Home

Description

In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog The ptp_ocp_detach() only shuts down the watchdog timer if it is pending. However, if the timer handler is already running, the timer_delete_sync() is not called. This leads to race conditions where the devlink that contains the ptp_ocp is deallocated while the timer handler is still accessing it, resulting in use-after-free bugs. The following details one of the race scenarios. (thread 1) | (thread 2) ptp_ocp_remove() | ptp_ocp_detach() | ptp_ocp_watchdog() if (timer_pending(&bp->watchdog))| bp = timer_container_of() timer_delete_sync() | | devlink_free(devlink) //free | | bp-> //use Resolve this by unconditionally calling timer_delete_sync() to ensure the timer is reliably deactivated, preventing any access after free.

PUBLISHED Reserved 2025-04-16 | Published 2025-09-19 | Updated 2025-09-29 | Assigner Linux

Product status

Default status
unaffected

773bda96492153e11d21eb63ac814669b51fc701 (git) before f10d3c7267ac7387a5129d5506c3c5f2460cfd9b
affected

773bda96492153e11d21eb63ac814669b51fc701 (git) before 8bf935cf789872350b04c1a6468b0a509f67afb2
affected

Default status
affected

5.15
affected

Any version before 5.15
unaffected

6.16.6 (semver)
unaffected

6.17 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/f10d3c7267ac7387a5129d5506c3c5f2460cfd9b

git.kernel.org/...c/8bf935cf789872350b04c1a6468b0a509f67afb2

cve.org (CVE-2025-39859)

nvd.nist.gov (CVE-2025-39859)

Download JSON