* [PATCH net] mac802154: wait for RCU readers when removing interfaces
@ 2026-06-30 21:18 Yousef Alhouseen
2026-06-30 21:46 ` Kuniyuki Iwashima
2026-07-01 16:42 ` [PATCH net v2] mac802154: remove interfaces with RCU list deletion Yousef Alhouseen
0 siblings, 2 replies; 4+ messages in thread
From: Yousef Alhouseen @ 2026-06-30 21:18 UTC (permalink / raw)
To: Alexander Aring, Stefan Schmidt, Miquel Raynal
Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Marcel Holtmann, linux-wpan, netdev, linux-kernel,
stable, syzbot+36256deb69a588e9290e, Yousef Alhouseen
Queue wake, stop, and disable paths walk local->interfaces under RCU.
The bulk hardware teardown path removes entries with list_del() and
immediately unregisters their netdevices, so an asynchronous transmit
completion can follow a poisoned list node in ieee802154_wake_queue().
Match ieee802154_if_remove(): use list_del_rcu() and wait for existing
readers before unregistering each interface.
Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
Reported-by: syzbot+36256deb69a588e9290e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
net/mac802154/iface.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 000be60d9580..73d82a015184 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -703,7 +703,8 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
mutex_lock(&local->iflist_mtx);
list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
- list_del(&sdata->list);
+ list_del_rcu(&sdata->list);
+ synchronize_rcu();
unregister_netdevice(sdata->dev);
}
--
2.55.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH net] mac802154: wait for RCU readers when removing interfaces
2026-06-30 21:18 [PATCH net] mac802154: wait for RCU readers when removing interfaces Yousef Alhouseen
@ 2026-06-30 21:46 ` Kuniyuki Iwashima
2026-07-01 16:42 ` [PATCH net v2] mac802154: remove interfaces with RCU list deletion Yousef Alhouseen
1 sibling, 0 replies; 4+ messages in thread
From: Kuniyuki Iwashima @ 2026-06-30 21:46 UTC (permalink / raw)
To: alhouseenyousef
Cc: alex.aring, davem, edumazet, horms, kuba, linux-kernel,
linux-wpan, marcel, miquel.raynal, netdev, pabeni, stable, stefan,
syzbot+36256deb69a588e9290e
From: Yousef Alhouseen <alhouseenyousef@gmail.com>
Date: Tue, 30 Jun 2026 23:18:08 +0200
> Queue wake, stop, and disable paths walk local->interfaces under RCU.
> The bulk hardware teardown path removes entries with list_del() and
The problematic part is list_del(), not unregister_netdevice().
> immediately unregisters their netdevices, so an asynchronous transmit
not immediately, unregister_netdevice() waits inflight RCU readers.
So, synchronize_rcu() should be unnecessary.
(Same remark for ieee802154_if_remove())
> completion can follow a poisoned list node in ieee802154_wake_queue().
>
> Match ieee802154_if_remove(): use list_del_rcu() and wait for existing
> readers before unregistering each interface.
>
> Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
> Reported-by: syzbot+36256deb69a588e9290e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
> Cc: stable@vger.kernel.org
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
> ---
> net/mac802154/iface.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
> index 000be60d9580..73d82a015184 100644
> --- a/net/mac802154/iface.c
> +++ b/net/mac802154/iface.c
> @@ -703,7 +703,8 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
>
> mutex_lock(&local->iflist_mtx);
> list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
> - list_del(&sdata->list);
> + list_del_rcu(&sdata->list);
> + synchronize_rcu();
>
> unregister_netdevice(sdata->dev);
> }
> --
^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH net v2] mac802154: remove interfaces with RCU list deletion
2026-06-30 21:18 [PATCH net] mac802154: wait for RCU readers when removing interfaces Yousef Alhouseen
2026-06-30 21:46 ` Kuniyuki Iwashima
@ 2026-07-01 16:42 ` Yousef Alhouseen
2026-07-01 21:49 ` Kuniyuki Iwashima
1 sibling, 1 reply; 4+ messages in thread
From: Yousef Alhouseen @ 2026-07-01 16:42 UTC (permalink / raw)
To: alex.aring, stefan, miquel.raynal
Cc: davem, edumazet, kuba, pabeni, horms, marcel, kuniyu, linux-wpan,
netdev, linux-kernel, stable, syzbot+36256deb69a588e9290e,
Yousef Alhouseen
Queue wake, stop, and disable paths walk local->interfaces under RCU.
The bulk hardware teardown path removes entries with list_del(), so an
asynchronous transmit completion can follow a poisoned list node in
ieee802154_wake_queue().
Use list_del_rcu() as in the single-interface removal path. The following
unregister_netdevice() waits for in-flight RCU readers before freeing the
netdevice, so no separate grace-period wait is needed.
Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
Reported-by: syzbot+36256deb69a588e9290e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
Changes in v2:
- Drop the redundant synchronize_rcu() noted by Kuniyuki Iwashima.
- Clarify that unregister_netdevice() supplies the required RCU wait.
- Narrow the subject and commit message to the list deletion bug.
net/mac802154/iface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 000be60d9580..b823720630e7 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -703,7 +703,7 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
mutex_lock(&local->iflist_mtx);
list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
- list_del(&sdata->list);
+ list_del_rcu(&sdata->list);
unregister_netdevice(sdata->dev);
}
--
2.55.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH net v2] mac802154: remove interfaces with RCU list deletion
2026-07-01 16:42 ` [PATCH net v2] mac802154: remove interfaces with RCU list deletion Yousef Alhouseen
@ 2026-07-01 21:49 ` Kuniyuki Iwashima
0 siblings, 0 replies; 4+ messages in thread
From: Kuniyuki Iwashima @ 2026-07-01 21:49 UTC (permalink / raw)
To: Yousef Alhouseen
Cc: alex.aring, stefan, miquel.raynal, davem, edumazet, kuba, pabeni,
horms, marcel, linux-wpan, netdev, linux-kernel, stable,
syzbot+36256deb69a588e9290e
On Wed, Jul 1, 2026 at 9:42 AM Yousef Alhouseen
<alhouseenyousef@gmail.com> wrote:
>
> Queue wake, stop, and disable paths walk local->interfaces under RCU.
> The bulk hardware teardown path removes entries with list_del(), so an
> asynchronous transmit completion can follow a poisoned list node in
> ieee802154_wake_queue().
>
> Use list_del_rcu() as in the single-interface removal path. The following
> unregister_netdevice() waits for in-flight RCU readers before freeing the
> netdevice, so no separate grace-period wait is needed.
>
> Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
> Reported-by: syzbot+36256deb69a588e9290e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
> Cc: stable@vger.kernel.org
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-01 21:50 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30 21:18 [PATCH net] mac802154: wait for RCU readers when removing interfaces Yousef Alhouseen
2026-06-30 21:46 ` Kuniyuki Iwashima
2026-07-01 16:42 ` [PATCH net v2] mac802154: remove interfaces with RCU list deletion Yousef Alhouseen
2026-07-01 21:49 ` Kuniyuki Iwashima
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox