From nobody Sun Feb 8 02:56:03 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 30AD8376BD2 for ; Thu, 29 Jan 2026 09:57:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769680661; cv=none; b=TW2cKjtNJ0kgkUwaLywN/8bgH2sP3hqw3PYPOyLqKZACfSSdvVL2TYSXlSfwRjVp0rRcQ3JMqabRJ+pWLdZ/FAjfupPP6rqx6J5HIkkrvffk10W8XaEvvtvuaXX27rPgGmJKI0WXkQA7zkWH+G8mw4geXlD7ygMIfJL0p6z3/KM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769680661; c=relaxed/simple; bh=RQihqxsso+7xeMWjpGb9PL5gf8xIHK+tva93bT86+Vw=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=u6WFdTgcHNtYreqo3Ld7ZpGVXnk+Y94DjoZ3VdIIEbQUVMA8RI2CprYOOcqHSvjnuSSVlwuz55WG2zW1K4P175Vle8qs1j1fHq5zazcjhR0p2UQW/XfKe4ULUUgmIsfMFxEnl8xfV6yIVB4uQCt4LJfcvQ7EKy2w9yTl9316/W0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=c2hj6lOE; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="c2hj6lOE" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1769680659; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=0Z7GQGT6PLKvmdoazn0BpeLlPo5mZl2/bnsp2MVA+EA=; b=c2hj6lOEJTfW75iRwrV8g3O2WeDvF/86gh6bf9+OYIKtBYNgh8cJRQIaksPUPHFc+288Za fELL8A0ild5YFHcGfF4I/kyCaHg/2QoZ1dkZjLn+Y7eNkOl+JebR1zrvVGOQOUJXo9blqs Qu6aCI9+ZE7HHr0qYwiPVjNbR950Qyc= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-329-_Kn7WWcYPY6B2Aa8H1AueA-1; Thu, 29 Jan 2026 04:57:36 -0500 X-MC-Unique: _Kn7WWcYPY6B2Aa8H1AueA-1 X-Mimecast-MFC-AGG-ID: _Kn7WWcYPY6B2Aa8H1AueA_1769680653 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 674371956096; Thu, 29 Jan 2026 09:57:33 +0000 (UTC) Received: from ShadowPeak.redhat.com (unknown [10.45.225.83]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id C837A1800109; Thu, 29 Jan 2026 09:57:28 +0000 (UTC) From: Petr Oros To: netdev@vger.kernel.org Cc: ivecera@redhat.com, mschmidt@redhat.com, Petr Oros , Tony Nguyen , Przemek Kitszel , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Richard Cochran , Jacob Keller , Simon Horman , Mateusz Polchlopek , intel-wired-lan@lists.osuosl.org, linux-kernel@vger.kernel.org Subject: [PATCH net] iavf: fix PTP use-after-free during reset Date: Thu, 29 Jan 2026 10:57:23 +0100 Message-ID: <20260129095723.7269-1-poros@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Content-Type: text/plain; charset="utf-8" Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash. Fix this by calling `iavf_ptp_release()` before tearing down the adapter. This ensures `ptp_clock_unregister()` synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed. Fixes: 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") Signed-off-by: Petr Oros Acked-by: Jacob Keller Reviewed-by: Aleksandr Loktionov Reviewed-by: Ivan Vecera Reviewed-by: Paul Menzel Reviewed-by: Vadim Fedorenko --- drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethe= rnet/intel/iavf/iavf_main.c index 4b0fc8f354bc90..0dd58ce5a53ab1 100644 --- a/drivers/net/ethernet/intel/iavf/iavf_main.c +++ b/drivers/net/ethernet/intel/iavf/iavf_main.c @@ -3025,6 +3025,8 @@ static void iavf_disable_vf(struct iavf_adapter *adap= ter) =20 adapter->flags |=3D IAVF_FLAG_PF_COMMS_FAILED; =20 + iavf_ptp_release(adapter); + /* We don't use netif_running() because it may be true prior to * ndo_open() returning, so we can't assume it means all our open * tasks have finished, since we're not holding the rtnl_lock here. @@ -3200,6 +3202,8 @@ static void iavf_reset_task(struct work_struct *work) iavf_change_state(adapter, __IAVF_RESETTING); adapter->flags &=3D ~IAVF_FLAG_RESET_PENDING; =20 + iavf_ptp_release(adapter); + /* free the Tx/Rx rings and descriptors, might be better to just * re-use them sometime in the future */ --=20 2.52.0