Re: [PATCH iwl-net] idpf: fix xdp crash in soft reset error path

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: "Tantilov, Emil S" <emil.s.tantilov@intel.com>
To: Alexander Lobakin <aleksander.lobakin@intel.com>
Cc: <intel-wired-lan@lists.osuosl.org>, <netdev@vger.kernel.org>,
	<anthony.l.nguyen@intel.com>, <aleksandr.loktionov@intel.com>,
	<przemyslaw.kitszel@intel.com>, <andrew+netdev@lunn.ch>,
	<davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>,
	<pabeni@redhat.com>, <ast@kernel.org>, <daniel@iogearbox.net>,
	<hawk@kernel.org>, <john.fastabend@gmail.com>, <sdf@fomichev.me>,
	<bpf@vger.kernel.org>, <decot@google.com>, <willemb@google.com>
Subject: Re: [PATCH iwl-net] idpf: fix xdp crash in soft reset error path
Date: Thu, 19 Mar 2026 14:47:15 -0700	[thread overview]
Message-ID: <7bb04cd3-b787-455a-a989-50e3805e8c5b@intel.com> (raw)
In-Reply-To: <a666510d-8664-4b74-aed5-91eb28ff9d51@intel.com>



On 3/18/2026 9:40 AM, Alexander Lobakin wrote:
> From: Emil Tantilov <emil.s.tantilov@intel.com>
> Date: Tue, 17 Mar 2026 18:15:45 -0700
> 
>> NULL pointer dereference is reported in cases where idpf_vport_open()
>> fails during soft reset:
>>
>> ./xdpsock -i <inf> -q -r -N
>>
>> [ 3179.186687] idpf 0000:83:00.0: Failed to initialize queue ids for vport 0: -12
>> [ 3179.276739] BUG: kernel NULL pointer dereference, address: 0000000000000010
>> [ 3179.277636] #PF: supervisor read access in kernel mode
>> [ 3179.278470] #PF: error_code(0x0000) - not-present page
>> [ 3179.279285] PGD 0
>> [ 3179.280083] Oops: Oops: 0000 [#1] SMP NOPTI
>> ...
>> [ 3179.283997] Workqueue: events xp_release_deferred
>> [ 3179.284770] RIP: 0010:idpf_find_rxq_vec+0x17/0x30 [idpf]
>> ...
>> [ 3179.291937] Call Trace:
>> [ 3179.292392]  <TASK>
>> [ 3179.292843]  idpf_qp_switch+0x25/0x820 [idpf]
>> [ 3179.293325]  idpf_xsk_pool_setup+0x7c/0x520 [idpf]
>> [ 3179.293803]  idpf_xdp+0x59/0x240 [idpf]
>> [ 3179.294275]  xp_disable_drv_zc+0x62/0xb0
>> [ 3179.294743]  xp_clear_dev+0x40/0xb0
>> [ 3179.295198]  xp_release_deferred+0x1f/0xa0
>> [ 3179.295648]  process_one_work+0x226/0x730
>> [ 3179.296106]  worker_thread+0x19e/0x340
>> [ 3179.296557]  ? __pfx_worker_thread+0x10/0x10
>> [ 3179.297009]  kthread+0xf4/0x130
>> [ 3179.297459]  ? __pfx_kthread+0x10/0x10
>> [ 3179.297910]  ret_from_fork+0x32c/0x410
>> [ 3179.298361]  ? __pfx_kthread+0x10/0x10
>> [ 3179.298702]  ret_from_fork_asm+0x1a/0x30
>>
>> Fix the error handling of the soft reset in idpf_xdp_setup_prog() by
>> restoring the vport->xdp_prog to the old value. This avoids referencing
>> the orphaned prog that was copied to vport->xdp_prog in the soft reset
>> and prevents subsequent false positive by idpf_xdp_enabled().
>>
>> Update the restart check in idpf_xsk_pool_setup() to use IDPF_VPORT_UP bit
>> instead of netif_running(). The idpf_vport_stop/start() calls will not
>> update the __LINK_STATE_START bit, making this test a false positive
>> should the soft reset fail.
>>
>> Fixes: 3d57b2c00f09 ("idpf: add XSk pool initialization")
>> Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
>> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
>> ---
>>   drivers/net/ethernet/intel/idpf/xdp.c | 7 ++++++-
>>   drivers/net/ethernet/intel/idpf/xsk.c | 4 +++-
>>   2 files changed, 9 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/ethernet/intel/idpf/xdp.c b/drivers/net/ethernet/intel/idpf/xdp.c
>> index cbccd4546768..b670f0ea20b3 100644
>> --- a/drivers/net/ethernet/intel/idpf/xdp.c
>> +++ b/drivers/net/ethernet/intel/idpf/xdp.c
>> @@ -488,12 +488,17 @@ static int idpf_xdp_setup_prog(struct idpf_vport *vport,
>>   				   "Could not reopen the vport after XDP setup");
>>   
>>   		cfg->user_config.xdp_prog = old;
>> -		old = prog;
>> +		vport->xdp_prog = old;
> 
> You could just add 1 line here:
> 
>   		cfg->user_config.xdp_prog = old;
> +		vport->xdp_prog = old;
>   		old = prog;
> 
> And it would behave the same.

Good catch. Will clean it up in v2.

> 
>> +		if (prog)
>> +			bpf_prog_put(prog);
>> +
>> +		goto out;
>>   	}
>>   
>>   	if (old)
>>   		bpf_prog_put(old);
>>   
>> +out:
>>   	libeth_xdp_set_redirect(vport->netdev, vport->xdp_prog);
>>   
>>   	return ret;
>> diff --git a/drivers/net/ethernet/intel/idpf/xsk.c b/drivers/net/ethernet/intel/idpf/xsk.c
>> index d95d3efdfd36..b601b6c298c7 100644
>> --- a/drivers/net/ethernet/intel/idpf/xsk.c
>> +++ b/drivers/net/ethernet/intel/idpf/xsk.c
>> @@ -553,6 +553,7 @@ int idpf_xskrq_poll(struct idpf_rx_queue *rxq, u32 budget)
>>   
>>   int idpf_xsk_pool_setup(struct idpf_vport *vport, struct netdev_bpf *bpf)
>>   {
>> +	const struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
>>   	struct xsk_buff_pool *pool = bpf->xsk.pool;
>>   	u32 qid = bpf->xsk.queue_id;
>>   	bool restart;
>> @@ -568,7 +569,8 @@ int idpf_xsk_pool_setup(struct idpf_vport *vport, struct netdev_bpf *bpf)
>>   		return -EINVAL;
>>   	}
>>   
>> -	restart = idpf_xdp_enabled(vport) && netif_running(vport->netdev);
>> +	restart = idpf_xdp_enabled(vport) &&
>> +	       test_bit(IDPF_VPORT_UP, np->state);
> 
> The indentation is messed up, should be:
> 
> 	restart = idpf_xdp_enabled(vport) &&
> 		  test_bit(IDPF_VPORT_UP, np->state);
> 
> (two tabs + 2 spaces)

Yeah, will resolve in v2.

Thanks,
Emil

> 
>>   	if (!restart)
>>   		goto pool;
> 
> Thanks,
> Olek

     prev parent reply	other threads:[~2026-03-19 21:47 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-18  1:15 [PATCH iwl-net] idpf: fix xdp crash in soft reset error path Emil Tantilov
2026-03-18 16:40 ` Alexander Lobakin
2026-03-19 21:47   ` Tantilov, Emil S [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7bb04cd3-b787-455a-a989-50e3805e8c5b@intel.com \
    --to=emil.s.tantilov@intel.com \
    --cc=aleksander.lobakin@intel.com \
    --cc=aleksandr.loktionov@intel.com \
    --cc=andrew+netdev@lunn.ch \
    --cc=anthony.l.nguyen@intel.com \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=decot@google.com \
    --cc=edumazet@google.com \
    --cc=hawk@kernel.org \
    --cc=intel-wired-lan@lists.osuosl.org \
    --cc=john.fastabend@gmail.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=przemyslaw.kitszel@intel.com \
    --cc=sdf@fomichev.me \
    --cc=willemb@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox