Queue wake, stop, and disable paths walk local->interfaces under RCU.
The bulk hardware teardown path removes entries with list_del() and
immediately unregisters their netdevices, so an asynchronous transmit
completion can follow a poisoned list node in ieee802154_wake_queue().

Match ieee802154_if_remove(): use list_del_rcu() and wait for existing
readers before unregistering each interface.

Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
Cc: [email protected]
Signed-off-by: Yousef Alhouseen <[email protected]>
---
 net/mac802154/iface.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 000be60d9580..73d82a015184 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -703,7 +703,8 @@ void ieee802154_remove_interfaces(struct ieee802154_local 
*local)
 
        mutex_lock(&local->iflist_mtx);
        list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
-               list_del(&sdata->list);
+               list_del_rcu(&sdata->list);
+               synchronize_rcu();
 
                unregister_netdevice(sdata->dev);
        }
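Review bot: synchronize_rcu() inside the list_for_each_entry_safe() loop pays a full grace period per interface, and it runs with local->iflist_mtx held (and, for this teardown path, under RTNL). That is correct and mirrors ieee802154_if_remove() as the commit message says, but for a device with several interfaces it serialises the teardown behind N grace periods. Consider unlinking all entries with list_del_rcu() in a first pass, calling synchronize_rcu() once after the loop, and only then walking the removed entries to call unregister_netdevice(); that keeps the single wake/stop-path reader guarantee with one grace period. If the per-entry form is kept deliberately for consistency with ieee802154_if_remove(), a one-line comment above synchronize_rcu() saying why readers must be drained before unregister_netdevice() would help the next reader of this loop.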
-- 
2.55.0
