* Re: [PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal
2026-01-15 16:15 [PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal Junjie Cao
@ 2026-01-19 17:29 ` Simon Horman
2026-01-19 21:32 ` Vadim Fedorenko
2026-02-09 8:32 ` Korenblit, Miriam Rachel
2 siblings, 0 replies; 7+ messages in thread
From: Simon Horman @ 2026-01-19 17:29 UTC (permalink / raw)
To: Junjie Cao
Cc: Miri Korenblit, Johannes Berg, linux-wireless, Richard Cochran,
netdev, linux-kernel, Yedidya Benshimol, Avraham Stern,
Daniel Gabay, Krishnanand Prabhu, Luca Coelho, Gregory Greenman,
stable, Yao Zi, Benjamin Berg
+ Yao Zi and Benjamin Berg
On Fri, Jan 16, 2026 at 12:15:29AM +0800, Junjie Cao wrote:
> iwl_mvm_ptp_remove() and iwl_mld_ptp_remove() call
> cancel_delayed_work_sync() only after ptp_clock_unregister() and after
> partially clearing ptp_data state.
>
> This creates a race where the delayed work (iwl_mvm_ptp_work /
> iwl_mld_ptp_work) can run while teardown is in progress and observe a
> partially modified PTP state. In addition, the work may re-arm itself,
> extending the teardown window and risking execution after driver
> resources have been released.
>
> Move cancel_delayed_work_sync() before ptp_clock_unregister() to ensure
> the delayed work is fully stopped before any PTP cleanup begins. This
> follows the standard pattern used by other Intel PTP drivers such as
> e1000e, igb, ixgbe, and ice.
>
> Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
> Fixes: 1595ecce1cf3 ("wifi: iwlwifi: mvm: add support for PTP HW clock (PHC)")
> Cc: stable@vger.kernel.org
> Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Thinking out loud: The two cited commits were introduced in
the same upstream release - v6.4 - so from a backporting PoV
it seems reasonable to address these issues in one patch.
Though I do think it would be best to think of these
as two things and thus warranting two patches.
That notwithstanding, the changes look good to me.
Reviewed-by: Simon Horman <horms@kernel.org>
Context left intact below for the benefit of Yao Zi and Benjamin Berg.
> ---
> drivers/net/wireless/intel/iwlwifi/mld/ptp.c | 2 +-
> drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
> index 231920425c06..b40182320801 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
> @@ -319,10 +319,10 @@ void iwl_mld_ptp_remove(struct iwl_mld *mld)
> mld->ptp_data.ptp_clock_info.name,
> ptp_clock_index(mld->ptp_data.ptp_clock));
>
> + cancel_delayed_work_sync(&mld->ptp_data.dwork);
> ptp_clock_unregister(mld->ptp_data.ptp_clock);
> mld->ptp_data.ptp_clock = NULL;
> mld->ptp_data.last_gp2 = 0;
> mld->ptp_data.wrap_counter = 0;
> - cancel_delayed_work_sync(&mld->ptp_data.dwork);
> }
> }
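Review bot: The moved cancel_delayed_work_sync(&mld->ptp_data.dwork) still sits inside the inner block closed by the first `}`, so the work is only cancelled when that block's condition (not visible in this hunk) holds. Please confirm dwork can never be queued on the path where the block is skipped; if it can, hoist the cancel above the block so teardown always stops the work.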
> diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> index 1da6260e238c..2b01ca36a1b5 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> @@ -325,11 +325,11 @@ void iwl_mvm_ptp_remove(struct iwl_mvm *mvm)
> mvm->ptp_data.ptp_clock_info.name,
> ptp_clock_index(mvm->ptp_data.ptp_clock));
>
> + cancel_delayed_work_sync(&mvm->ptp_data.dwork);
> ptp_clock_unregister(mvm->ptp_data.ptp_clock);
> mvm->ptp_data.ptp_clock = NULL;
> memset(&mvm->ptp_data.ptp_clock_info, 0,
> sizeof(mvm->ptp_data.ptp_clock_info));
> mvm->ptp_data.last_gp2 = 0;
> - cancel_delayed_work_sync(&mvm->ptp_data.dwork);
> }
> }
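Review bot: Between the new cancel_delayed_work_sync(&mvm->ptp_data.dwork) and ptp_clock_unregister() the clock is still registered, so anything that reaches the driver through it can still run in that gap. If any such path queues dwork again, the work is pending once more when ptp_clock is set to NULL and ptp_clock_info is zeroed. Please state in the commit message that nothing re-queues the work at this point, or close the gap explicitly.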
> --
> 2.43.0
>
* Re: [PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal
From: Vadim Fedorenko @ 2026-01-19 21:32 UTC (permalink / raw)
To: Junjie Cao, Miri Korenblit, Johannes Berg, linux-wireless,
Richard Cochran
Cc: Simon Horman, netdev, linux-kernel, Yedidya Benshimol,
Avraham Stern, Daniel Gabay, Krishnanand Prabhu, Luca Coelho,
Gregory Greenman, stable
On 15/01/2026 16:15, Junjie Cao wrote:
> iwl_mvm_ptp_remove() and iwl_mld_ptp_remove() call
> cancel_delayed_work_sync() only after ptp_clock_unregister() and after
> partially clearing ptp_data state.
>
> This creates a race where the delayed work (iwl_mvm_ptp_work /
> iwl_mld_ptp_work) can run while teardown is in progress and observe a
> partially modified PTP state. In addition, the work may re-arm itself,
> extending the teardown window and risking execution after driver
> resources have been released.
>
> Move cancel_delayed_work_sync() before ptp_clock_unregister() to ensure
> the delayed work is fully stopped before any PTP cleanup begins. This
> follows the standard pattern used by other Intel PTP drivers such as
> e1000e, igb, ixgbe, and ice.
>
> Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
> Fixes: 1595ecce1cf3 ("wifi: iwlwifi: mvm: add support for PTP HW clock (PHC)")
> Cc: stable@vger.kernel.org
> Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
* RE: [PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal
From: Korenblit, Miriam Rachel @ 2026-02-09 8:32 UTC (permalink / raw)
To: Cao, Junjie, Berg, Johannes, linux-wireless@vger.kernel.org,
Richard Cochran
Cc: Simon Horman, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, Ben Shimol, Yedidya, Stern, Avraham,
Gabay, Daniel, Prabhu, Krishnanand, Coelho, Luciano,
Gregory Greenman, stable@vger.kernel.org
> -----Original Message-----
> From: Cao, Junjie <junjie.cao@intel.com>
> Sent: Thursday, January 15, 2026 6:15 PM
> To: Korenblit, Miriam Rachel <miriam.rachel.korenblit@intel.com>; Berg,
> Johannes <johannes.berg@intel.com>; linux-wireless@vger.kernel.org; Richard
> Cochran <richardcochran@gmail.com>
> Cc: Simon Horman <horms@kernel.org>; netdev@vger.kernel.org; linux-
> kernel@vger.kernel.org; Ben Shimol, Yedidya <yedidya.ben.shimol@intel.com>;
> Stern, Avraham <avraham.stern@intel.com>; Gabay, Daniel
> <daniel.gabay@intel.com>; Prabhu, Krishnanand
> <krishnanand.prabhu@intel.com>; Coelho, Luciano <luciano.coelho@intel.com>;
> Gregory Greenman <gregory.greenman@intel.com>; stable@vger.kernel.org
> Subject: [PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal
>
> iwl_mvm_ptp_remove() and iwl_mld_ptp_remove() call
> cancel_delayed_work_sync() only after ptp_clock_unregister() and after partially
> clearing ptp_data state.
>
> This creates a race where the delayed work (iwl_mvm_ptp_work /
> iwl_mld_ptp_work) can run while teardown is in progress and observe a partially
> modified PTP state. In addition, the work may re-arm itself, extending the
> teardown window and risking execution after driver resources have been
> released.
Not sure I understand how the fact that the work re-arms itself is related/makes the bug worse?
>
> Move cancel_delayed_work_sync() before ptp_clock_unregister() to ensure the
> delayed work is fully stopped before any PTP cleanup begins. This follows the
> standard pattern used by other Intel PTP drivers such as e1000e, igb, ixgbe, and
> ice.
>
> Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
> Fixes: 1595ecce1cf3 ("wifi: iwlwifi: mvm: add support for PTP HW clock (PHC)")
> Cc: stable@vger.kernel.org
> Signed-off-by: Junjie Cao <junjie.cao@intel.com>
> ---
> drivers/net/wireless/intel/iwlwifi/mld/ptp.c | 2 +-
> drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
> b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
> index 231920425c06..b40182320801 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
> @@ -319,10 +319,10 @@ void iwl_mld_ptp_remove(struct iwl_mld *mld)
> mld->ptp_data.ptp_clock_info.name,
> ptp_clock_index(mld->ptp_data.ptp_clock));
>
> + cancel_delayed_work_sync(&mld->ptp_data.dwork);
> ptp_clock_unregister(mld->ptp_data.ptp_clock);
> mld->ptp_data.ptp_clock = NULL;
> mld->ptp_data.last_gp2 = 0;
> mld->ptp_data.wrap_counter = 0;
> - cancel_delayed_work_sync(&mld->ptp_data.dwork);
> }
> }
> diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> index 1da6260e238c..2b01ca36a1b5 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> @@ -325,11 +325,11 @@ void iwl_mvm_ptp_remove(struct iwl_mvm *mvm)
> mvm->ptp_data.ptp_clock_info.name,
> ptp_clock_index(mvm->ptp_data.ptp_clock));
>
> + cancel_delayed_work_sync(&mvm->ptp_data.dwork);
> ptp_clock_unregister(mvm->ptp_data.ptp_clock);
> mvm->ptp_data.ptp_clock = NULL;
> memset(&mvm->ptp_data.ptp_clock_info, 0,
> sizeof(mvm->ptp_data.ptp_clock_info));
> mvm->ptp_data.last_gp2 = 0;
> - cancel_delayed_work_sync(&mvm->ptp_data.dwork);
> }
> }
> --
> 2.43.0
* Re: [PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal
From: Junjie Cao @ 2026-02-12 10:24 UTC (permalink / raw)
To: miriam.rachel.korenblit, johannes.berg, linux-wireless,
richardcochran
Cc: horms, netdev, linux-kernel, yedidya.ben.shimol, avraham.stern,
daniel.gabay, krishnanand.prabhu, luciano.coelho,
gregory.greenman, stable
Hi Miri,
You're right -- cancel_delayed_work_sync() handles re-arming by design,
and the work is scheduled with a 1-hour delay (IWL_PTP_WRAP_TIME =
3600 * HZ), so it cannot realistically fire again during the
microsecond-scale teardown window.
The real issue is simply that the delayed work can execute between
ptp_clock_unregister() and cancel_delayed_work_sync(), observing
partially cleared PTP state.
I'll send a v2 with a corrected commit message, and also split the
patch into two (one per sub-driver) as Simon suggested.
Thanks for the review!
Junjie
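The ordering problem described in the reply above, as an added userspace model (not code from this thread or from the iwlwifi driver): it walks every point at which still-queued work could fire during teardown and counts those where it would see partially cleared state. The struct, the step names and the treatment of each teardown step as atomic are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: field names follow the mld hunk, nothing here is driver code. */
struct ptp_model {
	bool registered;	/* false once the ptp_clock_unregister() step has run */
	void *ptp_clock;
	unsigned int last_gp2, wrap_counter;
	bool work_pending;	/* false once the cancel_delayed_work_sync() step has run */
};

enum step { CANCEL, UNREGISTER, CLEAR_CLOCK, CLEAR_GP2, CLEAR_WRAP, NSTEPS };
static const enum step before_fix[NSTEPS] = { UNREGISTER, CLEAR_CLOCK, CLEAR_GP2, CLEAR_WRAP, CANCEL };
static const enum step after_fix[NSTEPS] = { CANCEL, UNREGISTER, CLEAR_CLOCK, CLEAR_GP2, CLEAR_WRAP };

static void apply(struct ptp_model *p, enum step s)
{
	switch (s) {
	case CANCEL:      p->work_pending = false; break;
	case UNREGISTER:  p->registered = false;   break;
	case CLEAR_CLOCK: p->ptp_clock = NULL;     break;
	case CLEAR_GP2:   p->last_gp2 = 0;         break;
	case CLEAR_WRAP:  p->wrap_counter = 0;     break;
	default: break;
	}
}

/* Count the points in the teardown at which still-pending work would see torn state. */
static int torn_windows(const enum step order[NSTEPS])
{
	static int dummy_clock;	/* constructed stand-in for a registered clock */
	int torn = 0;

	for (int fire_at = 0; fire_at <= NSTEPS; fire_at++) {
		struct ptp_model p = { true, &dummy_clock, 1234, 1, true };
		for (int i = 0; i < fire_at; i++)
			apply(&p, order[i]);
		if (p.work_pending &&
		    !(p.registered && p.ptp_clock && p.last_gp2 && p.wrap_counter))
			torn++;
	}
	return torn;
}

int main(void)
{
	printf("torn windows: before fix %d, after fix %d\n", torn_windows(before_fix), torn_windows(after_fix));
	return 0;
}
```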
* [PATCH v2 1/2] wifi: iwlwifi: mvm: fix race condition in PTP removal
From: Junjie Cao @ 2026-02-12 12:50 UTC (permalink / raw)
To: miriam.rachel.korenblit, johannes.berg, linux-wireless,
richardcochran
Cc: horms, netdev, linux-kernel, yedidya.ben.shimol, avraham.stern,
daniel.gabay, krishnanand.prabhu, luciano.coelho,
gregory.greenman, stable, Junjie Cao, Vadim Fedorenko
iwl_mvm_ptp_remove() calls cancel_delayed_work_sync() only after
ptp_clock_unregister() and clearing ptp_data state (ptp_clock,
ptp_clock_info, last_gp2).
This creates a race where the delayed work iwl_mvm_ptp_work() can
execute between ptp_clock_unregister() and cancel_delayed_work_sync(),
observing partially cleared PTP state.
Move cancel_delayed_work_sync() before ptp_clock_unregister() to
ensure the delayed work is fully stopped before any PTP cleanup
begins.
Fixes: 1595ecce1cf3 ("wifi: iwlwifi: mvm: add support for PTP HW clock (PHC)")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
---
drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
index ad156b82eaa9..efb291ceb0e5 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
@@ -323,11 +323,11 @@ void iwl_mvm_ptp_remove(struct iwl_mvm *mvm)
mvm->ptp_data.ptp_clock_info.name,
ptp_clock_index(mvm->ptp_data.ptp_clock));
+ cancel_delayed_work_sync(&mvm->ptp_data.dwork);
ptp_clock_unregister(mvm->ptp_data.ptp_clock);
mvm->ptp_data.ptp_clock = NULL;
memset(&mvm->ptp_data.ptp_clock_info, 0,
sizeof(mvm->ptp_data.ptp_clock_info));
mvm->ptp_data.last_gp2 = 0;
- cancel_delayed_work_sync(&mvm->ptp_data.dwork);
}
}
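Review bot: The resets that follow ptp_clock_unregister() cover ptp_clock, ptp_clock_info and last_gp2 but no wrap counter, whereas the mld hunk in this series also clears wrap_counter. If mvm keeps an equivalent counter in ptp_data, is leaving it untouched intentional? If so, a short comment saying why would help; if not, it belongs with the other resets.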
--
2.48.1
* [PATCH v2 2/2] wifi: iwlwifi: mld: fix race condition in PTP removal
From: Junjie Cao @ 2026-02-12 12:50 UTC (permalink / raw)
To: miriam.rachel.korenblit, johannes.berg, linux-wireless,
richardcochran
Cc: horms, netdev, linux-kernel, yedidya.ben.shimol, avraham.stern,
daniel.gabay, krishnanand.prabhu, luciano.coelho,
gregory.greenman, stable, Junjie Cao, Vadim Fedorenko
iwl_mld_ptp_remove() calls cancel_delayed_work_sync() only after
ptp_clock_unregister() and clearing ptp_data state (ptp_clock,
last_gp2, wrap_counter).
This creates a race where the delayed work iwl_mld_ptp_work() can
execute between ptp_clock_unregister() and cancel_delayed_work_sync(),
observing partially cleared PTP state.
Move cancel_delayed_work_sync() before ptp_clock_unregister() to
ensure the delayed work is fully stopped before any PTP cleanup
begins.
Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
---
drivers/net/wireless/intel/iwlwifi/mld/ptp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
index 231920425c06..b40182320801 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
@@ -319,10 +319,10 @@ void iwl_mld_ptp_remove(struct iwl_mld *mld)
mld->ptp_data.ptp_clock_info.name,
ptp_clock_index(mld->ptp_data.ptp_clock));
+ cancel_delayed_work_sync(&mld->ptp_data.dwork);
ptp_clock_unregister(mld->ptp_data.ptp_clock);
mld->ptp_data.ptp_clock = NULL;
mld->ptp_data.last_gp2 = 0;
mld->ptp_data.wrap_counter = 0;
- cancel_delayed_work_sync(&mld->ptp_data.dwork);
}
}
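Review bot: The `+` line carries an ordering requirement that nothing in the code records: cancel_delayed_work_sync() has to stay ahead of ptp_clock_unregister() and the field resets below it. A one-line comment above the call, for example `/* stop the work before tearing down the state it reads */`, would keep a later cleanup from moving it back to the end of the block.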
--
2.48.1