From: Simon Horman <horms@kernel.org>
To: aleksander.lobakin@intel.com
Cc: 'Simon Horman' <horms@kernel.org>,
intel-wired-lan@lists.osuosl.org, anthony.l.nguyen@intel.com,
przemyslaw.kitszel@intel.com, andrew+netdev@lunn.ch,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, kohei@enjuk.jp, jacob.e.keller@intel.com,
aleksandr.loktionov@intel.com,
nxne.cnse.osdt.itp.upstreaming@intel.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [Intel-wired-lan] [PATCH iwl-next v5 3/5] ice: migrate to netdev ops lock
Date: Fri, 8 May 2026 14:28:29 +0100 [thread overview]
Message-ID: <20260508132827.1183079-3-horms@kernel.org> (raw)
In-Reply-To: <20260505152923.1040589-4-aleksander.lobakin@intel.com>
From: 'Simon Horman' <horms@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
ice: migrate to netdev ops lock
This commit migrates queue management operations to use netdev locking.
It updates several NAPI and VSI configuration functions to use their
_locked variants to avoid deadlocks, taking the lock manually where needed.
> diff --git a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
> index 16aa255351523..7d89c0acc5d8d 100644
> --- a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
> +++ b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
[ ... ]
> @@ -1107,7 +1106,7 @@ ice_dcb_process_lldp_set_mib_change(struct ice_pf *pf,
>
> rtnl_lock();
> /* disable VSIs affected by DCB changes */
> - ice_dcb_ena_dis_vsi(pf, false, true);
> + ice_dcb_ena_dis_vsi(pf, false);
>
> ret = ice_query_port_ets(pi, &buf, sizeof(buf), NULL);
> if (ret) {
> @@ -1119,7 +1118,7 @@ ice_dcb_process_lldp_set_mib_change(struct ice_pf *pf,
> ice_pf_dcb_recfg(pf, false);
>
> /* enable previously downed VSIs */
> - ice_dcb_ena_dis_vsi(pf, true, true);
> + ice_dcb_ena_dis_vsi(pf, true);
> unlock_rtnl:
> rtnl_unlock();
> out:
This wasn't introduced by this patch, but does this error path leave VSIs
permanently disabled?
If ice_query_port_ets() fails, the code jumps to unlock_rtnl, bypassing the
call to ice_dcb_ena_dis_vsi(pf, true). This seems to leave the affected VSIs
(including the main PF interface) in a disabled state (ICE_VSI_DOWN) with
ICE_VSI_NEEDS_RESTART set, which could result in a denial of service.
> diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch.c b/drivers/net/ethernet/intel/ice/ice_eswitch.c
> index 2e4f0969035f7..af0cc77fbf718 100644
> --- a/drivers/net/ethernet/intel/ice/ice_eswitch.c
> +++ b/drivers/net/ethernet/intel/ice/ice_eswitch.c
> @@ -23,10 +23,16 @@ static int ice_eswitch_setup_env(struct ice_pf *pf)
> struct net_device *netdev = uplink_vsi->netdev;
> bool if_running = netif_running(netdev);
> struct ice_vsi_vlan_ops *vlan_ops;
> + int ret;
> +
> + if (if_running && !test_and_set_bit(ICE_VSI_DOWN, uplink_vsi->state)) {
> + netdev_lock(netdev);
> + ret = ice_down(uplink_vsi);
> + netdev_unlock(netdev);
>
> - if (if_running && !test_and_set_bit(ICE_VSI_DOWN, uplink_vsi->state))
> - if (ice_down(uplink_vsi))
> + if (ret)
> return -ENODEV;
> + }
Simon says: It seems that the topic of locks in this patch has come up
again ¯\_(ツ)_/¯
Does manipulating the state bit outside of netdev_lock create a race
condition with interface teardown?
If the interface is concurrently brought down, ndo_stop (which holds
netdev_lock) would call ice_vsi_close(). Because ICE_VSI_DOWN is already
set by the test_and_set_bit() call above, ice_vsi_close() would skip calling
ice_down() and immediately proceed to free the Tx/Rx rings.
This would leave the hardware queues active and performing DMA operations into
freed memory, potentially causing a use-after-free.
WARNING: multiple messages have this Message-ID (diff)
From: Simon Horman <horms@kernel.org>
To: aleksander.lobakin@intel.com
Cc: 'Simon Horman' <horms@kernel.org>,
intel-wired-lan@lists.osuosl.org, anthony.l.nguyen@intel.com,
przemyslaw.kitszel@intel.com, andrew+netdev@lunn.ch,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, kohei@enjuk.jp, jacob.e.keller@intel.com,
aleksandr.loktionov@intel.com,
nxne.cnse.osdt.itp.upstreaming@intel.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH iwl-next v5 3/5] ice: migrate to netdev ops lock
Date: Fri, 8 May 2026 14:28:29 +0100 [thread overview]
Message-ID: <20260508132827.1183079-3-horms@kernel.org> (raw)
In-Reply-To: <20260505152923.1040589-4-aleksander.lobakin@intel.com>
From: 'Simon Horman' <horms@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
ice: migrate to netdev ops lock
This commit migrates queue management operations to use netdev locking.
It updates several NAPI and VSI configuration functions to use their
_locked variants to avoid deadlocks, taking the lock manually where needed.
> diff --git a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
> index 16aa255351523..7d89c0acc5d8d 100644
> --- a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
> +++ b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
[ ... ]
> @@ -1107,7 +1106,7 @@ ice_dcb_process_lldp_set_mib_change(struct ice_pf *pf,
>
> rtnl_lock();
> /* disable VSIs affected by DCB changes */
> - ice_dcb_ena_dis_vsi(pf, false, true);
> + ice_dcb_ena_dis_vsi(pf, false);
>
> ret = ice_query_port_ets(pi, &buf, sizeof(buf), NULL);
> if (ret) {
> @@ -1119,7 +1118,7 @@ ice_dcb_process_lldp_set_mib_change(struct ice_pf *pf,
> ice_pf_dcb_recfg(pf, false);
>
> /* enable previously downed VSIs */
> - ice_dcb_ena_dis_vsi(pf, true, true);
> + ice_dcb_ena_dis_vsi(pf, true);
> unlock_rtnl:
> rtnl_unlock();
> out:
This wasn't introduced by this patch, but does this error path leave VSIs
permanently disabled?
If ice_query_port_ets() fails, the code jumps to unlock_rtnl, bypassing the
call to ice_dcb_ena_dis_vsi(pf, true). This seems to leave the affected VSIs
(including the main PF interface) in a disabled state (ICE_VSI_DOWN) with
ICE_VSI_NEEDS_RESTART set, which could result in a denial of service.
> diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch.c b/drivers/net/ethernet/intel/ice/ice_eswitch.c
> index 2e4f0969035f7..af0cc77fbf718 100644
> --- a/drivers/net/ethernet/intel/ice/ice_eswitch.c
> +++ b/drivers/net/ethernet/intel/ice/ice_eswitch.c
> @@ -23,10 +23,16 @@ static int ice_eswitch_setup_env(struct ice_pf *pf)
> struct net_device *netdev = uplink_vsi->netdev;
> bool if_running = netif_running(netdev);
> struct ice_vsi_vlan_ops *vlan_ops;
> + int ret;
> +
> + if (if_running && !test_and_set_bit(ICE_VSI_DOWN, uplink_vsi->state)) {
> + netdev_lock(netdev);
> + ret = ice_down(uplink_vsi);
> + netdev_unlock(netdev);
>
> - if (if_running && !test_and_set_bit(ICE_VSI_DOWN, uplink_vsi->state))
> - if (ice_down(uplink_vsi))
> + if (ret)
> return -ENODEV;
> + }
Simon says: It seems that the topic of locks in this patch has come up
again ¯\_(ツ)_/¯
Does manipulating the state bit outside of netdev_lock create a race
condition with interface teardown?
If the interface is concurrently brought down, ndo_stop (which holds
netdev_lock) would call ice_vsi_close(). Because ICE_VSI_DOWN is already
set by the test_and_set_bit() call above, ice_vsi_close() would skip calling
ice_down() and immediately proceed to free the Tx/Rx rings.
This would leave the hardware queues active and performing DMA operations into
freed memory, potentially causing a use-after-free.
next prev parent reply other threads:[~2026-05-08 13:31 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 15:29 [Intel-wired-lan] [PATCH iwl-next v5 0/5] ice: add support for devmem/io_uring Rx and Tx Alexander Lobakin
2026-05-05 15:29 ` Alexander Lobakin
2026-05-05 15:29 ` [Intel-wired-lan] [PATCH iwl-next v5 1/5] libeth: pass Rx queue index to PP when creating a fill queue Alexander Lobakin
2026-05-05 15:29 ` Alexander Lobakin
2026-05-05 15:29 ` [Intel-wired-lan] [PATCH iwl-next v5 2/5] libeth: handle creating pools with unreadable buffers Alexander Lobakin
2026-05-05 15:29 ` Alexander Lobakin
2026-05-05 15:29 ` [Intel-wired-lan] [PATCH iwl-next v5 3/5] ice: migrate to netdev ops lock Alexander Lobakin
2026-05-05 15:29 ` Alexander Lobakin
2026-05-08 13:28 ` Simon Horman [this message]
2026-05-08 13:28 ` Simon Horman
2026-05-08 13:57 ` [Intel-wired-lan] " Alexander Lobakin
2026-05-08 13:57 ` Alexander Lobakin
2026-05-10 8:57 ` [Intel-wired-lan] " Simon Horman
2026-05-10 8:57 ` Simon Horman
2026-05-05 15:29 ` [Intel-wired-lan] [PATCH iwl-next v5 4/5] ice: implement Rx queue management ops Alexander Lobakin
2026-05-05 15:29 ` Alexander Lobakin
2026-05-08 14:08 ` [Intel-wired-lan] " Simon Horman
2026-05-08 14:26 ` Simon Horman
2026-05-08 15:07 ` Alexander Lobakin
2026-05-08 14:25 ` Simon Horman
2026-05-08 14:25 ` Simon Horman
2026-05-05 15:29 ` [Intel-wired-lan] [PATCH iwl-next v5 5/5] ice: add support for transmitting unreadable frags Alexander Lobakin
2026-05-05 15:29 ` Alexander Lobakin
2026-05-08 15:42 ` [Intel-wired-lan] " Simon Horman
2026-05-08 15:42 ` Simon Horman
2026-05-08 12:06 ` [Intel-wired-lan] [PATCH iwl-next v5 0/5] ice: add support for devmem/io_uring Rx and Tx Alexander Lobakin
2026-05-08 12:06 ` Alexander Lobakin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260508132827.1183079-3-horms@kernel.org \
--to=horms@kernel.org \
--cc=aleksander.lobakin@intel.com \
--cc=aleksandr.loktionov@intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=anthony.l.nguyen@intel.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=jacob.e.keller@intel.com \
--cc=kohei@enjuk.jp \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nxne.cnse.osdt.itp.upstreaming@intel.com \
--cc=pabeni@redhat.com \
--cc=przemyslaw.kitszel@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.