From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Aleksandr Loktionov <aleksandr.loktionov@intel.com>,
Aaron Ma <aaron.ma@canonical.com>,
Paul Menzel <pmenzel@molgen.mpg.de>,
Tony Nguyen <anthony.l.nguyen@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 14/87] ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
Date: Wed, 4 Feb 2026 15:40:12 +0100 [thread overview]
Message-ID: <20260204143847.425894413@linuxfoundation.org> (raw)
In-Reply-To: <20260204143846.906385641@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Ma <aaron.ma@canonical.com>
[ Upstream commit 9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85 ]
Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes
during resume from suspend when rings[q_idx]->q_vector is NULL.
Tested adaptor:
60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)
Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]
SR-IOV state: both disabled and enabled can reproduce this issue.
kernel version: v6.18
Reproduce steps:
Boot up and execute suspend like systemctl suspend or rtcwake.
Log:
<1>[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040
<1>[ 231.444052] #PF: supervisor read access in kernel mode
<1>[ 231.444484] #PF: error_code(0x0000) - not-present page
<6>[ 231.444913] PGD 0 P4D 0
<4>[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI
<4>[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170
<4>[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89
<4>[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202
<4>[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010
<4>[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000
<4>[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000
<4>[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
<4>[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000
<4>[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000
<4>[ 231.450715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0
<4>[ 231.451629] PKRU: 55555554
<4>[ 231.452076] Call Trace:
<4>[ 231.452549] <TASK>
<4>[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]
<4>[ 231.453482] ice_resume+0xfd/0x220 [ice]
<4>[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10
<4>[ 231.454425] pci_pm_resume+0x8c/0x140
<4>[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10
<4>[ 231.455347] dpm_run_callback+0x5f/0x160
<4>[ 231.455796] ? dpm_wait_for_superior+0x107/0x170
<4>[ 231.456244] device_resume+0x177/0x270
<4>[ 231.456708] dpm_resume+0x209/0x2f0
<4>[ 231.457151] dpm_resume_end+0x15/0x30
<4>[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0
<4>[ 231.458054] enter_state+0x10e/0x570
Add defensive checks for both the ring pointer and its q_vector
before dereferencing, allowing the system to resume successfully even when
q_vectors are unmapped.
Fixes: 2a5dc090b92cf ("ice: move netif_queue_set_napi to rtnl-protected sections")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_lib.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
index 4e022de9e4bbd..4ad21c21c5c57 100644
--- a/drivers/net/ethernet/intel/ice/ice_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_lib.c
@@ -2731,12 +2731,14 @@ void ice_vsi_set_napi_queues(struct ice_vsi *vsi)
return;
ice_for_each_rxq(vsi, q_idx)
- netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_RX,
- &vsi->rx_rings[q_idx]->q_vector->napi);
+ if (vsi->rx_rings[q_idx] && vsi->rx_rings[q_idx]->q_vector)
+ netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_RX,
+ &vsi->rx_rings[q_idx]->q_vector->napi);
ice_for_each_txq(vsi, q_idx)
- netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_TX,
- &vsi->tx_rings[q_idx]->q_vector->napi);
+ if (vsi->tx_rings[q_idx] && vsi->tx_rings[q_idx]->q_vector)
+ netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_TX,
+ &vsi->tx_rings[q_idx]->q_vector->napi);
/* Also set the interrupt number for the NAPI */
ice_for_each_q_vector(vsi, v_idx) {
struct ice_q_vector *q_vector = vsi->q_vectors[v_idx];
--
2.51.0
next prev parent reply other threads:[~2026-02-04 15:24 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-04 14:39 [PATCH 6.12 00/87] 6.12.69-rc1 review Greg Kroah-Hartman
2026-02-04 14:39 ` [PATCH 6.12 01/87] can: at91_can: Fix memory leak in at91_can_probe() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 02/87] Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 03/87] Bluetooth: MGMT: Fix memory leak in set_ssp_complete Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 04/87] net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 05/87] can: gs_usb: gs_usb_receive_bulk_callback(): fix error message Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 06/87] net: bcmasp: fix early exit leak with fixed phy Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 07/87] octeon_ep: Fix memory leak in octep_device_setup() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 08/87] bonding: annotate data-races around slave->last_rx Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 09/87] net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 10/87] ipv6: use the right ifindex when replying to icmpv6 from localhost Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 11/87] net: wwan: t7xx: fix potential skb->frags overflow in RX path Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 12/87] rocker: fix memory leak in rocker_world_port_post_fini() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 13/87] nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame() Greg Kroah-Hartman
2026-02-04 14:40 ` Greg Kroah-Hartman [this message]
2026-02-04 14:40 ` [PATCH 6.12 15/87] ice: stop counting UDP csum mismatch as rx_errors Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 16/87] net/mlx5e: TC, delete flows only for existing peers Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 17/87] nfc: nci: Fix race between rfkill and nci_unregister_device() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 18/87] net: bridge: fix static key check Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 19/87] net: phy: micrel: fix clk warning when removing the driver Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 20/87] net/mlx5: fs, Fix inverted cap check in tx flow table root disconnect Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 21/87] net/mlx5: Initialize events outside devlink lock Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 22/87] net/mlx5: Fix vhca_id access call trace use before alloc Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 23/87] net/mlx5e: Skip ESN replay window setup for IPsec crypto offload Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 24/87] scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 25/87] ASoC: Intel: sof_es8336: fix headphone GPIO logic inversion Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 26/87] gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 27/87] gpio: virtuser: fix UAF in configfs release path Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 28/87] bcache: fix improper use of bi_end_io Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 29/87] bcache: use bio cloning for detached device requests Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 30/87] bcache: fix I/O accounting leak in detached_dev_do_request Greg Kroah-Hartman
