superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/drivers/ptp
History
Duoming Zhou 8bf935cf78 ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog 
The ptp_ocp_detach() only shuts down the watchdog timer if it is
pending. However, if the timer handler is already running, the
timer_delete_sync() is not called. This leads to race conditions
where the devlink that contains the ptp_ocp is deallocated while
the timer handler is still accessing it, resulting in use-after-free
bugs. The following details one of the race scenarios.

(thread 1)                           | (thread 2)
ptp_ocp_remove()                     |
  ptp_ocp_detach()                   | ptp_ocp_watchdog()
    if (timer_pending(&bp->watchdog))|   bp = timer_container_of()
      timer_delete_sync()            |
                                     |
  devlink_free(devlink) //free       |
                                     |   bp-> //use

Resolve this by unconditionally calling timer_delete_sync() to ensure
the timer is reliably deactivated, preventing any access after free.

Fixes: 773bda9649 ("ptp: ocp: Expose various resources on the timecard.")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20250828082949.28189-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2025-08-29 19:10:22 -07:00
..
Kconfig ptp: Do not enable by default during compile testing 2025-04-22 18:43:10 -07:00
Makefile s390/time: Add PtP driver 2024-10-30 17:02:39 -07:00
ptp_chardev.c ptp: Enable auxiliary clocks for PTP_SYS_OFFSET_EXTENDED 2025-07-03 15:36:06 +02:00
ptp_clock.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-06-19 13:00:24 -07:00
ptp_clockmatrix.c net: ptp: introduce .supported_extts_flags to ptp_clock_info 2025-04-15 20:20:57 -07:00
ptp_clockmatrix.h
ptp_dfl_tod.c
ptp_dte.c Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
ptp_fc3.c net: ptp: introduce .supported_extts_flags to ptp_clock_info 2025-04-15 20:20:57 -07:00
ptp_fc3.h
ptp_idt82p33.c net: ptp: introduce .supported_extts_flags to ptp_clock_info 2025-04-15 20:20:57 -07:00
ptp_idt82p33.h
ptp_ines.c Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
ptp_kvm_arm.c
ptp_kvm_common.c
ptp_kvm_x86.c ptp: kvm: x86: Return EOPNOTSUPP instead of ENODEV from kvm_arch_ptp_init() 2024-12-06 17:38:11 -08:00
ptp_mock.c time/timecounter: Fix the lie that struct cyclecounter is const 2025-07-01 15:38:25 +02:00
ptp_ocp.c ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog 2025-08-29 19:10:22 -07:00
ptp_pch.c ptp_pch: Replace deprecated PCI functions 2024-10-31 18:53:35 -07:00
ptp_private.h ptp: prevent possible ABBA deadlock in ptp_clock_freerun() 2025-08-12 14:17:35 -07:00
ptp_qoriq.c Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
ptp_qoriq_debugfs.c
ptp_s390.c s390/time: Add PtP driver 2024-10-30 17:02:39 -07:00
ptp_sysfs.c
ptp_vclock.c ptp: prevent possible ABBA deadlock in ptp_clock_freerun() 2025-08-12 14:17:35 -07:00
ptp_vmclock.c ptp: vmclock: Remove goto-based cleanup logic 2025-02-11 10:20:52 +01:00
ptp_vmw.c