From: Jacob Keller <jacob.e.keller@intel.com>
To: Przemek Kitszel <przemyslaw.kitszel@intel.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Piotr Kwapulinski <piotr.kwapulinski@intel.com>,
Aleksandr Loktionov <aleksandr.loktionov@intel.com>,
Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>,
Maciej Fijalkowski <maciej.fijalkowski@intel.com>,
Michal Kubiak <michal.kubiak@intel.com>,
Joshua Hay <joshua.a.hay@intel.com>,
Madhu Chittim <madhu.chittim@intel.com>,
Willem de Bruijn <willemb@google.com>,
Dave Ertman <david.m.ertman@intel.com>,
Ivan Vecera <ivecera@redhat.com>,
Grzegorz Nitka <grzegorz.nitka@intel.com>
Cc: <netdev@vger.kernel.org>, <stable@vger.kernel.org>,
Matt Vollrath <tactii@gmail.com>,
Sunitha Mekala <sunithax.d.mekala@intel.com>
Subject: Re: [PATCH net 01/13] i40e: Cleanup PTP registration on probe failure
Date: Wed, 6 May 2026 13:24:44 -0700 [thread overview]
Message-ID: <30de916a-2f74-4f8f-8054-2f2037831bfa@intel.com> (raw)
In-Reply-To: <20260504-jk-iwl-net-2026-05-04-v1-1-a222a88bd962@intel.com>
On 5/4/2026 10:14 PM, Jacob Keller wrote:
> From: Matt Vollrath <tactii@gmail.com>
>
> Fix two conditions which would leak PTP registration on probe failure:
>
> 1. i40e_setup_pf_switch can encounter an error in
> i40e_setup_pf_filter_control, call i40e_ptp_init, then return
> non-zero, sending i40e_probe to err_vsis.
>
> 2. i40e_setup_misc_vector can return non-zero, sending i40e_probe to
> err_vsis.
>
> Both of these conditions have been present since PTP was introduced in
> this driver.
>
> Found with coccinelle.
>
> Fixes: beb0dff1251db ("i40e: enable PTP")
> Signed-off-by: Matt Vollrath <tactii@gmail.com>
> Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
> Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
> ---
> drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
> index 028bd500603a..f06fcef644e5 100644
> --- a/drivers/net/ethernet/intel/i40e/i40e_main.c
> +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
> @@ -16108,6 +16108,7 @@ static int i40e_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
> /* Unwind what we've done if something failed in the setup */
> err_vsis:
> set_bit(__I40E_DOWN, pf->state);
> + i40e_ptp_stop(pf);
> i40e_clear_interrupt_scheme(pf);
> kfree(pf->vsi);
> err_switch_setup:
>
Sashiko points out two possible issues, both of which I think are better
served by follow-up fixes:
> This isn't a bug introduced by this patch, but is it safe to use
> i40e_ptp_stop() in this error path without canceling its workqueue task?
> The PTP initialization logic initializes a background work item
> pf->ptp_extts0_work, which is scheduled asynchronously by the hardware
> interrupt handler. The i40e_ptp_stop() function disables hardware
> interrupts and unregisters the clock without calling
> cancel_work_sync(&pf->ptp_extts0_work).
> Could this leave the work item pending if an event fires right before
> interrupts are disabled, leading to a use-after-free when the module
> teardown frees the pf structure?
I think we need to double check that extts0_work is cancelled properly
when stopping PTP. Or confirm that it won't cause a problem as-is.
Sashiko also says:
> This isn't a bug introduced by this patch, but does this error path leak VSI
> structures and leave netdevs registered?
> If i40e_setup_pf_switch() fails late, the main VSI has already been
> allocated and its netdev registered via register_netdev(). The err_vsis
> cleanup block only executes kfree(pf->vsi), which frees the array of
> pointers but fails to invoke i40e_vsi_release(vsi) or unregister the netdev.
> Since the driver then proceeds to i40e_free_pf(pf) and frees the underlying
> driver structure, could subsequent userspace operations on the
> still-registered netdev execute driver callbacks that dereference the freed
> pf structure?
The only way that the function can fail late appears to be if
i40e_validate_filter_settings() fails.. but that has a comment around
i40e_setup_pf_filter_control() which claims that we shouldn't the probe
just because that failed.. so I think there is maybe an issue but I'm
not 100% sure how to resolve it properly.. It does seem like there may
be a pre-existing issue in the i40e probe error cleanup.
next prev parent reply other threads:[~2026-05-06 20:24 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 5:14 [PATCH net 00/13] Intel Wired LAN Driver Updates 2026-05-04 (i40e, ice, idpf) Jacob Keller
2026-05-05 5:14 ` [PATCH net 01/13] i40e: Cleanup PTP registration on probe failure Jacob Keller
2026-05-06 20:24 ` Jacob Keller [this message]
2026-05-05 5:14 ` [PATCH net 02/13] i40e: Cleanup PTP pins " Jacob Keller
2026-05-06 20:28 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 03/13] i40e: keep q_vectors array in sync with channel count changes Jacob Keller
2026-05-06 20:53 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 04/13] idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init() Jacob Keller
2026-05-05 5:14 ` [PATCH net 05/13] idpf: do not enable XDP if queue based scheduling is not supported Jacob Keller
2026-05-06 20:59 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 06/13] idpf: fix skb datapath queue based scheduling crashes and timeouts Jacob Keller
2026-05-05 5:14 ` [PATCH net 07/13] idpf: fix xdp crash in soft reset error path Jacob Keller
2026-05-05 5:14 ` [PATCH net 08/13] idpf: fix double free and use-after-free in aux device error paths Jacob Keller
2026-05-06 21:04 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 09/13] ice: fix setting RSS VSI hash for E830 Jacob Keller
2026-05-06 21:06 ` Jacob Keller
2026-05-07 11:47 ` Marcin Szycik
2026-05-07 16:59 ` Marcin Szycik
2026-05-07 21:13 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 10/13] ice: fix locking in ice_dcb_rebuild() Jacob Keller
2026-05-06 21:13 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 11/13] ice: fix PTP hang for E825C devices Jacob Keller
2026-05-06 21:16 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 12/13] ice: dpll: fix rclk pin state get for E810 Jacob Keller
2026-05-05 5:14 ` [PATCH net 13/13] ice: dpll: fix misplaced header macros Jacob Keller
2026-05-06 21:21 ` [PATCH net 00/13] Intel Wired LAN Driver Updates 2026-05-04 (i40e, ice, idpf) Jacob Keller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=30de916a-2f74-4f8f-8054-2f2037831bfa@intel.com \
--to=jacob.e.keller@intel.com \
--cc=aleksandr.loktionov@intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=arkadiusz.kubalewski@intel.com \
--cc=davem@davemloft.net \
--cc=david.m.ertman@intel.com \
--cc=edumazet@google.com \
--cc=grzegorz.nitka@intel.com \
--cc=ivecera@redhat.com \
--cc=joshua.a.hay@intel.com \
--cc=kuba@kernel.org \
--cc=maciej.fijalkowski@intel.com \
--cc=madhu.chittim@intel.com \
--cc=michal.kubiak@intel.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=piotr.kwapulinski@intel.com \
--cc=przemyslaw.kitszel@intel.com \
--cc=stable@vger.kernel.org \
--cc=sunithax.d.mekala@intel.com \
--cc=tactii@gmail.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox