Netdev List
 help / color / mirror / Atom feed
* [PATCH net] mac802154: wait for RCU readers when removing interfaces
@ 2026-06-30 21:18 Yousef Alhouseen
  2026-06-30 21:46 ` Kuniyuki Iwashima
  2026-07-01 16:42 ` [PATCH net v2] mac802154: remove interfaces with RCU list deletion Yousef Alhouseen
  0 siblings, 2 replies; 4+ messages in thread
From: Yousef Alhouseen @ 2026-06-30 21:18 UTC (permalink / raw)
  To: Alexander Aring, Stefan Schmidt, Miquel Raynal
  Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Marcel Holtmann, linux-wpan, netdev, linux-kernel,
	stable, syzbot+36256deb69a588e9290e, Yousef Alhouseen

Queue wake, stop, and disable paths walk local->interfaces under RCU.
The bulk hardware teardown path removes entries with list_del() and
immediately unregisters their netdevices, so an asynchronous transmit
completion can follow a poisoned list node in ieee802154_wake_queue().

Match ieee802154_if_remove(): use list_del_rcu() and wait for existing
readers before unregistering each interface.

Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
Reported-by: syzbot+36256deb69a588e9290e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
 net/mac802154/iface.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 000be60d9580..73d82a015184 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -703,7 +703,8 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
 
 	mutex_lock(&local->iflist_mtx);
 	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
-		list_del(&sdata->list);
+		list_del_rcu(&sdata->list);
+		synchronize_rcu();
 
 		unregister_netdevice(sdata->dev);
 	}
-- 
2.55.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net] mac802154: wait for RCU readers when removing interfaces
  2026-06-30 21:18 [PATCH net] mac802154: wait for RCU readers when removing interfaces Yousef Alhouseen
@ 2026-06-30 21:46 ` Kuniyuki Iwashima
  2026-07-01 16:42 ` [PATCH net v2] mac802154: remove interfaces with RCU list deletion Yousef Alhouseen
  1 sibling, 0 replies; 4+ messages in thread
From: Kuniyuki Iwashima @ 2026-06-30 21:46 UTC (permalink / raw)
  To: alhouseenyousef
  Cc: alex.aring, davem, edumazet, horms, kuba, linux-kernel,
	linux-wpan, marcel, miquel.raynal, netdev, pabeni, stable, stefan,
	syzbot+36256deb69a588e9290e

From: Yousef Alhouseen <alhouseenyousef@gmail.com>
Date: Tue, 30 Jun 2026 23:18:08 +0200
> Queue wake, stop, and disable paths walk local->interfaces under RCU.
> The bulk hardware teardown path removes entries with list_del() and

The problematic part is list_del(), not unregister_netdevice().


> immediately unregisters their netdevices, so an asynchronous transmit

not immediately, unregister_netdevice() waits inflight RCU readers.
So, synchronize_rcu() should be unnecessary.

(Same remark for ieee802154_if_remove())

> completion can follow a poisoned list node in ieee802154_wake_queue().
> 
> Match ieee802154_if_remove(): use list_del_rcu() and wait for existing
> readers before unregistering each interface.
> 
> Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
> Reported-by: syzbot+36256deb69a588e9290e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
> Cc: stable@vger.kernel.org
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
> ---
>  net/mac802154/iface.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
> index 000be60d9580..73d82a015184 100644
> --- a/net/mac802154/iface.c
> +++ b/net/mac802154/iface.c
> @@ -703,7 +703,8 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
>  
>  	mutex_lock(&local->iflist_mtx);
>  	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
> -		list_del(&sdata->list);
> +		list_del_rcu(&sdata->list);
> +		synchronize_rcu();
>  
>  		unregister_netdevice(sdata->dev);
>  	}
> -- 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH net v2] mac802154: remove interfaces with RCU list deletion
  2026-06-30 21:18 [PATCH net] mac802154: wait for RCU readers when removing interfaces Yousef Alhouseen
  2026-06-30 21:46 ` Kuniyuki Iwashima
@ 2026-07-01 16:42 ` Yousef Alhouseen
  2026-07-01 21:49   ` Kuniyuki Iwashima
  1 sibling, 1 reply; 4+ messages in thread
From: Yousef Alhouseen @ 2026-07-01 16:42 UTC (permalink / raw)
  To: alex.aring, stefan, miquel.raynal
  Cc: davem, edumazet, kuba, pabeni, horms, marcel, kuniyu, linux-wpan,
	netdev, linux-kernel, stable, syzbot+36256deb69a588e9290e,
	Yousef Alhouseen

Queue wake, stop, and disable paths walk local->interfaces under RCU.
The bulk hardware teardown path removes entries with list_del(), so an
asynchronous transmit completion can follow a poisoned list node in
ieee802154_wake_queue().

Use list_del_rcu() as in the single-interface removal path. The following
unregister_netdevice() waits for in-flight RCU readers before freeing the
netdevice, so no separate grace-period wait is needed.

Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
Reported-by: syzbot+36256deb69a588e9290e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
Changes in v2:
- Drop the redundant synchronize_rcu() noted by Kuniyuki Iwashima.
- Clarify that unregister_netdevice() supplies the required RCU wait.
- Narrow the subject and commit message to the list deletion bug.

 net/mac802154/iface.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 000be60d9580..b823720630e7 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -703,7 +703,7 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
 
 	mutex_lock(&local->iflist_mtx);
 	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
-		list_del(&sdata->list);
+		list_del_rcu(&sdata->list);
 
 		unregister_netdevice(sdata->dev);
 	}
-- 
2.55.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net v2] mac802154: remove interfaces with RCU list deletion
  2026-07-01 16:42 ` [PATCH net v2] mac802154: remove interfaces with RCU list deletion Yousef Alhouseen
@ 2026-07-01 21:49   ` Kuniyuki Iwashima
  0 siblings, 0 replies; 4+ messages in thread
From: Kuniyuki Iwashima @ 2026-07-01 21:49 UTC (permalink / raw)
  To: Yousef Alhouseen
  Cc: alex.aring, stefan, miquel.raynal, davem, edumazet, kuba, pabeni,
	horms, marcel, linux-wpan, netdev, linux-kernel, stable,
	syzbot+36256deb69a588e9290e

On Wed, Jul 1, 2026 at 9:42 AM Yousef Alhouseen
<alhouseenyousef@gmail.com> wrote:
>
> Queue wake, stop, and disable paths walk local->interfaces under RCU.
> The bulk hardware teardown path removes entries with list_del(), so an
> asynchronous transmit completion can follow a poisoned list node in
> ieee802154_wake_queue().
>
> Use list_del_rcu() as in the single-interface removal path. The following
> unregister_netdevice() waits for in-flight RCU readers before freeing the
> netdevice, so no separate grace-period wait is needed.
>
> Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
> Reported-by: syzbot+36256deb69a588e9290e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
> Cc: stable@vger.kernel.org
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>

Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-01 21:50 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30 21:18 [PATCH net] mac802154: wait for RCU readers when removing interfaces Yousef Alhouseen
2026-06-30 21:46 ` Kuniyuki Iwashima
2026-07-01 16:42 ` [PATCH net v2] mac802154: remove interfaces with RCU list deletion Yousef Alhouseen
2026-07-01 21:49   ` Kuniyuki Iwashima

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox