* [PATCH net v2 03/12] ice: fix double free in ice_sf_eth_activate() error path
2026-04-17 0:53 [PATCH net v2 00/12] Intel Wired LAN Driver Updates 2026-04-14 (ice, i40e, iavf, idpf, e1000e) Jacob Keller
@ 2026-04-17 0:53 ` Jacob Keller
2026-04-17 0:53 ` [PATCH net v2 11/12] idpf: fix xdp crash in soft reset " Jacob Keller
2026-04-18 19:10 ` [PATCH net v2 00/12] Intel Wired LAN Driver Updates 2026-04-14 (ice, i40e, iavf, idpf, e1000e) patchwork-bot+netdevbpf
2 siblings, 0 replies; 7+ messages in thread
From: Jacob Keller @ 2026-04-17 0:53 UTC (permalink / raw)
To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni
Cc: netdev, Jacob Keller, Guangshuo Li, stable, Aleksandr Loktionov,
Simon Horman
From: Guangshuo Li <lgs201920130244@gmail.com>

When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to
aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).
The device release callback ice_sf_dev_release() frees sf_dev, but
the current error path falls through to sf_dev_free and calls
kfree(sf_dev) again, causing a double free.

Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but
avoid falling through to sf_dev_free after auxiliary_device_uninit().

Fixes: 13acc5c4cdbe ("ice: subfunction activation and base devlink ops")
Cc: stable@vger.kernel.org
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
---
drivers/net/ethernet/intel/ice/ice_sf_eth.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/intel/ice/ice_sf_eth.c b/drivers/net/ethernet/intel/ice/ice_sf_eth.c
index 2cf04bc6edce..a730aa368c92 100644
--- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c
+++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c
@@ -305,6 +305,8 @@ ice_sf_eth_activate(struct ice_dynamic_port *dyn_port,
aux_dev_uninit:
auxiliary_device_uninit(&sf_dev->adev);
+ return err;
+
sf_dev_free:
kfree(sf_dev);
xa_erase:
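Review bot: the added `return err;` after auxiliary_device_uninit() skips the xa_erase: label as well as sf_dev_free:, while the commit message only accounts for the kfree(sf_dev). Please confirm that ice_sf_dev_release() also undoes whatever xa_erase: cleans up and say so in a one-line comment above the return; if it does not, this path needs `goto xa_erase;` rather than a plain return.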
--
2.54.0.rc2.531.gaf818d63126a
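The ownership rule described in the commit message above, as an added userspace model (not code from the ice driver or from the patch author). The model_* names, the fail_at enum and the free counter are hypothetical stand-ins; the model assumes, as the commit message states, that the release callback frees the object once uninit drops the last reference.

```c
/* Constructed userspace model; every name is a hypothetical stand-in. */
#include <stdio.h>
struct model_dev {
	int refs;                            /* stand-in for the device refcount */
	void (*release)(struct model_dev *); /* runs when the last ref drops */
	int frees;                           /* times the owner was "freed" */
};

/* Record a kfree() instead of freeing, so a double free is countable. */
static void model_free(struct model_dev *d) { d->frees++; }
static void model_release(struct model_dev *d) { model_free(d); }

/* Like auxiliary_device_init(): on success, release() owns the object. */
static int model_init(struct model_dev *d, int fail)
{
	if (fail)
		return -1;
	d->refs = 1;
	d->release = model_release;
	return 0;
}

/* Like auxiliary_device_uninit(): drop the ref; the last put calls release(). */
static void model_uninit(struct model_dev *d)
{
	if (--d->refs == 0)
		d->release(d);
}

enum fail_at { FAIL_NONE, FAIL_INIT, FAIL_ADD };
/* Returns how many times the object was freed on the chosen path. */
static int activate(enum fail_at where, int patched)
{
	struct model_dev d = { 0 };
	if (model_init(&d, where == FAIL_INIT))
		goto dev_free;            /* release() not armed: caller frees */
	if (where == FAIL_ADD)            /* models auxiliary_device_add() failing */
		goto dev_uninit;
	return d.frees;                   /* success: object stays alive */
dev_uninit:
	model_uninit(&d);                 /* release() frees the object here */
	if (patched)
		return d.frees;           /* the fix: no fall-through */
dev_free:
	model_free(&d);
	return d.frees;
}

int main(void)
{
	printf("add fails: unpatched=%d patched=%d; init fails: %d\n",
	       activate(FAIL_ADD, 0), activate(FAIL_ADD, 1), activate(FAIL_INIT, 1));
	return 0;
}
```
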
* [PATCH net v2 11/12] idpf: fix xdp crash in soft reset error path
2026-04-17 0:53 [PATCH net v2 00/12] Intel Wired LAN Driver Updates 2026-04-14 (ice, i40e, iavf, idpf, e1000e) Jacob Keller
2026-04-17 0:53 ` [PATCH net v2 03/12] ice: fix double free in ice_sf_eth_activate() error path Jacob Keller
@ 2026-04-17 0:53 ` Jacob Keller
2026-04-18 19:00 ` Jakub Kicinski
2026-04-18 19:10 ` [PATCH net v2 00/12] Intel Wired LAN Driver Updates 2026-04-14 (ice, i40e, iavf, idpf, e1000e) patchwork-bot+netdevbpf
2 siblings, 1 reply; 7+ messages in thread
From: Jacob Keller @ 2026-04-17 0:53 UTC (permalink / raw)
To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni
Cc: netdev, Jacob Keller, Emil Tantilov, stable, Aleksandr Loktionov,
Patryk Holda
From: Emil Tantilov <emil.s.tantilov@intel.com>

NULL pointer dereference is reported in cases where idpf_vport_open()
fails during soft reset:

./xdpsock -i <inf> -q -r -N
[ 3179.186687] idpf 0000:83:00.0: Failed to initialize queue ids for vport 0: -12
[ 3179.276739] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 3179.277636] #PF: supervisor read access in kernel mode
[ 3179.278470] #PF: error_code(0x0000) - not-present page
[ 3179.279285] PGD 0
[ 3179.280083] Oops: Oops: 0000 [#1] SMP NOPTI
...
[ 3179.283997] Workqueue: events xp_release_deferred
[ 3179.284770] RIP: 0010:idpf_find_rxq_vec+0x17/0x30 [idpf]
...
[ 3179.291937] Call Trace:
[ 3179.292392] <TASK>
[ 3179.292843] idpf_qp_switch+0x25/0x820 [idpf]
[ 3179.293325] idpf_xsk_pool_setup+0x7c/0x520 [idpf]
[ 3179.293803] idpf_xdp+0x59/0x240 [idpf]
[ 3179.294275] xp_disable_drv_zc+0x62/0xb0
[ 3179.294743] xp_clear_dev+0x40/0xb0
[ 3179.295198] xp_release_deferred+0x1f/0xa0
[ 3179.295648] process_one_work+0x226/0x730
[ 3179.296106] worker_thread+0x19e/0x340
[ 3179.296557] ? __pfx_worker_thread+0x10/0x10
[ 3179.297009] kthread+0xf4/0x130
[ 3179.297459] ? __pfx_kthread+0x10/0x10
[ 3179.297910] ret_from_fork+0x32c/0x410
[ 3179.298361] ? __pfx_kthread+0x10/0x10
[ 3179.298702] ret_from_fork_asm+0x1a/0x30

Fix the error handling of the soft reset in idpf_xdp_setup_prog() by
restoring the vport->xdp_prog to the old value. This avoids referencing
the orphaned prog that was copied to vport->xdp_prog in the soft reset
and prevents a subsequent false positive by idpf_xdp_enabled().

Update the restart check in idpf_xsk_pool_setup() to use IDPF_VPORT_UP bit
instead of netif_running(). The idpf_vport_stop/start() calls will not
update the __LINK_STATE_START bit, making this test a false positive
should the soft reset fail.

Fixes: 3d57b2c00f09 ("idpf: add XSk pool initialization")
Cc: stable@vger.kernel.org
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Patryk Holda <patryk.holda@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
---
drivers/net/ethernet/intel/idpf/xdp.c | 1 +
drivers/net/ethernet/intel/idpf/xsk.c | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/idpf/xdp.c b/drivers/net/ethernet/intel/idpf/xdp.c
index cbccd4546768..18a6e7062863 100644
--- a/drivers/net/ethernet/intel/idpf/xdp.c
+++ b/drivers/net/ethernet/intel/idpf/xdp.c
@@ -488,6 +488,7 @@ static int idpf_xdp_setup_prog(struct idpf_vport *vport,
"Could not reopen the vport after XDP setup");
cfg->user_config.xdp_prog = old;
+ vport->xdp_prog = old;
old = prog;
}
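Review bot: at the added `vport->xdp_prog = old;`, the failure branch now hand-restores two pointers (cfg->user_config.xdp_prog and vport->xdp_prog) and then sets `old = prog;`, with no comment saying which fields a failed reopen can leave changed or who drops the reference on prog afterwards. A short comment on this branch stating both, and confirming that no other XDP-related vport field needs the same rollback, would make the error path checkable from the code alone.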
diff --git a/drivers/net/ethernet/intel/idpf/xsk.c b/drivers/net/ethernet/intel/idpf/xsk.c
index d95d3efdfd36..3d8c430efd2b 100644
--- a/drivers/net/ethernet/intel/idpf/xsk.c
+++ b/drivers/net/ethernet/intel/idpf/xsk.c
@@ -553,6 +553,7 @@ int idpf_xskrq_poll(struct idpf_rx_queue *rxq, u32 budget)
int idpf_xsk_pool_setup(struct idpf_vport *vport, struct netdev_bpf *bpf)
{
+ const struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
struct xsk_buff_pool *pool = bpf->xsk.pool;
u32 qid = bpf->xsk.queue_id;
bool restart;
@@ -568,7 +569,8 @@ int idpf_xsk_pool_setup(struct idpf_vport *vport, struct netdev_bpf *bpf)
return -EINVAL;
}
- restart = idpf_xdp_enabled(vport) && netif_running(vport->netdev);
+ restart = idpf_xdp_enabled(vport) &&
+ test_bit(IDPF_VPORT_UP, np->state);
if (!restart)
goto pool;
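Review bot: the new restart test reads IDPF_VPORT_UP with a bare test_bit(), and nothing in this hunk shows what serialises that read against the stop/start path that changes the bit. Please add a comment above the test naming the lock or calling context that keeps the bit stable here, and record there why netif_running() is not used, so the check is not reverted later.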
--
2.54.0.rc2.531.gaf818d63126a
* Re: [PATCH net v2 11/12] idpf: fix xdp crash in soft reset error path
2026-04-17 0:53 ` [PATCH net v2 11/12] idpf: fix xdp crash in soft reset " Jacob Keller
@ 2026-04-18 19:00 ` Jakub Kicinski
2026-04-20 19:41 ` Jacob Keller
2026-04-20 19:48 ` Jacob Keller
0 siblings, 2 replies; 7+ messages in thread
From: Jakub Kicinski @ 2026-04-18 19:00 UTC (permalink / raw)
To: jacob.e.keller
Cc: Jakub Kicinski, andrew+netdev, davem, edumazet, pabeni, netdev,
emil.s.tantilov, stable, aleksandr.loktionov, patryk.holda

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.

Jakub: I'll drop this patch and apply the rest.
---
idpf: fix xdp crash in soft reset error path

This commit fixes a NULL pointer dereference in idpf_vport_open() when
soft reset fails by restoring vport->xdp_prog to the old value. It also
updates the restart check to use IDPF_VPORT_UP instead of netif_running().

Cc: stable@vger.kernel.org

> diff --git a/drivers/net/ethernet/intel/idpf/xdp.c b/drivers/net/ethernet/intel/idpf/xdp.c
> --- a/drivers/net/ethernet/intel/idpf/xdp.c
> +++ b/drivers/net/ethernet/intel/idpf/xdp.c
> @@ -488,6 +488,7 @@ static int idpf_xdp_setup_prog(struct idpf_vport *vport,
> "Could not reopen the vport after XDP setup");
>
> cfg->user_config.xdp_prog = old;
> + vport->xdp_prog = old;

Does this also need to roll back vport->num_xdp_txq?

Because idpf_initiate_soft_reset() overwrites the vport struct with the new
queue configuration before failing, vport->num_xdp_txq might remain > 0
while vport->xdp_prog is restored to NULL.

When the interface is brought up, idpf_xdpsqs_get() evaluates
idpf_xdp_enabled(vport) as false and returns early without allocating the
NAPI timers (xdpsq->timer).

Could another interface redirect XDP frames via ndo_xdp_xmit, bypassing the
check because vport->num_xdp_txq > 0, and cause a NULL pointer dereference
in libeth_xdpsq_queue_timer() during idpf_xdp_tx_finalize()?

> old = prog;
> }

Is this old = prog assignment leading to a double-put of the BPF program?

If idpf_initiate_soft_reset() fails, this error path drops a reference to
the newly provided prog when it calls bpf_prog_put(old) right after this
block.

Since the function returns an error code to the core network stack, won't
dev_xdp_install() in net/core/dev.c also explicitly call bpf_prog_put(prog)
assuming ownership of the error cleanup?

Could this underflow the reference count and cause a use-after-free?

[ ... ]
> diff --git a/drivers/net/ethernet/intel/idpf/xsk.c b/drivers/net/ethernet/intel/idpf/xsk.c
> --- a/drivers/net/ethernet/intel/idpf/xsk.c
> +++ b/drivers/net/ethernet/intel/idpf/xsk.c
> @@ -568,7 +569,8 @@ int idpf_xsk_pool_setup(struct idpf_vport *vport, struct netdev_bpf *bpf)
> return -EINVAL;
> }
>
> - restart = idpf_xdp_enabled(vport) && netif_running(vport->netdev);
> + restart = idpf_xdp_enabled(vport) &&
> + test_bit(IDPF_VPORT_UP, np->state);
> if (!restart)
> goto pool;

Does this function leave the queue pair permanently disabled if the pool
setup fails?

If restart is true, the queue pair is disabled via:
    idpf_qp_switch(vport, qid, false);

If the subsequent call to libeth_xsk_setup_pool() fails, the function
returns early:

    ret = libeth_xsk_setup_pool(vport->netdev, qid, pool);
    if (ret) {
        ...
        return ret;
    }

Does this early return bypass the idpf_qp_switch(vport, qid, true) call
expected later, causing a permanent partial loss of connectivity until the
interface is manually restarted?
* Re: [PATCH net v2 11/12] idpf: fix xdp crash in soft reset error path
2026-04-18 19:00 ` Jakub Kicinski
@ 2026-04-20 19:41 ` Jacob Keller
2026-04-20 19:48 ` Jacob Keller
1 sibling, 0 replies; 7+ messages in thread
From: Jacob Keller @ 2026-04-20 19:41 UTC (permalink / raw)
To: Jakub Kicinski
Cc: andrew+netdev, davem, edumazet, pabeni, netdev, emil.s.tantilov,
stable, aleksandr.loktionov, patryk.holda
On 4/18/2026 12:00 PM, Jakub Kicinski wrote:
> This is an AI-generated review of your patch. The human sending this
> email has considered the AI review valid, or at least plausible.
>
> Jakub: I'll drop this patch and apply the rest.
Thanks. Emil is on vacation, so I don't know if we'll get any response
for this fix for a bit. I'll forward this to others on the team and see
what they think.
Regards,
Jake
* Re: [PATCH net v2 11/12] idpf: fix xdp crash in soft reset error path
2026-04-18 19:00 ` Jakub Kicinski
2026-04-20 19:41 ` Jacob Keller
@ 2026-04-20 19:48 ` Jacob Keller
1 sibling, 0 replies; 7+ messages in thread
From: Jacob Keller @ 2026-04-20 19:48 UTC (permalink / raw)
To: Joshua Hay
Cc: andrew+netdev, davem, edumazet, pabeni, netdev, emil.s.tantilov,
stable, aleksandr.loktionov, patryk.holda
Here's the full review on the website if it helps:
https://sashiko.dev/#/patchset/20260319224159.23885-1-emil.s.tantilov%40intel.com
Thanks,
Jake
On 4/18/2026 12:00 PM, Jakub Kicinski wrote:
> This is an AI-generated review of your patch. The human sending this
> email has considered the AI review valid, or at least plausible.
>
> Jakub: I'll drop this patch and apply the rest.
> ---
> idpf: fix xdp crash in soft reset error path
>
> This commit fixes a NULL pointer dereference in idpf_vport_open() when
> soft reset fails by restoring vport->xdp_prog to the old value. It also
> updates the restart check to use IDPF_VPORT_UP instead of netif_running().
>
> Cc: stable@vger.kernel.org
>
>> diff --git a/drivers/net/ethernet/intel/idpf/xdp.c b/drivers/net/ethernet/intel/idpf/xdp.c
>> --- a/drivers/net/ethernet/intel/idpf/xdp.c
>> +++ b/drivers/net/ethernet/intel/idpf/xdp.c
>> @@ -488,6 +488,7 @@ static int idpf_xdp_setup_prog(struct idpf_vport *vport,
>> "Could not reopen the vport after XDP setup");
>>
>> cfg->user_config.xdp_prog = old;
>> + vport->xdp_prog = old;
>
> Does this also need to roll back vport->num_xdp_txq?
>
> Because idpf_initiate_soft_reset() overwrites the vport struct with the new
> queue configuration before failing, vport->num_xdp_txq might remain > 0
> while vport->xdp_prog is restored to NULL.
>
> When the interface is brought up, idpf_xdpsqs_get() evaluates
> idpf_xdp_enabled(vport) as false and returns early without allocating the
> NAPI timers (xdpsq->timer).
>
> Could another interface redirect XDP frames via ndo_xdp_xmit, bypassing the
> check because vport->num_xdp_txq > 0, and cause a NULL pointer dereference
> in libeth_xdpsq_queue_timer() during idpf_xdp_tx_finalize()?
>
>> old = prog;
>> }
>
> Is this old = prog assignment leading to a double-put of the BPF program?
>
> If idpf_initiate_soft_reset() fails, this error path drops a reference to
> the newly provided prog when it calls bpf_prog_put(old) right after this
> block.
>
> Since the function returns an error code to the core network stack, won't
> dev_xdp_install() in net/core/dev.c also explicitly call bpf_prog_put(prog)
> assuming ownership of the error cleanup?
>
> Could this underflow the reference count and cause a use-after-free?
>
> [ ... ]
>
>> diff --git a/drivers/net/ethernet/intel/idpf/xsk.c b/drivers/net/ethernet/intel/idpf/xsk.c
>> --- a/drivers/net/ethernet/intel/idpf/xsk.c
>> +++ b/drivers/net/ethernet/intel/idpf/xsk.c
>> @@ -568,7 +569,8 @@ int idpf_xsk_pool_setup(struct idpf_vport *vport, struct netdev_bpf *bpf)
>> return -EINVAL;
>> }
>>
>> - restart = idpf_xdp_enabled(vport) && netif_running(vport->netdev);
>> + restart = idpf_xdp_enabled(vport) &&
>> + test_bit(IDPF_VPORT_UP, np->state);
>> if (!restart)
>> goto pool;
>
> Does this function leave the queue pair permanently disabled if the pool
> setup fails?
>
> If restart is true, the queue pair is disabled via:
> idpf_qp_switch(vport, qid, false);
>
> If the subsequent call to libeth_xsk_setup_pool() fails, the function
> returns early:
>
> ret = libeth_xsk_setup_pool(vport->netdev, qid, pool);
> if (ret) {
> ...
> return ret;
> }
>
> Does this early return bypass the idpf_qp_switch(vport, qid, true) call
> expected later, causing a permanent partial loss of connectivity until the
> interface is manually restarted?
* Re: [PATCH net v2 00/12] Intel Wired LAN Driver Updates 2026-04-14 (ice, i40e, iavf, idpf, e1000e)
2026-04-17 0:53 [PATCH net v2 00/12] Intel Wired LAN Driver Updates 2026-04-14 (ice, i40e, iavf, idpf, e1000e) Jacob Keller
2026-04-17 0:53 ` [PATCH net v2 03/12] ice: fix double free in ice_sf_eth_activate() error path Jacob Keller
2026-04-17 0:53 ` [PATCH net v2 11/12] idpf: fix xdp crash in soft reset " Jacob Keller
@ 2026-04-18 19:10 ` patchwork-bot+netdevbpf
2 siblings, 0 replies; 7+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-04-18 19:10 UTC (permalink / raw)
To: Jacob Keller
Cc: andrew+netdev, davem, edumazet, kuba, pabeni, netdev,
grzegorz.nitka, aleksandr.loktionov, horms, sx.rinitha,
zoltan.fodor, sunithax.d.mekala, lgs201920130244, stable,
mschmidt, paul.greenwalt, przemyslaw.kitszel, kmta1236, kohei,
poros, pmenzel, rafal.romanowski, emil.s.tantilov, patryk.holda,
tactii, avigailx.dahan
Hello:
This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Thu, 16 Apr 2026 17:53:24 -0700 you wrote:
> Grzegorz updates the logic for adjusting the PTP hardware clock on E830,
> fixing a bug that prevented adjustments below S32_MAX/MIN nanoseconds.
>
> Grzegorz and Zoli update the PCS latency settings for E825 devices at 10GbE
> and 25GbE, improving the accuracy of timestamps based on data from
> production hardware.
>
> [...]
Here is the summary with links:
- [net,v2,01/12] ice: fix 'adjust' timer programming for E830 devices
https://git.kernel.org/netdev/net/c/885c5e57924d
- [net,v2,02/12] ice: update PCS latency settings for E825 10G/25Gb modes
https://git.kernel.org/netdev/net/c/05567e405273
- [net,v2,03/12] ice: fix double free in ice_sf_eth_activate() error path
https://git.kernel.org/netdev/net/c/9aab1c3d7299
- [net,v2,04/12] ice: fix double-free of tx_buf skb
https://git.kernel.org/netdev/net/c/1a303baa715e
- [net,v2,05/12] ice: fix PHY config on media change with link-down-on-close
https://git.kernel.org/netdev/net/c/55e74f9ea7fe
- [net,v2,06/12] ice: fix ICE_AQ_LINK_SPEED_M for 200G
https://git.kernel.org/netdev/net/c/4a3a940059e9
- [net,v2,07/12] ice: fix race condition in TX timestamp ring cleanup
https://git.kernel.org/netdev/net/c/7c72ec18c2a4
- [net,v2,08/12] ice: fix potential NULL pointer deref in error path of ice_set_ringparam()
https://git.kernel.org/netdev/net/c/fa28351f970f
- [net,v2,09/12] i40e: don't advertise IFF_SUPP_NOFCS
https://git.kernel.org/netdev/net/c/a24162f18825
- [net,v2,10/12] iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2
https://git.kernel.org/netdev/net/c/496d9f91062f
- [net,v2,11/12] idpf: fix xdp crash in soft reset error path
(no matching commit)
- [net,v2,12/12] e1000e: Unroll PTP in probe error handling
https://git.kernel.org/netdev/net/c/aa3f7fe40935
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html