From: Jacob Keller <jacob.e.keller@intel.com>
To: Przemek Kitszel <przemyslaw.kitszel@intel.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Piotr Kwapulinski <piotr.kwapulinski@intel.com>,
Aleksandr Loktionov <aleksandr.loktionov@intel.com>,
Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>,
Maciej Fijalkowski <maciej.fijalkowski@intel.com>,
Michal Kubiak <michal.kubiak@intel.com>,
Joshua Hay <joshua.a.hay@intel.com>,
Madhu Chittim <madhu.chittim@intel.com>,
Willem de Bruijn <willemb@google.com>,
Dave Ertman <david.m.ertman@intel.com>,
Ivan Vecera <ivecera@redhat.com>,
Grzegorz Nitka <grzegorz.nitka@intel.com>
Cc: <netdev@vger.kernel.org>, <stable@vger.kernel.org>,
Matt Vollrath <tactii@gmail.com>, Kohei Enju <kohei@enjuk.jp>,
Paul Menzel <pmenzel@molgen.mpg.de>,
Sunitha Mekala <sunithax.d.mekala@intel.com>
Subject: Re: [PATCH net 02/13] i40e: Cleanup PTP pins on probe failure
Date: Wed, 6 May 2026 13:28:51 -0700 [thread overview]
Message-ID: <c2ac2c41-46a8-4cca-99b0-3e423114c91b@intel.com> (raw)
In-Reply-To: <20260504-jk-iwl-net-2026-05-04-v1-2-a222a88bd962@intel.com>
On 5/4/2026 10:14 PM, Jacob Keller wrote:
> From: Matt Vollrath <tactii@gmail.com>
>
> PTP pin structs are allocated early in probe, but never cleaned up.
>
> Fix this by calling i40e_ptp_free_pins in the error path.
>
> To support this, i40e_ptp_free_pins is added to the header and
> pin_config is correctly nullified after being freed.
>
> This has been an issue since i40e_ptp_alloc_pins was introduced.
>
> Fixes: 1050713026a08 ("i40e: add support for PTP external synchronization clock")
> Reported-by: Kohei Enju <kohei@enjuk.jp>
> Cc: stable@vger.kernel.org
> Signed-off-by: Matt Vollrath <tactii@gmail.com>
> Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
> Reviewed-by: Kohei Enju <kohei@enjuk.jp>
> Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
> Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
> ---
> drivers/net/ethernet/intel/i40e/i40e.h | 1 +
> drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
> drivers/net/ethernet/intel/i40e/i40e_ptp.c | 3 ++-
> 3 files changed, 4 insertions(+), 1 deletion(-)
>
Sashiko points out some issues which are related but pre-existing this fix:
> This isn't a bug in this patch, but looking at i40e_probe(), the return
> value of i40e_ptp_alloc_pins() is ignored earlier in the probe sequence.
> If the memory allocation fails, pf->ptp_pins remains NULL, but the probe
> routine continues successfully.
> Later, if a user attempts to configure the PTP pins via the PTP clock ioctl
> (such as PTP_EXTTS_REQUEST), i40e_ptp_enable_pin() unconditionally dereferences
> the pointer:
> drivers/net/ethernet/intel/i40e/i40e_ptp.c:i40e_ptp_enable_pin() {
> ...
> pins.sdp3_2 = pf->ptp_pins->sdp3_2;
> ...
> }
> Could this lead to a NULL pointer dereference panic triggered by userspace?
Probably we just need to add an error handling of the pin allocation
since failure to allocate memory is likely to hit a lot of other places
as well. This is also a pre-existing issue.
> This isn't a bug in this patch, but while looking at PTP cleanup, it appears
> the pf->ptp_extts0_work work item is never canceled during device removal.
> In i40e_remove(), i40e_ptp_stop() masks the PTP event interrupts, but it
> doesn't call cancel_work_sync(&pf->ptp_extts0_work) to flush any already-queued
> work.
> i40e_remove() later cancels service_task but completely omits ptp_extts0_work.
> If an interrupt triggers and schedules the work immediately before the teardown
> path masks the interrupt, will the work item execute after the pf structure is
> completely freed, resulting in a use-after-free?
This is also a pre-existing issue in the PTP teardown that was reported
on patch 1/13 as well: we need to cancel the extts0_work item.
next prev parent reply other threads:[~2026-05-06 20:29 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 5:14 [PATCH net 00/13] Intel Wired LAN Driver Updates 2026-05-04 (i40e, ice, idpf) Jacob Keller
2026-05-05 5:14 ` [PATCH net 01/13] i40e: Cleanup PTP registration on probe failure Jacob Keller
2026-05-06 20:24 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 02/13] i40e: Cleanup PTP pins " Jacob Keller
2026-05-06 20:28 ` Jacob Keller [this message]
2026-05-05 5:14 ` [PATCH net 03/13] i40e: keep q_vectors array in sync with channel count changes Jacob Keller
2026-05-06 20:53 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 04/13] idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init() Jacob Keller
2026-05-05 5:14 ` [PATCH net 05/13] idpf: do not enable XDP if queue based scheduling is not supported Jacob Keller
2026-05-06 20:59 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 06/13] idpf: fix skb datapath queue based scheduling crashes and timeouts Jacob Keller
2026-05-05 5:14 ` [PATCH net 07/13] idpf: fix xdp crash in soft reset error path Jacob Keller
2026-05-05 5:14 ` [PATCH net 08/13] idpf: fix double free and use-after-free in aux device error paths Jacob Keller
2026-05-06 21:04 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 09/13] ice: fix setting RSS VSI hash for E830 Jacob Keller
2026-05-06 21:06 ` Jacob Keller
2026-05-07 11:47 ` Marcin Szycik
2026-05-07 16:59 ` Marcin Szycik
2026-05-07 21:13 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 10/13] ice: fix locking in ice_dcb_rebuild() Jacob Keller
2026-05-06 21:13 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 11/13] ice: fix PTP hang for E825C devices Jacob Keller
2026-05-06 21:16 ` Jacob Keller
2026-05-05 5:14 ` [PATCH net 12/13] ice: dpll: fix rclk pin state get for E810 Jacob Keller
2026-05-05 5:14 ` [PATCH net 13/13] ice: dpll: fix misplaced header macros Jacob Keller
2026-05-06 21:21 ` [PATCH net 00/13] Intel Wired LAN Driver Updates 2026-05-04 (i40e, ice, idpf) Jacob Keller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c2ac2c41-46a8-4cca-99b0-3e423114c91b@intel.com \
--to=jacob.e.keller@intel.com \
--cc=aleksandr.loktionov@intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=arkadiusz.kubalewski@intel.com \
--cc=davem@davemloft.net \
--cc=david.m.ertman@intel.com \
--cc=edumazet@google.com \
--cc=grzegorz.nitka@intel.com \
--cc=ivecera@redhat.com \
--cc=joshua.a.hay@intel.com \
--cc=kohei@enjuk.jp \
--cc=kuba@kernel.org \
--cc=maciej.fijalkowski@intel.com \
--cc=madhu.chittim@intel.com \
--cc=michal.kubiak@intel.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=piotr.kwapulinski@intel.com \
--cc=pmenzel@molgen.mpg.de \
--cc=przemyslaw.kitszel@intel.com \
--cc=stable@vger.kernel.org \
--cc=sunithax.d.mekala@intel.com \
--cc=tactii@gmail.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox