Date: Wed, 25 Mar 2026 14:37:16 +0000
From: "Russell King (Oracle)"
To: Vladimir Oltean
Cc: Vadim Fedorenko, Richard Cochran, Andrew Lunn, "David S. Miller", Paolo Abeni, Jakub Kicinski, netdev@vger.kernel.org
Subject: Re: [PATCH] ptp: ocp: fix resource freeing order

On Wed, Mar 25, 2026 at 02:20:05PM +0200, Vladimir Oltean wrote:
> On Wed, Mar 25, 2026 at 12:05:10PM +0000, Vadim Fedorenko wrote:
> > Commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable
> > events") added a call to ptp_disable_all_events() which changes the
> > configuration of pins if they support EXTTS events. In ptp_ocp_detach()
> > pins resources are freed before ptp_clock_unregister() and it leads to
> > use-after-free during driver removal. Fix it by changing the order of
> > free/unregister calls.
> >
> > Fixes: a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events")
> > Signed-off-by: Vadim Fedorenko
> > ---
> > drivers/ptp/ptp_ocp.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c > > index d88ab2f86b1b..16fd4804fc6a 100644 > > --- a/drivers/ptp/ptp_ocp.c > > +++ b/drivers/ptp/ptp_ocp.c > > @@ -4558,6 +4558,9 @@ ptp_ocp_detach(struct ptp_ocp *bp) > > ptp_ocp_detach_sysfs(bp); > > ptp_ocp_attr_group_del(bp); > > timer_delete_sync(&bp->watchdog); > > + if (bp->ptp) > > + ptp_clock_unregister(bp->ptp); > > + kfree(bp->ptp_info.pin_config); > > ptp_ocp_unregister_ext(bp->ts0); > > ptp_ocp_unregister_ext(bp->ts1); > > ptp_ocp_unregister_ext(bp->ts2);
> > @@ -4575,9 +4578,6 @@ ptp_ocp_detach(struct ptp_ocp *bp) > > clk_hw_unregister_fixed_rate(bp->i2c_clk); > > if (bp->n_irqs) > > pci_free_irq_vectors(bp->pdev); > > - if (bp->ptp) > > - ptp_clock_unregister(bp->ptp); > > - kfree(bp->ptp_info.pin_config); > > device_unregister(&bp->dev); > > }
> >
> > --
> > 2.47.3
> >
>
> The code wasn't safe even before the patch, since user space could have
> emitted a PTP ioctl that passed into the driver in between the
> ptp_ocp_unregister_ext() calls and the subsequent ptp_clock_unregister()
> call. It's just that the patch you blame made it more obvious.

Indeed. We've been talking about "setup, then publish interfaces,
unpublish interfaces, tear down" for decades. I remember it coming up
at the Ottawa Linux Symposiums in the early 2000s when the driver model
was in its infancy.

Yet, here we are in 2026, and the same problem persists. :(

--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
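
Review bot: In the first hunk (@@ -4558,6 +4558,9), the added kfree(bp->ptp_info.pin_config) now runs ahead of the ptp_ocp_unregister_ext() calls and the rest of the teardown, and the pointer keeps the freed address for all of it, where before only device_unregister(&bp->dev) followed the free. Setting bp->ptp_info.pin_config to NULL right after the kfree() would make any remaining late access fault on a NULL pointer instead of reading freed memory.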
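
Review bot: Nothing in ptp_ocp_detach() records why the clock is unregistered first once the second hunk (@@ -4575,9 +4578,6) removes the old call site ahead of device_unregister(&bp->dev). A short comment above the new ptp_clock_unregister() call, saying the PTP clock must be unpublished before the ptp_ocp_unregister_ext() and IRQ teardown, would keep a later cleanup from moving it back down. The commit message could also say, as the reply in this thread points out, that the old order was already unsafe against a user-space PTP ioctl arriving between those calls.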