[PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length

[PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length

[Kohei Enju]

When changing RX queue length via 'ethtool -G $DEV rx $NUM', a WARNING
indicates the driver missed unregistering xdp_rxq_info [1], and then
NULL pointer dereference panics the kernel. [2]

The following sequence in ice_set_ringparam() triggers this bug.
1. Allocate new rx_rings
2. rx_rings[i] = *vsi->rx_rings[i];
3. ice_down() unregisters vsi->rx_rings[i]->xdp_rxq
4. ice_up() registers rx_ring[i]->xdp_rxq
   a. __xdp_rxq_info_reg() sees the copied state REG_STATE_REGISTERED
      and calls xdp_rxq_info_unreg() to fix it [1]
   b. xdp_unreg_mem_model() looks up the stale mem.id in rhashtable,
      which was already removed in step 3, causing NULL dereference [2]

The root cause is that struct copying includes xdp_rxq_info which
contains registration state that should not be duplicated.

Fix by clearing xdp_rxq_info after copying the ring so it starts with
REG_STATE_NEW instead of the stale REG_STATE_REGISTERED.

[1]
 Missing unregister, handled but fix driver
 WARNING: net/core/xdp.c:182 at __xdp_rxq_info_reg+0x89/0x150, CPU#4: ethtool/1105
 [...]
 RIP: 0010:__xdp_rxq_info_reg+0x89/0x150
 [...]
 Call Trace:
  <TASK>
  ice_queue_mem_alloc+0x159/0x240
  ice_vsi_cfg_rxq+0xc3/0x160
  ice_vsi_cfg_rxqs+0x4f/0x70
  ice_up+0xd/0x20
  ice_set_ringparam+0x34f/0x4e0

[2]
 BUG: kernel NULL pointer dereference, address: 0000000000000008
 [...]
 RIP: 0010:xdp_unreg_mem_model+0x113/0x340
 [...]
 Call Trace:
  <TASK>
  __xdp_rxq_info_reg+0xfd/0x150
  ice_queue_mem_alloc+0x159/0x240
  ice_vsi_cfg_rxq+0xc3/0x160
  ice_vsi_cfg_rxqs+0x4f/0x70
  ice_up+0xd/0x20
  ice_set_ringparam+0x34f/0x4e0

Fixes: 111a8e2be488 ("ice: implement Rx queue management ops")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
---
I see the Fixes: commit exists in only tnguy/next-queue.git, so I'm
sending this patch to iwl-next, not iwl-net.

Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously, so
the commit hash will be stale soon, and I don't know how to handle this.

I'd appreciate it if iwl-folks know the way to handle it. Thanks!
---
 drivers/net/ethernet/intel/ice/ice_ethtool.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
index ddd252fb1124..e4c286a22ff5 100644
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -3338,6 +3338,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
 		rx_rings[i].cached_phctime = pf->ptp.cached_phc_time;
 		rx_rings[i].desc = NULL;
 		rx_rings[i].xdp_buf = NULL;
+		memset(&rx_rings[i].xdp_rxq, 0, sizeof(rx_rings[i].xdp_rxq));
 
 		/* this is to allow wr32 to have something to write to
 		 * during early allocation of Rx buffers
-- 
2.51.0

RE: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length

[Loktionov, Aleksandr]

