1. Patchew
  2. linux
  3. View series

[PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal

Junjie Cao posted 1 patch 3 weeks, 2 days ago 
drivers/net/wireless/intel/iwlwifi/mld/ptp.c | 2 +-
drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
[PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal
Posted by Junjie Cao 3 weeks, 2 days ago 
iwl_mvm_ptp_remove() and iwl_mld_ptp_remove() call
cancel_delayed_work_sync() only after ptp_clock_unregister() and after
partially clearing ptp_data state.

This creates a race where the delayed work (iwl_mvm_ptp_work /
iwl_mld_ptp_work) can run while teardown is in progress and observe a
partially modified PTP state. In addition, the work may re-arm itself,
extending the teardown window and risking execution after driver
resources have been released.

Move cancel_delayed_work_sync() before ptp_clock_unregister() to ensure
the delayed work is fully stopped before any PTP cleanup begins. This
follows the standard pattern used by other Intel PTP drivers such as
e1000e, igb, ixgbe, and ice.

Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
Fixes: 1595ecce1cf3 ("wifi: iwlwifi: mvm: add support for PTP HW clock (PHC)")
Cc: stable@vger.kernel.org
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/mld/ptp.c | 2 +-
 drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
index 231920425c06..b40182320801 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
@@ -319,10 +319,10 @@ void iwl_mld_ptp_remove(struct iwl_mld *mld)
 			       mld->ptp_data.ptp_clock_info.name,
 			       ptp_clock_index(mld->ptp_data.ptp_clock));
 
+		cancel_delayed_work_sync(&mld->ptp_data.dwork);
 		ptp_clock_unregister(mld->ptp_data.ptp_clock);
 		mld->ptp_data.ptp_clock = NULL;
 		mld->ptp_data.last_gp2 = 0;
 		mld->ptp_data.wrap_counter = 0;
-		cancel_delayed_work_sync(&mld->ptp_data.dwork);
 	}
 }
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
index 1da6260e238c..2b01ca36a1b5 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
@@ -325,11 +325,11 @@ void iwl_mvm_ptp_remove(struct iwl_mvm *mvm)
 			       mvm->ptp_data.ptp_clock_info.name,
 			       ptp_clock_index(mvm->ptp_data.ptp_clock));
 
+		cancel_delayed_work_sync(&mvm->ptp_data.dwork);
 		ptp_clock_unregister(mvm->ptp_data.ptp_clock);
 		mvm->ptp_data.ptp_clock = NULL;
 		memset(&mvm->ptp_data.ptp_clock_info, 0,
 		       sizeof(mvm->ptp_data.ptp_clock_info));
 		mvm->ptp_data.last_gp2 = 0;
-		cancel_delayed_work_sync(&mvm->ptp_data.dwork);
 	}
 }
-- 
2.43.0
Re: [PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal
Posted by Vadim Fedorenko 2 weeks, 4 days ago 
On 15/01/2026 16:15, Junjie Cao wrote:
> iwl_mvm_ptp_remove() and iwl_mld_ptp_remove() call
> cancel_delayed_work_sync() only after ptp_clock_unregister() and after
> partially clearing ptp_data state.
> 
> This creates a race where the delayed work (iwl_mvm_ptp_work /
> iwl_mld_ptp_work) can run while teardown is in progress and observe a
> partially modified PTP state. In addition, the work may re-arm itself,
> extending the teardown window and risking execution after driver
> resources have been released.
> 
> Move cancel_delayed_work_sync() before ptp_clock_unregister() to ensure
> the delayed work is fully stopped before any PTP cleanup begins. This
> follows the standard pattern used by other Intel PTP drivers such as
> e1000e, igb, ixgbe, and ice.
> 
> Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
> Fixes: 1595ecce1cf3 ("wifi: iwlwifi: mvm: add support for PTP HW clock (PHC)")
> Cc: stable@vger.kernel.org
> Signed-off-by: Junjie Cao <junjie.cao@intel.com>

Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Re: [PATCH] wifi: iwlwifi: ptp: Fix potential race condition in PTP removal
Posted by Simon Horman 2 weeks, 5 days ago 
+ Yao Zi and Benjamin Berg

On Fri, Jan 16, 2026 at 12:15:29AM +0800, Junjie Cao wrote:
> iwl_mvm_ptp_remove() and iwl_mld_ptp_remove() call
> cancel_delayed_work_sync() only after ptp_clock_unregister() and after
> partially clearing ptp_data state.
> 
> This creates a race where the delayed work (iwl_mvm_ptp_work /
> iwl_mld_ptp_work) can run while teardown is in progress and observe a
> partially modified PTP state. In addition, the work may re-arm itself,
> extending the teardown window and risking execution after driver
> resources have been released.
> 
> Move cancel_delayed_work_sync() before ptp_clock_unregister() to ensure
> the delayed work is fully stopped before any PTP cleanup begins. This
> follows the standard pattern used by other Intel PTP drivers such as
> e1000e, igb, ixgbe, and ice.
> 
> Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
> Fixes: 1595ecce1cf3 ("wifi: iwlwifi: mvm: add support for PTP HW clock (PHC)")
> Cc: stable@vger.kernel.org
> Signed-off-by: Junjie Cao <junjie.cao@intel.com>

Thinking out loud: The two cited commits were introduced in
the same upstream release - v6.4 - so from a backporting PoV
it seems reasonable to address these issues in one patch.
Though I do think it would be best to think of these
as two things and thus warranting two patches.

That notwithstanding, the changes look good to me.

Reviewed-by: Simon Horman <horms@kernel.org>

Context left intact below for the benefit of Yao Zi and Benjamin Berg.

> ---
>  drivers/net/wireless/intel/iwlwifi/mld/ptp.c | 2 +-
>  drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
> index 231920425c06..b40182320801 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
> @@ -319,10 +319,10 @@ void iwl_mld_ptp_remove(struct iwl_mld *mld)
>  			       mld->ptp_data.ptp_clock_info.name,
>  			       ptp_clock_index(mld->ptp_data.ptp_clock));
>  
> +		cancel_delayed_work_sync(&mld->ptp_data.dwork);
>  		ptp_clock_unregister(mld->ptp_data.ptp_clock);
>  		mld->ptp_data.ptp_clock = NULL;
>  		mld->ptp_data.last_gp2 = 0;
>  		mld->ptp_data.wrap_counter = 0;
> -		cancel_delayed_work_sync(&mld->ptp_data.dwork);
>  	}
>  }
> diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> index 1da6260e238c..2b01ca36a1b5 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> @@ -325,11 +325,11 @@ void iwl_mvm_ptp_remove(struct iwl_mvm *mvm)
>  			       mvm->ptp_data.ptp_clock_info.name,
>  			       ptp_clock_index(mvm->ptp_data.ptp_clock));
>  
> +		cancel_delayed_work_sync(&mvm->ptp_data.dwork);
>  		ptp_clock_unregister(mvm->ptp_data.ptp_clock);
>  		mvm->ptp_data.ptp_clock = NULL;
>  		memset(&mvm->ptp_data.ptp_clock_info, 0,
>  		       sizeof(mvm->ptp_data.ptp_clock_info));
>  		mvm->ptp_data.last_gp2 = 0;
> -		cancel_delayed_work_sync(&mvm->ptp_data.dwork);
>  	}
>  }
> -- 
> 2.43.0
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.