[PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length
@ 2026-02-02 16:17 Kohei Enju
  2026-02-02 16:28 ` Loktionov, Aleksandr
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Kohei Enju @ 2026-02-02 16:17 UTC (permalink / raw)
  To: intel-wired-lan, netdev
  Cc: Tony Nguyen, Przemek Kitszel, Andrew Lunn, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Aleksandr Loktionov,
	Jacob Keller, Alexander Lobakin, kohei.enju, Kohei Enju

When changing RX queue length via 'ethtool -G $DEV rx $NUM', a WARNING
indicates the driver missed unregistering xdp_rxq_info [1], and then
NULL pointer dereference panics the kernel. [2]

The following sequence in ice_set_ringparam() triggers this bug.
1. Allocate new rx_rings
2. rx_rings[i] = *vsi->rx_rings[i];
3. ice_down() unregisters vsi->rx_rings[i]->xdp_rxq
4. ice_up() registers rx_ring[i]->xdp_rxq
   a. __xdp_rxq_info_reg() sees the copied state REG_STATE_REGISTERED
      and calls xdp_rxq_info_unreg() to fix it [1]
   b. xdp_unreg_mem_model() looks up the stale mem.id in rhashtable,
      which was already removed in step 3, causing NULL dereference [2]

The root cause is that struct copying includes xdp_rxq_info which
contains registration state that should not be duplicated.

Fix by clearing xdp_rxq_info after copying the ring so it starts with
REG_STATE_NEW instead of the stale REG_STATE_REGISTERED.

[1]
 Missing unregister, handled but fix driver
 WARNING: net/core/xdp.c:182 at __xdp_rxq_info_reg+0x89/0x150, CPU#4: ethtool/1105
 [...]
 RIP: 0010:__xdp_rxq_info_reg+0x89/0x150
 [...]
 Call Trace:
  <TASK>
  ice_queue_mem_alloc+0x159/0x240
  ice_vsi_cfg_rxq+0xc3/0x160
  ice_vsi_cfg_rxqs+0x4f/0x70
  ice_up+0xd/0x20
  ice_set_ringparam+0x34f/0x4e0

[2]
 BUG: kernel NULL pointer dereference, address: 0000000000000008
 [...]
 RIP: 0010:xdp_unreg_mem_model+0x113/0x340
 [...]
 Call Trace:
  <TASK>
  __xdp_rxq_info_reg+0xfd/0x150
  ice_queue_mem_alloc+0x159/0x240
  ice_vsi_cfg_rxq+0xc3/0x160
  ice_vsi_cfg_rxqs+0x4f/0x70
  ice_up+0xd/0x20
  ice_set_ringparam+0x34f/0x4e0

Fixes: 111a8e2be488 ("ice: implement Rx queue management ops")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
---
I see the Fixes: commit exists in only tnguy/next-queue.git, so I'm
sending this patch to iwl-next, not iwl-net.

Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously, so
the commit hash will be stale soon, and I don't know how to handle this.

I'd appreciate it if iwl-folks know the way to handle it. Thanks!
---
 drivers/net/ethernet/intel/ice/ice_ethtool.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
index ddd252fb1124..e4c286a22ff5 100644
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -3338,6 +3338,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
 		rx_rings[i].cached_phctime = pf->ptp.cached_phc_time;
 		rx_rings[i].desc = NULL;
 		rx_rings[i].xdp_buf = NULL;
+		memset(&rx_rings[i].xdp_rxq, 0, sizeof(rx_rings[i].xdp_rxq));
 
 		/* this is to allow wr32 to have something to write to
 		 * during early allocation of Rx buffers
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* RE: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length
  2026-02-02 16:17 [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length Kohei Enju
@ 2026-02-02 16:28 ` Loktionov, Aleksandr
  2026-02-03  0:31 ` Jacob Keller
  2026-02-04 11:52 ` [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length Alexander Lobakin
  2 siblings, 0 replies; 6+ messages in thread
From: Loktionov, Aleksandr @ 2026-02-02 16:28 UTC (permalink / raw)
  To: Kohei Enju, intel-wired-lan@lists.osuosl.org,
	netdev@vger.kernel.org
  Cc: Nguyen, Anthony L, Kitszel, Przemyslaw, Andrew Lunn,
	David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Keller, Jacob E, Lobakin, Aleksander, kohei.enju@gmail.com



> -----Original Message-----
> From: Kohei Enju <kohei@enjuk.jp>
> Sent: Monday, February 2, 2026 5:17 PM
> To: intel-wired-lan@lists.osuosl.org; netdev@vger.kernel.org
> Cc: Nguyen, Anthony L <anthony.l.nguyen@intel.com>; Kitszel,
> Przemyslaw <przemyslaw.kitszel@intel.com>; Andrew Lunn
> <andrew+netdev@lunn.ch>; David S. Miller <davem@davemloft.net>; Eric
> Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo
> Abeni <pabeni@redhat.com>; Loktionov, Aleksandr
> <aleksandr.loktionov@intel.com>; Keller, Jacob E
> <jacob.e.keller@intel.com>; Lobakin, Aleksander
> <aleksander.lobakin@intel.com>; kohei.enju@gmail.com; Kohei Enju
> <kohei@enjuk.jp>
> Subject: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when
> changing RX queue length
> 
> When changing RX queue length via 'ethtool -G $DEV rx $NUM', a WARNING
> indicates the driver missed unregistering xdp_rxq_info [1], and then
> NULL pointer dereference panics the kernel. [2]
> 
> The following sequence in ice_set_ringparam() triggers this bug.
> 1. Allocate new rx_rings
> 2. rx_rings[i] = *vsi->rx_rings[i];
> 3. ice_down() unregisters vsi->rx_rings[i]->xdp_rxq 4. ice_up()
> registers rx_ring[i]->xdp_rxq
>    a. __xdp_rxq_info_reg() sees the copied state REG_STATE_REGISTERED
>       and calls xdp_rxq_info_unreg() to fix it [1]
>    b. xdp_unreg_mem_model() looks up the stale mem.id in rhashtable,
>       which was already removed in step 3, causing NULL dereference
> [2]
> 
> The root cause is that struct copying includes xdp_rxq_info which
> contains registration state that should not be duplicated.
> 
> Fix by clearing xdp_rxq_info after copying the ring so it starts with
> REG_STATE_NEW instead of the stale REG_STATE_REGISTERED.
> 
> [1]
>  Missing unregister, handled but fix driver
>  WARNING: net/core/xdp.c:182 at __xdp_rxq_info_reg+0x89/0x150, CPU#4:
> ethtool/1105  [...]
>  RIP: 0010:__xdp_rxq_info_reg+0x89/0x150
>  [...]
>  Call Trace:
>   <TASK>
>   ice_queue_mem_alloc+0x159/0x240
>   ice_vsi_cfg_rxq+0xc3/0x160
>   ice_vsi_cfg_rxqs+0x4f/0x70
>   ice_up+0xd/0x20
>   ice_set_ringparam+0x34f/0x4e0
> 
> [2]
>  BUG: kernel NULL pointer dereference, address: 0000000000000008
> [...]
>  RIP: 0010:xdp_unreg_mem_model+0x113/0x340
>  [...]
>  Call Trace:
>   <TASK>
>   __xdp_rxq_info_reg+0xfd/0x150
>   ice_queue_mem_alloc+0x159/0x240
>   ice_vsi_cfg_rxq+0xc3/0x160
>   ice_vsi_cfg_rxqs+0x4f/0x70
>   ice_up+0xd/0x20
>   ice_set_ringparam+0x34f/0x4e0
> 
> Fixes: 111a8e2be488 ("ice: implement Rx queue management ops")
> Signed-off-by: Kohei Enju <kohei@enjuk.jp>
> ---
> I see the Fixes: commit exists in only tnguy/next-queue.git, so I'm
> sending this patch to iwl-next, not iwl-net.
> 
> Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously,
> so the commit hash will be stale soon, and I don't know how to handle
> this.
> 
> I'd appreciate it if iwl-folks know the way to handle it. Thanks!
> ---
>  drivers/net/ethernet/intel/ice/ice_ethtool.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c
> b/drivers/net/ethernet/intel/ice/ice_ethtool.c
> index ddd252fb1124..e4c286a22ff5 100644
> --- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
> +++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
> @@ -3338,6 +3338,7 @@ ice_set_ringparam(struct net_device *netdev,
> struct ethtool_ringparam *ring,
>  		rx_rings[i].cached_phctime = pf->ptp.cached_phc_time;
>  		rx_rings[i].desc = NULL;
>  		rx_rings[i].xdp_buf = NULL;
> +		memset(&rx_rings[i].xdp_rxq, 0,
> sizeof(rx_rings[i].xdp_rxq));
> 
>  		/* this is to allow wr32 to have something to write to
>  		 * during early allocation of Rx buffers
> --
> 2.51.0

Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length
  2026-02-02 16:17 [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length Kohei Enju
  2026-02-02 16:28 ` Loktionov, Aleksandr
@ 2026-02-03  0:31 ` Jacob Keller
  2026-02-03  3:23   ` [PATCH v1 iwl-next] ice: fix NULL pointer dereference when Kohei Enju
  2026-02-04 11:52 ` [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length Alexander Lobakin
  2 siblings, 1 reply; 6+ messages in thread
From: Jacob Keller @ 2026-02-03  0:31 UTC (permalink / raw)
  To: Kohei Enju, intel-wired-lan, netdev
  Cc: Tony Nguyen, Przemek Kitszel, Andrew Lunn, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Aleksandr Loktionov,
	Alexander Lobakin, kohei.enju



On 2/2/2026 8:17 AM, Kohei Enju wrote:
> When changing RX queue length via 'ethtool -G $DEV rx $NUM', a WARNING
> indicates the driver missed unregistering xdp_rxq_info [1], and then
> NULL pointer dereference panics the kernel. [2]
> 
> The following sequence in ice_set_ringparam() triggers this bug.
> 1. Allocate new rx_rings
> 2. rx_rings[i] = *vsi->rx_rings[i];
> 3. ice_down() unregisters vsi->rx_rings[i]->xdp_rxq
> 4. ice_up() registers rx_ring[i]->xdp_rxq
>     a. __xdp_rxq_info_reg() sees the copied state REG_STATE_REGISTERED
>        and calls xdp_rxq_info_unreg() to fix it [1]
>     b. xdp_unreg_mem_model() looks up the stale mem.id in rhashtable,
>        which was already removed in step 3, causing NULL dereference [2]
> 
> The root cause is that struct copying includes xdp_rxq_info which
> contains registration state that should not be duplicated.
> 
> Fix by clearing xdp_rxq_info after copying the ring so it starts with
> REG_STATE_NEW instead of the stale REG_STATE_REGISTERED.
> 
> [1]
>   Missing unregister, handled but fix driver
>   WARNING: net/core/xdp.c:182 at __xdp_rxq_info_reg+0x89/0x150, CPU#4: ethtool/1105
>   [...]
>   RIP: 0010:__xdp_rxq_info_reg+0x89/0x150
>   [...]
>   Call Trace:
>    <TASK>
>    ice_queue_mem_alloc+0x159/0x240
>    ice_vsi_cfg_rxq+0xc3/0x160
>    ice_vsi_cfg_rxqs+0x4f/0x70
>    ice_up+0xd/0x20
>    ice_set_ringparam+0x34f/0x4e0
> 
> [2]
>   BUG: kernel NULL pointer dereference, address: 0000000000000008
>   [...]
>   RIP: 0010:xdp_unreg_mem_model+0x113/0x340
>   [...]
>   Call Trace:
>    <TASK>
>    __xdp_rxq_info_reg+0xfd/0x150
>    ice_queue_mem_alloc+0x159/0x240
>    ice_vsi_cfg_rxq+0xc3/0x160
>    ice_vsi_cfg_rxqs+0x4f/0x70
>    ice_up+0xd/0x20
>    ice_set_ringparam+0x34f/0x4e0
> 
> Fixes: 111a8e2be488 ("ice: implement Rx queue management ops")
> Signed-off-by: Kohei Enju <kohei@enjuk.jp>
> ---
> I see the Fixes: commit exists in only tnguy/next-queue.git, so I'm
> sending this patch to iwl-next, not iwl-net.
> 
> Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously, so
> the commit hash will be stale soon, and I don't know how to handle this.
> 