> -----Original Message-----
> From: Kohei Enju <kohei@enjuk.jp>
> Sent: Monday, February 2, 2026 5:17 PM
> To: intel-wired-lan@lists.osuosl.org; netdev@vger.kernel.org
> Cc: Nguyen, Anthony L <anthony.l.nguyen@intel.com>; Kitszel,
> Przemyslaw <przemyslaw.kitszel@intel.com>; Andrew Lunn
> <andrew+netdev@lunn.ch>; David S. Miller <davem@davemloft.net>; Eric
> Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo
> Abeni <pabeni@redhat.com>; Loktionov, Aleksandr
> <aleksandr.loktionov@intel.com>; Keller, Jacob E
> <jacob.e.keller@intel.com>; Lobakin, Aleksander
> <aleksander.lobakin@intel.com>; kohei.enju@gmail.com; Kohei Enju
> <kohei@enjuk.jp>
> Subject: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when
> changing RX queue length
> 
> When changing RX queue length via 'ethtool -G $DEV rx $NUM', a WARNING
> indicates the driver missed unregistering xdp_rxq_info [1], and then
> NULL pointer dereference panics the kernel. [2]
> 
> The following sequence in ice_set_ringparam() triggers this bug.
> 1. Allocate new rx_rings
> 2. rx_rings[i] = *vsi->rx_rings[i];
> 3. ice_down() unregisters vsi->rx_rings[i]->xdp_rxq 4. ice_up()
> registers rx_ring[i]->xdp_rxq
>    a. __xdp_rxq_info_reg() sees the copied state REG_STATE_REGISTERED
>       and calls xdp_rxq_info_unreg() to fix it [1]
>    b. xdp_unreg_mem_model() looks up the stale mem.id in rhashtable,
>       which was already removed in step 3, causing NULL dereference
> [2]
> 
> The root cause is that struct copying includes xdp_rxq_info which
> contains registration state that should not be duplicated.
> 
> Fix by clearing xdp_rxq_info after copying the ring so it starts with
> REG_STATE_NEW instead of the stale REG_STATE_REGISTERED.
> 
> [1]
>  Missing unregister, handled but fix driver
>  WARNING: net/core/xdp.c:182 at __xdp_rxq_info_reg+0x89/0x150, CPU#4:
> ethtool/1105  [...]
>  RIP: 0010:__xdp_rxq_info_reg+0x89/0x150
>  [...]
>  Call Trace:
>   <TASK>
>   ice_queue_mem_alloc+0x159/0x240
>   ice_vsi_cfg_rxq+0xc3/0x160
>   ice_vsi_cfg_rxqs+0x4f/0x70
>   ice_up+0xd/0x20
>   ice_set_ringparam+0x34f/0x4e0
> 
> [2]
>  BUG: kernel NULL pointer dereference, address: 0000000000000008
> [...]
>  RIP: 0010:xdp_unreg_mem_model+0x113/0x340
>  [...]
>  Call Trace:
>   <TASK>
>   __xdp_rxq_info_reg+0xfd/0x150
>   ice_queue_mem_alloc+0x159/0x240
>   ice_vsi_cfg_rxq+0xc3/0x160
>   ice_vsi_cfg_rxqs+0x4f/0x70
>   ice_up+0xd/0x20
>   ice_set_ringparam+0x34f/0x4e0
> 
> Fixes: 111a8e2be488 ("ice: implement Rx queue management ops")
> Signed-off-by: Kohei Enju <kohei@enjuk.jp>
> ---
> I see the Fixes: commit exists in only tnguy/next-queue.git, so I'm
> sending this patch to iwl-next, not iwl-net.
> 
> Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously,
> so the commit hash will be stale soon, and I don't know how to handle
> this.
> 
> I'd appreciate it if iwl-folks know the way to handle it. Thanks!
> ---
>  drivers/net/ethernet/intel/ice/ice_ethtool.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c
> b/drivers/net/ethernet/intel/ice/ice_ethtool.c
> index ddd252fb1124..e4c286a22ff5 100644
> --- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
> +++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
> @@ -3338,6 +3338,7 @@ ice_set_ringparam(struct net_device *netdev,
> struct ethtool_ringparam *ring,
>  		rx_rings[i].cached_phctime = pf->ptp.cached_phc_time;
>  		rx_rings[i].desc = NULL;
>  		rx_rings[i].xdp_buf = NULL;
> +		memset(&rx_rings[i].xdp_rxq, 0,
> sizeof(rx_rings[i].xdp_rxq));
> 
>  		/* this is to allow wr32 to have something to write to
>  		 * during early allocation of Rx buffers
> --
> 2.51.0

Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>

Re: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length

[Jacob Keller]

On 2/2/2026 8:17 AM, Kohei Enju wrote:
> When changing RX queue length via 'ethtool -G $DEV rx $NUM', a WARNING
> indicates the driver missed unregistering xdp_rxq_info [1], and then
> NULL pointer dereference panics the kernel. [2]
> 
> The following sequence in ice_set_ringparam() triggers this bug.
> 1. Allocate new rx_rings
> 2. rx_rings[i] = *vsi->rx_rings[i];
> 3. ice_down() unregisters vsi->rx_rings[i]->xdp_rxq
> 4. ice_up() registers rx_ring[i]->xdp_rxq
>     a. __xdp_rxq_info_reg() sees the copied state REG_STATE_REGISTERED
>        and calls xdp_rxq_info_unreg() to fix it [1]
>     b. xdp_unreg_mem_model() looks up the stale mem.id in rhashtable,
>        which was already removed in step 3, causing NULL dereference [2]
> 
> The root cause is that struct copying includes xdp_rxq_info which
> contains registration state that should not be duplicated.
> 
> Fix by clearing xdp_rxq_info after copying the ring so it starts with
> REG_STATE_NEW instead of the stale REG_STATE_REGISTERED.
> 
> [1]
>   Missing unregister, handled but fix driver
>   WARNING: net/core/xdp.c:182 at __xdp_rxq_info_reg+0x89/0x150, CPU#4: ethtool/1105
>   [...]
>   RIP: 0010:__xdp_rxq_info_reg+0x89/0x150
>   [...]
>   Call Trace:
>    <TASK>
>    ice_queue_mem_alloc+0x159/0x240
>    ice_vsi_cfg_rxq+0xc3/0x160
>    ice_vsi_cfg_rxqs+0x4f/0x70
>    ice_up+0xd/0x20
>    ice_set_ringparam+0x34f/0x4e0
> 
> [2]
>   BUG: kernel NULL pointer dereference, address: 0000000000000008
>   [...]
>   RIP: 0010:xdp_unreg_mem_model+0x113/0x340
>   [...]
>   Call Trace:
>    <TASK>
>    __xdp_rxq_info_reg+0xfd/0x150
>    ice_queue_mem_alloc+0x159/0x240
>    ice_vsi_cfg_rxq+0xc3/0x160
>    ice_vsi_cfg_rxqs+0x4f/0x70
>    ice_up+0xd/0x20
>    ice_set_ringparam+0x34f/0x4e0
> 
> Fixes: 111a8e2be488 ("ice: implement Rx queue management ops")
> Signed-off-by: Kohei Enju <kohei@enjuk.jp>
> ---
> I see the Fixes: commit exists in only tnguy/next-queue.git, so I'm
> sending this patch to iwl-next, not iwl-net.
> 
> Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously, so
> the commit hash will be stale soon, and I don't know how to handle this.
> 

Yea. Including the full subject line should be sufficient for Tony to 
find this.

> I'd appreciate it if iwl-folks know the way to handle it. Thanks!

Ideally we can squash this in with the implementation patches and 
include your Co-developed-by and Signed-off-by tags if you would agree 
to that?

Re: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when

[Kohei Enju]

On Mon, 2 Feb 2026 16:31:39 -0800, Jacob Keller wrote:

> > I see the Fixes: commit exists in only tnguy/next-queue.git, so I'm
> > sending this patch to iwl-next, not iwl-net.
> > 
> > Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously, so
> > the commit hash will be stale soon, and I don't know how to handle this.
> > 
> 
> Yea. Including the full subject line should be sufficient for Tony to 
> find this.

