Hello,
> Queue wake, stop, and disable paths walk local->interfaces under RCU.
> The bulk hardware teardown path removes entries with list_del(), so an
> asynchronous transmit completion can follow a poisoned list node in
> ieee802154_wake_queue().
>
> Use list_del_rcu() as in the single-interface removal path. The following
> unregister_netdevice() waits for in-flight RCU readers before freeing the
> netdevice, so no separate grace-period wait is needed.
>
> Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
> Reported-by: [email protected]
> Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
> Cc: [email protected]
> Signed-off-by: Yousef Alhouseen <[email protected]>

FWIU, looks correct.

Reviewed-by: Miquel Raynal <[email protected]>

Thanks,
Miquèl
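
The difference between the two removal helpers that the quoted commit message relies on, as an added example that is not part of the patch or of the kernel sources. It is a single-threaded userspace model: the `model_*` helpers, `resume_walk()` and `scenario()` are hypothetical names, the poison constants stand in for `LIST_POISON1`/`LIST_POISON2`, and the grace-period wait before freeing is not modelled.

```c
#include <stddef.h>

/* Userspace model of the kernel list helpers; simplified, not kernel code. */
struct list_head { struct list_head *next, *prev; };
#define POISON1 ((struct list_head *)0x100)  /* stands in for LIST_POISON1 */
#define POISON2 ((struct list_head *)0x122)  /* stands in for LIST_POISON2 */

static void list_add_tail(struct list_head *n, struct list_head *head) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}
static void unlink_entry(struct list_head *e) {
    e->next->prev = e->prev; e->prev->next = e->next;
}
/* Models list_del(): both pointers are poisoned after unlinking. */
static void model_list_del(struct list_head *e) {
    unlink_entry(e); e->next = POISON1; e->prev = POISON2;
}
/* Models list_del_rcu(): ->next is kept so a reader on the node can move on. */
static void model_list_del_rcu(struct list_head *e) {
    unlink_entry(e); e->prev = POISON2;
}

/* A reader that was paused on `pos` resumes its walk. Returns the number of
 * nodes visited after pos, or -1 if it would have to follow a poisoned
 * pointer (in the kernel that is a fault, here it is only detected). */
static int resume_walk(struct list_head *pos, struct list_head *head) {
    int seen = 0;
    for (pos = pos->next; pos != head; pos = pos->next) {
        if (pos == POISON1) return -1;
        seen++;
    }
    return seen;
}

/* Build head -> a -> b -> c, remove b while a reader sits on it, resume. */
static int scenario(int use_rcu) {
    struct list_head head = { &head, &head }, a, b, c;
    list_add_tail(&a, &head);
    list_add_tail(&b, &head);
    list_add_tail(&c, &head);
    if (use_rcu) model_list_del_rcu(&b); else model_list_del(&b);
    return resume_walk(&b, &head);
}

int main(void) { return (scenario(0) == -1 && scenario(1) == 1) ? 0 : 1; }
```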