Yea. Including the full subject line should be sufficient for Tony to 
find this.

> I'd appreciate it if iwl-folks know the way to handle it. Thanks!

Ideally we can squash this in with the implementation patches and 
include your Co-developed-by and Signed-off-by tags if you would agree 
to that?

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when
  2026-02-03  0:31 ` Jacob Keller
@ 2026-02-03  3:23   ` Kohei Enju
  0 siblings, 0 replies; 6+ messages in thread
From: Kohei Enju @ 2026-02-03  3:23 UTC (permalink / raw)
  To: jacob.e.keller
  Cc: aleksander.lobakin, aleksandr.loktionov, andrew+netdev,
	anthony.l.nguyen, davem, edumazet, intel-wired-lan, kohei.enju,
	kohei, kuba, netdev, pabeni, przemyslaw.kitszel

On Mon, 2 Feb 2026 16:31:39 -0800, Jacob Keller wrote:

> > I see the Fixes: commit exists in only tnguy/next-queue.git, so I'm
> > sending this patch to iwl-next, not iwl-net.
> > 
> > Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously, so
> > the commit hash will be stale soon, and I don't know how to handle this.
> > 
> 
> Yea. Including the full subject line should be sufficient for Tony to 
> find this.

I see :)

> 
> > I'd appreciate it if iwl-folks know the way to handle it. Thanks!
> 
> Ideally we can squash this in with the implementation patches and 
> include your Co-developed-by and Signed-off-by tags if you would agree 
> to that?

That sounds good, and I agree to do so.
If I need to take some actions, please let me know.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length
  2026-02-02 16:17 [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length Kohei Enju
  2026-02-02 16:28 ` Loktionov, Aleksandr
  2026-02-03  0:31 ` Jacob Keller
@ 2026-02-04 11:52 ` Alexander Lobakin
  2026-02-04 13:06   ` [PATCH v1 iwl-next] ice: fix NULL pointer dereference when Kohei Enju
  2 siblings, 1 reply; 6+ messages in thread
From: Alexander Lobakin @ 2026-02-04 11:52 UTC (permalink / raw)
  To: Kohei Enju
  Cc: intel-wired-lan, netdev, Tony Nguyen, Przemek Kitszel,
	Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Aleksandr Loktionov, Jacob Keller, kohei.enju

