On Wed, Jul 1, 2026 at 9:42 AM Yousef Alhouseen
<[email protected]> wrote:
>
> Queue wake, stop, and disable paths walk local->interfaces under RCU.
> The bulk hardware teardown path removes entries with list_del(), so an
> asynchronous transmit completion can follow a poisoned list node in
> ieee802154_wake_queue().
>
> Use list_del_rcu() as in the single-interface removal path. The following
> unregister_netdevice() waits for in-flight RCU readers before freeing the
> netdevice, so no separate grace-period wait is needed.
>
> Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
> Reported-by: [email protected]
> Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
> Cc: [email protected]
> Signed-off-by: Yousef Alhouseen <[email protected]>

Reviewed-by: Kuniyuki Iwashima <[email protected]>
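
Added example, not part of the patch or of either participant's message: a userspace C model of the list_del() versus list_del_rcu() difference the quoted commit message describes, seen by a reader that is still standing on a removed entry. The `model_*` helpers, `reader_continue()` and `scenario()` are hypothetical names, and the poison constants are stand-ins for the kernel's LIST_POISON1/LIST_POISON2.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the kernel list primitives (constructed for illustration). */
struct list_head { struct list_head *next, *prev; };
#define POISON1 ((struct list_head *)(uintptr_t)0x100) /* stand-in for LIST_POISON1 */
#define POISON2 ((struct list_head *)(uintptr_t)0x122) /* stand-in for LIST_POISON2 */

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void unlink_entry(struct list_head *e) {
    e->next->prev = e->prev; e->prev->next = e->next;
}
/* list_del(): unlink, then poison BOTH pointers of the removed entry. */
static void model_list_del(struct list_head *e) {
    unlink_entry(e); e->next = POISON1; e->prev = POISON2;
}
/* list_del_rcu(): unlink, poison only prev; next stays valid for readers. */
static void model_list_del_rcu(struct list_head *e) {
    unlink_entry(e); e->prev = POISON2;
}
/* A reader already positioned on `pos` resumes its forward walk.
 * Returns the number of further entries visited, or -1 if the next step
 * would dereference the poison value (an oops in the kernel). */
static int reader_continue(struct list_head *pos, struct list_head *head) {
    int n = 0;
    for (pos = pos->next; pos != head; pos = pos->next) {
        if (pos == POISON1) return -1;
        n++;
    }
    return n;
}
/* Three interfaces a, b, c; the reader is on b while teardown removes all. */
int scenario(int use_rcu) {
    struct list_head head, a, b, c, *v[3] = { &a, &b, &c };
    list_init(&head);
    for (int i = 0; i < 3; i++) list_add_tail(v[i], &head);
    for (int i = 0; i < 3; i++) {
        if (use_rcu) model_list_del_rcu(v[i]); else model_list_del(v[i]);
    }
    return reader_continue(&b, &head);
}
int main(void) {
    printf("list_del: %d, list_del_rcu: %d\n", scenario(0), scenario(1));
    return 0;
}
```

The model covers only pointer state; in the kernel the removed entry must also stay allocated until in-flight readers finish, which the commit message attributes to the following unregister_netdevice().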