2026-02-13 0:16 ` Guenter Roeck
2026-02-16 9:50 ` Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 31/87] dma/pool: distinguish between missing and exhausted atomic pools Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 32/87] sched/deadline: Document dl_server Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 33/87] sched/deadline: Fix stuck dl_server Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 34/87] pinctrl: meson: mark the GPIO controller as sleeping Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 35/87] riscv: compat: fix COMPAT_UTS_MACHINE definition Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 36/87] rust: rbtree: fix documentation typo in CursorMut peek_next method Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 37/87] rust: kbuild: give `--config-path` to `rustfmt` in `.rsi` target Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 38/87] ASoC: fsl: imx-card: Do not force slot width to sample width Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 39/87] scsi: be2iscsi: Fix a memory leak in beiscsi_boot_get_sinfo() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 40/87] ASoC: amd: yc: Add DMI quirk for Acer TravelMate P216-41-TCO Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 41/87] gpio: pca953x: mask interrupts in irq shutdown Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 42/87] scsi: qla2xxx: edif: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 43/87] efivarfs: fix error propagation in efivar_entry_get() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 44/87] nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 45/87] gpio: rockchip: Stop calling pinctrl for set_direction Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 46/87] mm/kasan: fix KASAN poisoning in vrealloc() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 47/87] mptcp: only reset subflow errors when propagated Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 48/87] selftests: mptcp: check no dup close events after error Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 49/87] selftests: mptcp: check subflow errors in close events Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 50/87] selftests: mptcp: join: fix local endp not being tracked Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 51/87] flex_proportions: make fprop_new_period() hardirq safe Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 52/87] mm/memory-failure: fix missing ->mf_stats count in hugetlb poison Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 53/87] mm/memory-failure: teach kill_accessing_process to accept hugetlb tail page pfn Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 54/87] mm/shmem, swap: fix race of truncate and swap entry split Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 55/87] net: fix segmentation of forwarding fraglist GRO Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 56/87] scripts: generate_rust_analyzer: remove sysroot assertion Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 57/87] scripts: generate_rust_analyzer: compile sysroot with correct edition Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 58/87] scripts: generate_rust_analyzer: Add compiler_builtins -> core dep Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 59/87] drm/msm/a6xx: fix bogus hwcg register updates Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 60/87] drm/imx/tve: fix probe device leak Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.12 61/87] drm/amdgpu/soc21: fix xclk for APUs Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 62/87] drm/amdgpu/gfx10: fix wptr reset in KGQ init Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 63/87] drm/amdgpu/gfx11: " Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 64/87] drm/amdgpu/gfx12: " Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 65/87] drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 66/87] drm/amdgpu: Fix cond_exec handling in amdgpu_ib_schedule() Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 67/87] gpiolib: acpi: Fix potential out-of-boundary left shift Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 68/87] rust: kbuild: support `-Cjump-tables=n` for Rust 1.93.0 Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 69/87] cgroup: Fix kernfs_node UAF in css_free_rwork_fn Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 70/87] rxrpc: Fix data-race warning and potential load/store tearing Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 71/87] ksmbd: smbd: fix dma_unmap_sg() nents Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 72/87] libbpf: Fix -Wdiscarded-qualifiers under C23 Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 73/87] mm/kfence: randomize the freelist on initialization Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 74/87] wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 75/87] Revert "drm/nouveau/disp: Set drm_mode_config_funcs.atomic_(check|commit)" Greg Kroah-Hartman
2026-02-05 14:28 ` Guenter Roeck
2026-02-05 14:30 ` Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 76/87] btrfs: prevent use-after-free on folio private data in btrfs_subpage_clear_uptodate() Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 77/87] net/sched: act_ife: convert comma to semicolon Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 78/87] pinctrl: qcom: sm8350-lpass-lpi: Merge with SC7280 to fix I2S2 and SWR TX pins Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 79/87] mptcp: avoid dup SUB_CLOSED events after disconnect Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 80/87] perf: Simplify get_perf_callchain() user logic Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 81/87] perf: sched: Fix perf crash with new is_user_task() helper Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 82/87] writeback: fix 100% CPU usage when dirtytime_expire_interval is 0 Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 83/87] drm/amdgpu/gfx11: adjust KGQ reset sequence Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 84/87] pinctrl: lpass-lpi: implement .get_direction() for the GPIO driver Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 85/87] net: mana: Change the function signature of mana_get_primary_netdev_rcu Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 86/87] RDMA/mana_ib: Handle net event for pointing to the current netdev Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.12 87/87] bpf/selftests: test_select_reuseport_kern: Remove unused header Greg Kroah-Hartman
2026-02-04 19:52 ` [PATCH 6.12 00/87] 6.12.69-rc1 review Brett A C Sheffield
2026-02-04 20:11 ` Florian Fainelli
2026-02-04 20:27 ` Jon Hunter
2026-02-04 23:39 ` Peter Schneider
2026-02-05 7:40 ` Ron Economos
2026-02-05 8:26 ` Francesco Dolcini
2026-02-05 10:30 ` Harshit Mogalapalli
2026-02-05 12:13 ` Mark Brown
2026-02-05 14:34 ` Brett Mastbergen
2026-02-06 1:22 ` Hardik Garg
2026-02-06 5:53 ` Shung-Hsi Yu
2026-02-06 9:29 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260204143847.425894413@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aaron.ma@canonical.com \
--cc=aleksandr.loktionov@intel.com \
--cc=anthony.l.nguyen@intel.com \
--cc=patches@lists.linux.dev \
--cc=pmenzel@molgen.mpg.de \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox