On Wed, Jul 1, 2026 at 9:42 AM Yousef Alhouseen <[email protected]> wrote: > > Queue wake, stop, and disable paths walk local->interfaces under RCU. > The bulk hardware teardown path removes entries with list_del(), so an > asynchronous transmit completion can follow a poisoned list node in > ieee802154_wake_queue(). > > Use list_del_rcu() as in the single-interface removal path. The following > unregister_netdevice() waits for in-flight RCU readers before freeing the > netdevice, so no separate grace-period wait is needed. > > Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface") > Reported-by: [email protected] > Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e > Cc: [email protected] > Signed-off-by: Yousef Alhouseen <[email protected]>
Reviewed-by: Kuniyuki Iwashima <[email protected]>