From: Kohei Enju <kohei@enjuk.jp>
Date: Mon,  2 Feb 2026 16:17:14 +0000

> When changing RX queue length via 'ethtool -G $DEV rx $NUM', a WARNING
> indicates the driver missed unregistering xdp_rxq_info [1], and then
> NULL pointer dereference panics the kernel. [2]
> 
> The following sequence in ice_set_ringparam() triggers this bug.
> 1. Allocate new rx_rings
> 2. rx_rings[i] = *vsi->rx_rings[i];
> 3. ice_down() unregisters vsi->rx_rings[i]->xdp_rxq
> 4. ice_up() registers rx_ring[i]->xdp_rxq
>    a. __xdp_rxq_info_reg() sees the copied state REG_STATE_REGISTERED
>       and calls xdp_rxq_info_unreg() to fix it [1]
>    b. xdp_unreg_mem_model() looks up the stale mem.id in rhashtable,
>       which was already removed in step 3, causing NULL dereference [2]
> 
> The root cause is that struct copying includes xdp_rxq_info which
> contains registration state that should not be duplicated.
> 
> Fix by clearing xdp_rxq_info after copying the ring so it starts with
> REG_STATE_NEW instead of the stale REG_STATE_REGISTERED.
> 
> [1]
>  Missing unregister, handled but fix driver
>  WARNING: net/core/xdp.c:182 at __xdp_rxq_info_reg+0x89/0x150, CPU#4: ethtool/1105
>  [...]
>  RIP: 0010:__xdp_rxq_info_reg+0x89/0x150
>  [...]
>  Call Trace:
>   <TASK>
>   ice_queue_mem_alloc+0x159/0x240
>   ice_vsi_cfg_rxq+0xc3/0x160
>   ice_vsi_cfg_rxqs+0x4f/0x70
>   ice_up+0xd/0x20
>   ice_set_ringparam+0x34f/0x4e0
> 
> [2]
>  BUG: kernel NULL pointer dereference, address: 0000000000000008
>  [...]
>  RIP: 0010:xdp_unreg_mem_model+0x113/0x340
>  [...]
>  Call Trace:
>   <TASK>
>   __xdp_rxq_info_reg+0xfd/0x150
>   ice_queue_mem_alloc+0x159/0x240
>   ice_vsi_cfg_rxq+0xc3/0x160
>   ice_vsi_cfg_rxqs+0x4f/0x70
>   ice_up+0xd/0x20
>   ice_set_ringparam+0x34f/0x4e0
> 
> Fixes: 111a8e2be488 ("ice: implement Rx queue management ops")
> Signed-off-by: Kohei Enju <kohei@enjuk.jp>
> ---
> I see the Fixes: commit exists in only tnguy/next-queue.git, so I'm
> sending this patch to iwl-next, not iwl-net.
> 
> Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously, so
> the commit hash will be stale soon, and I don't know how to handle this.
> 
> I'd appreciate it if iwl-folks know the way to handle it. Thanks!
I either way need to respin the series once the window opens, I'll take
your fix into the series with the appropriate credits. Thanks!

Olek

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1 iwl-next] ice: fix NULL pointer dereference when
  2026-02-04 11:52 ` [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length Alexander Lobakin
@ 2026-02-04 13:06   ` Kohei Enju
  0 siblings, 0 replies; 6+ messages in thread
From: Kohei Enju @ 2026-02-04 13:06 UTC (permalink / raw)
  To: aleksander.lobakin
  Cc: aleksandr.loktionov, andrew+netdev, anthony.l.nguyen, davem,
	edumazet, intel-wired-lan, jacob.e.keller, kohei.enju, kohei,
	kuba, netdev, pabeni, przemyslaw.kitszel

On Wed, 4 Feb 2026 12:52:19 +0100, Alexander Lobakin wrote:

> > Also IIUC dev-queue in tnguy/next-queue.git is rebased continuously, so
> > the commit hash will be stale soon, and I don't know how to handle this.
> > 
> > I'd appreciate it if iwl-folks know the way to handle it. Thanks!
> I either way need to respin the series once the window opens, I'll take
> your fix into the series with the appropriate credits. Thanks!
> 
> Olek

Hi Olek, acknowledged.
Thank you for taking a look!

Kohei

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-02-04 13:06 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-02 16:17 [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length Kohei Enju
2026-02-02 16:28 ` Loktionov, Aleksandr
2026-02-03  0:31 ` Jacob Keller
2026-02-03  3:23   ` [PATCH v1 iwl-next] ice: fix NULL pointer dereference when Kohei Enju
2026-02-04 11:52 ` [PATCH v1 iwl-next] ice: fix NULL pointer dereference when changing RX queue length Alexander Lobakin
2026-02-04 13:06   ` [PATCH v1 iwl-next] ice: fix NULL pointer dereference when Kohei Enju

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox