RE: [PATCH v2 1/2] wifi: iwlwifi: mvm: fix race condition in PTP removal

[Korenblit, Miriam Rachel]

> -----Original Message-----
> From: Cao, Junjie <junjie.cao@xxxxxxxxx>
> Sent: Thursday, February 12, 2026 2:51 PM
> To: Korenblit, Miriam Rachel <miriam.rachel.korenblit@xxxxxxxxx>; Berg,
> Johannes <johannes.berg@xxxxxxxxx>; linux-wireless@xxxxxxxxxxxxxxx;
> richardcochran@xxxxxxxxx
> Cc: horms@xxxxxxxxxx; netdev@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
> yedidya.ben.shimol@xxxxxxxxx; Stern, Avraham <avraham.stern@xxxxxxxxx>;
> Gabay, Daniel <daniel.gabay@xxxxxxxxx>; Prabhu, Krishnanand
> <krishnanand.prabhu@xxxxxxxxx>; Coelho, Luciano <luciano.coelho@xxxxxxxxx>;
> gregory.greenman@xxxxxxxxx; stable@xxxxxxxxxxxxxxx; Cao, Junjie
> <junjie.cao@xxxxxxxxx>; Vadim Fedorenko <vadim.fedorenko@xxxxxxxxx>
> Subject: [PATCH v2 1/2] wifi: iwlwifi: mvm: fix race condition in PTP removal
> 
> iwl_mvm_ptp_remove() calls cancel_delayed_work_sync() only after
> ptp_clock_unregister() and clearing ptp_data state (ptp_clock, ptp_clock_info,
> last_gp2).
> 
> This creates a race where the delayed work iwl_mvm_ptp_work() can execute
> between ptp_clock_unregister() and cancel_delayed_work_sync(), observing
> partially cleared PTP state.

But the work runs under the mvm mutex, and so does iwl_mvm_ptp_remove, so not sure how such a race can happen?
> 
> Move cancel_delayed_work_sync() before ptp_clock_unregister() to ensure the
> delayed work is fully stopped before any PTP cleanup begins.
> 
> Fixes: 1595ecce1cf3 ("wifi: iwlwifi: mvm: add support for PTP HW clock (PHC)")
> Cc: stable@xxxxxxxxxxxxxxx
> Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
> Reviewed-by: Vadim Fedorenko <vadim.fedorenko@xxxxxxxxx>
> Signed-off-by: Junjie Cao <junjie.cao@xxxxxxxxx>
> ---
>  drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> index ad156b82eaa9..efb291ceb0e5 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
> @@ -323,11 +323,11 @@ void iwl_mvm_ptp_remove(struct iwl_mvm *mvm)
>  			       mvm->ptp_data.ptp_clock_info.name,
>  			       ptp_clock_index(mvm->ptp_data.ptp_clock));
> 
> +		cancel_delayed_work_sync(&mvm->ptp_data.dwork);
>  		ptp_clock_unregister(mvm->ptp_data.ptp_clock);
>  		mvm->ptp_data.ptp_clock = NULL;
>  		memset(&mvm->ptp_data.ptp_clock_info, 0,
>  		       sizeof(mvm->ptp_data.ptp_clock_info));
>  		mvm->ptp_data.last_gp2 = 0;
> -		cancel_delayed_work_sync(&mvm->ptp_data.dwork);
>  	}
>  }
> --
> 2.48.1