CVE-2025-39859

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog<br /> <br /> The ptp_ocp_detach() only shuts down the watchdog timer if it is<br /> pending. However, if the timer handler is already running, the<br /> timer_delete_sync() is not called. This leads to race conditions<br /> where the devlink that contains the ptp_ocp is deallocated while<br /> the timer handler is still accessing it, resulting in use-after-free<br /> bugs. The following details one of the race scenarios.<br /> <br /> (thread 1) | (thread 2)<br /> ptp_ocp_remove() |<br /> ptp_ocp_detach() | ptp_ocp_watchdog()<br /> if (timer_pending(&amp;bp-&gt;watchdog))| bp = timer_container_of()<br /> timer_delete_sync() |<br /> |<br /> devlink_free(devlink) //free |<br /> | bp-&gt; //use<br /> <br /> Resolve this by unconditionally calling timer_delete_sync() to ensure<br /> the timer is reliably deactivated, preventing any access after free.