[{"id":3680741,"web_url":"http://patchwork.ozlabs.org/comment/3680741/","msgid":"<20260422180020.GQ651125@horms.kernel.org>","list_archive_url":null,"date":"2026-04-22T18:00:20","subject":"Re: [Intel-wired-lan] [PATCH iwl-net v1] ice: fix UAF/NULL deref\n when VSI rebuild and XDP attach race","submitter":{"id":82748,"url":"http://patchwork.ozlabs.org/api/people/82748/","name":"Simon Horman","email":"horms@kernel.org"},"content":"On Sat, Apr 18, 2026 at 09:01:15AM +0000, Kohei Enju wrote:\n> ice_xdp_setup_prog() unconditionally hot-swaps xdp_prog when\n> ICE_VSI_REBUILD_PENDING is set. In the attach path, this can publish a\n> new rx_ring->xdp_prog before rx_ring->xdp_ring becomes valid while the\n> rebuild is pending. As a result, ice_clean_rx_irq() may dereference\n> rx_ring->xdp_ring too early.\n> \n> With high-volume RX packets, running these commands in parallel\n> triggered a KASAN splat [1].\n>  # ethtool --reset $DEV irq dma filter offload\n>  # ip link set dev $DEV xdp {obj $OBJ sec xdp,off}\n> \n> Fix this by rejecting XDP attach while rebuild is pending.\n> Keep XDP detach allowed in this window. Detach clears rx_ring->xdp_prog,\n> so the RX path will not attempt to access rx_ring->xdp_ring.\n> \n> [1]\n> BUG: KASAN: slab-use-after-free in ice_napi_poll+0x3921/0x41a0\n> Read of size 2 at addr ffff88812475b880 by task ksoftirqd/1/23\n> [...]\n> Call Trace:\n>  <TASK>\n>  ice_napi_poll+0x3921/0x41a0\n>  __napi_poll+0x98/0x520\n>  net_rx_action+0x8f2/0xfa0\n>  handle_softirqs+0x1cb/0x7f0\n> [...]\n>  </TASK>\n> \n> Allocated by task 7246:\n>  ice_prepare_xdp_rings+0x3de/0x12d0\n>  ice_xdp+0x61c/0xef0\n>  dev_xdp_install+0x3c4/0x840\n>  dev_xdp_attach+0x50a/0x10a0\n>  dev_change_xdp_fd+0x175/0x210\n> [...]\n> \n> Freed by task 7251:\n>  __rcu_free_sheaf_prepare+0x5f/0x230\n>  rcu_free_sheaf+0x1a/0xf0\n>  rcu_core+0x567/0x1d80\n>  handle_softirqs+0x1cb/0x7f0\n> \n> Fixes: 2504b8405768 (\"ice: protect XDP configuration with a mutex\")\n> Signed-off-by: Kohei Enju <kohei@enjuk.jp>\n\nReviewed-by: Simon Horman <horms@kernel.org>\n\nSashiko has provided some feedback on this patch.\nHowever, I believe the issues it raises are not introduced\nby this patch and should not block progress of it.\nI'd like to ask if you could take a look over that feedback\nand see if any follow-up is appropriate.\n\nThanks!","headers":{"Return-Path":"<intel-wired-lan-bounces@osuosl.org>","X-Original-To":["incoming@patchwork.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256\n header.s=default header.b=7CInItM2;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g16TK2Pthz1yD5\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 23 Apr 2026 04:00:36 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 8B235848A8;\n\tWed, 22 Apr 2026 18:00:35 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id VTHIAuFq9EPD; Wed, 22 Apr 2026 18:00:31 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id F2207848D1;\n\tWed, 22 Apr 2026 18:00:30 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists1.osuosl.org (Postfix) with ESMTP id 494F3183\n for <intel-wired-lan@lists.osuosl.org>; Wed, 22 Apr 2026 18:00:30 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 383B240C81\n for <intel-wired-lan@lists.osuosl.org>; Wed, 22 Apr 2026 18:00:30 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 2OEostrLKUpy for <intel-wired-lan@lists.osuosl.org>;\n Wed, 22 Apr 2026 18:00:27 +0000 (UTC)","from sea.source.kernel.org (sea.source.kernel.org [172.234.252.31])\n by smtp4.osuosl.org (Postfix) with ESMTPS id EAF6A40D0D\n for <intel-wired-lan@lists.osuosl.org>; Wed, 22 Apr 