I see :)

> 
> > I'd appreciate it if iwl-folks know the way to handle it. Thanks!
> 
> Ideally we can squash this in with the implementation patches and 
> include your Co-developed-by and Signed-off-by tags if you would agree 
> to that?

That sounds good, and I agree to do so.
If I need to take some actions, please let me know.

Re: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length

[Alexander Lobakin]

From: Kohei Enju <kohei@enjuk.jp>
Date: Mon,  2 Feb 2026 16:17:14 +0000

> When changing RX queue length via 'ethtool -G $DEV rx $NUM', a WARNING
> indicates the driver missed unregistering xdp_rxq_info [1], and then
> NULL pointer dereference panics the kernel. [2]
> 
> The following sequence in ice_set_ringparam() triggers this bug.
> 1. Allocate new rx_rings
> 2. rx_rings[i] = *vsi->rx_rings[i];
> 3. ice_down() unregisters vsi->rx_rings[i]->xdp_rxq
> 4. ice_up() registers rx_ring[i]->xdp_rxq
>    a. __xdp_rxq_info_reg() sees the copied state REG_STATE_REGISTERED
>       and calls xdp_rxq_info_unreg() to fix it [1]
>    b. xdp_unreg_mem_model() looks up the stale mem.id in rhashtable,
>       which was already removed in step 3, causing NULL dereference [2]
> 
> The root cause is that struct copying includes xdp_rxq_info which
> contains registration state that should not be duplicated.
> 
> Fix by clearing xdp_rxq_info after copying the ring so it starts with
> REG_STATE_NEW instead of the stale REG_STATE_REGISTERED.
> 
> [1]
>  Missing unregister, handled but fix driver
>  WARNING: net/core/xdp.c:182 at __xdp_rxq_info_reg+0x89/0x150, CPU#4: ethtool/1105
>  [...]
>  RIP: 0010:__xdp_rxq_info_reg+0x89/0x150
>  [...]
>  Call Trace:
>   <TASK>
>   ice_queue_mem_alloc+0x159/0x240
>   ice_vsi_cfg_rxq+0xc3/0x160
>   ice_vsi_cfg_rxqs+0x4f/0x70
>   ice_up+0xd/0x20
>   ice_set_ringparam+0x34f/0x4e0
> 
> [2]
>  BUG: kernel NULL pointer dereference, address: 0000000000000008
>  [...]
>  RIP: 0010:xdp_unreg_mem_model+0x113/0x340
>  [...]
>  Call Trace:
>   <TASK>
>   __xdp_rxq_info_reg+0xfd/0x150
>   ice_queue_mem_alloc+0x159/0x240
>   ice_vsi_cfg_rxq+0xc3/0x160
>   ice_vsi_cfg_rxqs+0x4f/0x70
>   ice_up+0xd/0x20
>   ice_set_ringparam+0x34f/0x4e0
> 
> Fixes: 111a8e2be488 ("ice: implement Rx queue management ops")
> Signed-off-by: Kohei Enju <kohei@enjuk.jp>
> ---
> I see the Fixes: commit exists in only tnguy/next-queue.git, so I'm
> sending this patch to iwl-next, not iwl-net.
> 
> Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously, so
> the commit hash will be stale soon, and I don't know how to handle this.
> 
> I'd appreciate it if iwl-folks know the way to handle it. Thanks!
I either way need to respin the series once the window opens, I'll take
your fix into the series with the appropriate credits. Thanks!

Olek

Re: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when

[Kohei Enju]

On Wed, 4 Feb 2026 12:52:19 +0100, Alexander Lobakin wrote:

> > Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously, so
> > the commit hash will be stale soon, and I don't know how to handle this.
> > 
> > I'd appreciate it if iwl-folks know the way to handle it. Thanks!
> I either way need to respin the series once the window opens, I'll take
> your fix into the series with the appropriate credits. Thanks!
> 
> Olek

Hi Olek, acknowledged.
Thank you for taking a look!

Kohei