Thread: 9 messages, 4 authors, 2026-03-30

RE: [PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal

From: "Korenblit, Miriam Rachel" <miriam.rachel.korenblit@intel.com>
Date: 2026-02-09 08:32:09
Also in: linux-wireless, lkml, stable

-----Original Message-----
From: Cao, Junjie <redacted>
Sent: Thursday, January 15, 2026 6:15 PM
To: Korenblit, Miriam Rachel <miriam.rachel.korenblit@intel.com>; Berg,
Johannes [off-list ref]; linux-wireless@vger.kernel.org; Richard
Cochran [off-list ref]
Cc: Simon Horman <horms@kernel.org>; netdev@vger.kernel.org;
linux-kernel@vger.kernel.org; Ben Shimol, Yedidya [off-list ref];
Stern, Avraham [off-list ref]; Gabay, Daniel
[off-list ref]; Prabhu, Krishnanand
[off-list ref]; Coelho, Luciano [off-list ref];
Gregory Greenman [off-list ref]; stable@vger.kernel.org
Subject: [PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal

iwl_mvm_ptp_remove() and iwl_mld_ptp_remove() call
cancel_delayed_work_sync() only after ptp_clock_unregister() and after partially
clearing ptp_data state.

This creates a race where the delayed work (iwl_mvm_ptp_work /
iwl_mld_ptp_work) can run while teardown is in progress and observe a partially
modified PTP state. In addition, the work may re-arm itself, extending the
teardown window and risking execution after driver resources have been
released.
Not sure I understand how the fact that the work re-arms itself is related/makes the bug worse?
Move cancel_delayed_work_sync() before ptp_clock_unregister() to ensure the
delayed work is fully stopped before any PTP cleanup begins. This follows the
standard pattern used by other Intel PTP drivers such as e1000e, igb, ixgbe, and
ice.

Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
Fixes: 1595ecce1cf3 ("wifi: iwlwifi: mvm: add support for PTP HW clock (PHC)")
Cc: stable@vger.kernel.org
Signed-off-by: Junjie Cao <redacted>
---
 drivers/net/wireless/intel/iwlwifi/mld/ptp.c | 2 +-
drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
index 231920425c06..b40182320801 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
@@ -319,10 +319,10 @@ void iwl_mld_ptp_remove(struct iwl_mld *mld)
 			       mld->ptp_data.ptp_clock_info.name,
 			       ptp_clock_index(mld->ptp_data.ptp_clock));

+		cancel_delayed_work_sync(&mld->ptp_data.dwork);
 		ptp_clock_unregister(mld->ptp_data.ptp_clock);
 		mld->ptp_data.ptp_clock = NULL;
 		mld->ptp_data.last_gp2 = 0;
 		mld->ptp_data.wrap_counter = 0;
-		cancel_delayed_work_sync(&mld->ptp_data.dwork);
 	}
 }
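Review bot: the changelog's self re-arm argument does not explain why the cancel at the end of iwl_mld_ptp_remove() was insufficient, since cancel_delayed_work_sync() already waits for a running instance and keeps the work item from re-queueing itself while the cancel is in progress. What the new position at the top of the block has to guarantee is that nothing else can queue mld->ptp_data.dwork between the cancel and ptp_clock_unregister(), because the clock is still registered at that point. Please state in the commit message whether any such path exists; if one does, it needs to be closed or the cancel repeated after the unregister.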
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
index 1da6260e238c..2b01ca36a1b5 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
@@ -325,11 +325,11 @@ void iwl_mvm_ptp_remove(struct iwl_mvm *mvm)
 			       mvm->ptp_data.ptp_clock_info.name,
 			       ptp_clock_index(mvm->ptp_data.ptp_clock));

+		cancel_delayed_work_sync(&mvm->ptp_data.dwork);
 		ptp_clock_unregister(mvm->ptp_data.ptp_clock);
 		mvm->ptp_data.ptp_clock = NULL;
 		memset(&mvm->ptp_data.ptp_clock_info, 0,
 		       sizeof(mvm->ptp_data.ptp_clock_info));
 		mvm->ptp_data.last_gp2 = 0;
-		cancel_delayed_work_sync(&mvm->ptp_data.dwork);
 	}
 }
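Review bot: the new cancel_delayed_work_sync(&mvm->ptp_data.dwork) line at the top of the teardown block carries no comment saying that its position matters, and the old placement after the last_gp2 reset shows how easily the order can drift. A one-line comment above it, stating that the work must be stopped before ptp_clock_unregister() and before the memset() of ptp_clock_info, would keep a later cleanup from moving it back. The same comment would help in the mld hunk.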
--
2.43.0
  