2026 18:00:26 +0000 (UTC)","from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])\n by sea.source.kernel.org (Postfix) with ESMTP id 511FC442A4;\n Wed, 22 Apr 2026 18:00:26 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id 38913C19425;\n Wed, 22 Apr 2026 18:00:23 +0000 (UTC)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org F2207848D1","OpenDKIM Filter v2.11.0 smtp4.osuosl.org EAF6A40D0D"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org;\n\ts=default; t=1776880831;\n\tbh=mh6y5yh9QyquHEkZ51r/J1pTGJ3FWOuH+S5IWnZMJpE=;\n\th=Date:From:To:Cc:References:In-Reply-To:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=7CInItM2PmAd+NpqvI8JNsiSs/PEw67KCBiD0UnVkwqHpZ6y3rdlR9NBRNtVjK8Z8\n\t KVgSQmNMTTSlcqdX0nZ7mZ1BvAFZ4v/9dHQKaQAv8WXr9HjVGjO7SV9J8iJP7lVYOZ\n\t IyLXuNmoqpd5YeSMtgFvCbtwpgUL3o1lQG17o0bXSYOravHplHuMxZoAX7oCRal9KT\n\t cUYhMhANBOG5BnSOoLuifpvwlgJQyjy1yqp8EsB+jq9//6p4EEtGzOZ2DHtODA7Aj2\n\t MAPQT0ztGHzKpNpq8qTMu80+k3N2um//pOdyUrWWysxsXSeTdGw5NbfghD+0Yz3daL\n\t 3lswr79e7W5LA==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=172.234.252.31;\n helo=sea.source.kernel.org; envelope-from=horms@kernel.org;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org EAF6A40D0D","Date":"Wed, 22 Apr 2026 19:00:20 +0100","From":"Simon Horman <horms@kernel.org>","To":"Kohei Enju <kohei@enjuk.jp>","Cc":"intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,\n Tony Nguyen <anthony.l.nguyen@intel.com>,\n Przemek Kitszel <przemyslaw.kitszel@intel.com>,\n Andrew Lunn <andrew+netdev@lunn.ch>,\n \"David S. Miller\" <davem@davemloft.net>,\n Eric Dumazet <edumazet@google.com>,\n Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,\n Wojciech Drewek <wojciech.drewek@intel.com>,\n Jacob Keller <jacob.e.keller@intel.com>,\n Larysa Zaremba <larysa.zaremba@intel.com>,\n Maciej Fijalkowski <maciej.fijalkowski@intel.com>","Message-ID":"<20260422180020.GQ651125@horms.kernel.org>","References":"<20260418090137.411506-1-kohei@enjuk.jp>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260418090137.411506-1-kohei@enjuk.jp>","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=kernel.org; s=k20201202; t=1776880826;\n bh=vRGM5fdnwN3r2o7+o8B0zJJEj14G3ujdB0md67BxS6M=;\n h=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n b=cxwr75AxlCyeiQ/LwDiYJ6l6jyirk+bWY/wjemxm4nLyAhfeSFsmFZQoPm7m0R9GL\n vej3+9Nj2Jd5LStc2cSPmc+kenIkHE9nBndhc3a0qFRm6uiVEy9SOJfqvqM13+LdwR\n mZIBjarJwqbv69bCv3XggOay062kWmunTFUuzl9Ghq9tUmNz3QL2Q/aST6YuYSVxJq\n Omgw3s0SktvAZDcbYodie12zJcwkkTDwL5eeAyvwSn1xuRVJiAlSGsVlMi2k9L1Xsw\n yEcMLMAdl8Owo0+xYUKThD83rIOoXDZKv9vPgTcZI/ThPZOK6qfv4y3dbtUBQ+FtCJ\n /JNFVVan13Xuw==","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=kernel.org","smtp4.osuosl.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.a=rsa-sha256 header.s=k20201202 header.b=cxwr75Ax"],"Subject":"Re: [Intel-wired-lan] [PATCH iwl-net v1] ice: fix UAF/NULL deref\n when VSI rebuild and XDP attach race","X-BeenThere":"intel-wired-lan@osuosl.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Intel Wired Ethernet Linux Kernel Driver Development\n <intel-wired-lan.osuosl.org>","List-Unsubscribe":"<https://lists.osuosl.org/mailman/options/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>","List-Archive":"<http://lists.osuosl.org/pipermail/intel-wired-lan/>","List-Post":"<mailto:intel-wired-lan@osuosl.org>","List-Help":"<mailto:intel-wired-lan-request@osuosl.org?subject=help>","List-Subscribe":"<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>","Errors-To":"intel-wired-lan-bounces@osuosl.org","Sender":"\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>"}}]