())

> completion can follow a poisoned list node in ieee802154_wake_queue().
> 
> Match ieee802154_if_remove(): use list_del_rcu() and wait for existing
> readers before unregistering each interface.
> 
> Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
> Reported-by: [email protected]
> Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
> Cc: [email protected]
> Signed-off-by: Yousef Alhouseen <[email protected]>
> ---
>  net/mac802154/iface.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
> index 000be60d9580..73d82a015184 100644
> --- a/net/mac802154/iface.c
> +++ b/net/mac802154/iface.c
> @@ -703,7 +703,8 @@ void ieee802154_remove_interfaces(struct ieee802154_local 
> *local)
>  
>       mutex_lock(&local->iflist_mtx);
>       list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
> -             list_del(&sdata->list);
> +             list_del_rcu(&sdata->list);
> +             synchronize_rcu();
>  
>               unregister_netdevice(sdata->dev);
>       }
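
Review bot: the added synchronize_rcu() sits inside list_for_each_entry_safe() with local->iflist_mtx held, so teardown blocks for a full grace period once per interface while holding the mutex. The commit message does not say why this explicit wait is required between list_del_rcu() and unregister_netdevice(sdata->dev); given the remark above that unregister_netdevice() already waits for in-flight RCU readers, either drop the synchronize_rcu() line and keep only the list_del() to list_del_rcu() change, or add a short comment at that line naming the reader path that needs the extra grace period. The same justification should cover ieee802154_if_remove(), which the commit message cites as the pattern being matched.
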
> -- 
