{"id":2224759,"url":"http://patchwork.ozlabs.org/api/patches/2224759/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260418090137.411506-1-kohei@enjuk.jp/","project":{"id":46,"url":"http://patchwork.ozlabs.org/api/projects/46/?format=json","name":"Intel Wired Ethernet development","link_name":"intel-wired-lan","list_id":"intel-wired-lan.osuosl.org","list_email":"intel-wired-lan@osuosl.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260418090137.411506-1-kohei@enjuk.jp>","list_archive_url":null,"date":"2026-04-18T09:01:15","name":"[iwl-net,v1] ice: fix UAF/NULL deref when VSI rebuild and XDP attach race","commit_ref":null,"pull_url":null,"state":"under-review","archived":false,"hash":"80cc55f3cd5a44b4c8ee896bae1cc5ae14f384ae","submitter":{"id":92459,"url":"http://patchwork.ozlabs.org/api/people/92459/?format=json","name":"Kohei Enju","email":"kohei@enjuk.jp"},"delegate":{"id":109701,"url":"http://patchwork.ozlabs.org/api/users/109701/?format=json","username":"anguy11","first_name":"Anthony","last_name":"Nguyen","email":"anthony.l.nguyen@intel.com"},"mbox":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260418090137.411506-1-kohei@enjuk.jp/mbox/","series":[{"id":500430,"url":"http://patchwork.ozlabs.org/api/series/500430/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=500430","date":"2026-04-18T09:01:15","name":"[iwl-net,v1] ice: fix UAF/NULL deref when VSI rebuild and XDP attach race","version":1,"mbox":"http://patchwork.ozlabs.org/series/500430/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224759/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2224759/checks/","tags":{},"related":[],"headers":{"Return-Path":"<intel-wired-lan-bounces@osuosl.org>","X-Original-To":["incoming@patchwork.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256\n header.s=default header.b=PwNOtLrs;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=140.211.166.138; helo=smtp1.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fyQjn6RRMz1yGt\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Apr 2026 19:02:03 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id B8BBF82289;\n\tSat, 18 Apr 2026 09:02:00 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id gkiPRMhVoxfJ; Sat, 18 Apr 2026 09:01:59 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 8E39182237;\n\tSat, 18 Apr 2026 09:01:59 +0000 (UTC)","from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n by lists1.osuosl.org (Postfix) with ESMTP id E3F19259\n for <intel-wired-lan@lists.osuosl.org>; Sat, 18 Apr 2026 09:01:57 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id C9B8C60F19\n for <intel-wired-lan@lists.osuosl.org>; Sat, 18 Apr 2026 09:01:57 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id oc_xiCa0CKZK for <intel-wired-lan@lists.osuosl.org>;\n Sat, 18 Apr 2026 09:01:57 +0000 (UTC)","from www2881.sakura.ne.jp (www2881.sakura.ne.jp [49.212.198.91])\n by smtp3.osuosl.org (Postfix) with ESMTPS id D79FA60F15\n for <intel-wired-lan@lists.osuosl.org>; Sat, 18 Apr 2026 09:01:56 +0000 (UTC)","from ms-a2 (232.154.13.160.dy.iij4u.or.jp [160.13.154.232])\n (authenticated bits=0)\n by www2881.sakura.ne.jp (8.16.1/8.16.1) with ESMTPSA id 63I91csh034081\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);\n Sat, 18 Apr 2026 18:01:38 +0900 (JST) (envelope-from kohei@enjuk.jp)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8E39182237","OpenDKIM Filter v2.11.0 smtp3.osuosl.org D79FA60F15"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org;\n\ts=default; t=1776502919;\n\tbh=SxGyo39sLn37ykZ1MyDgzsUgeOOQcYMpbjUuw3Tt9ms=;\n\th=From:To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From;\n\tb=PwNOtLrsxIInANe6VMr+A0d9gDhIDtZpZYLQq/smSUgLZ2waquAHrepnXOeLOxYjJ\n\t EEbGl/2bXKSlCn8vDBTz0+dDyTv98HR/n0+e1OShikcuQuAtxhCuadkydaLeoXMhrP\n\t DZGliQTwgPL6vLDDAewF0a5Ld9RXfNEfQkj2J4j7P8g2dICKNht/e4Y+vxWzLh2EbI\n\t 2+DK1I7dQ4A8+3BCH4HD8Iyrwa8FfZiM2GQoGT17mnoxDSbwVs4IiIW4w8bBzkU7wm\n\t b2HMuumZI0O942JYgd89nWM/Ws0b4v5KiHW+aTKlk4SmCtngbjBv1+OYYbDOtmrOUe\n\t BNsG7npKISpow==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=49.212.198.91;\n helo=www2881.sakura.ne.jp; envelope-from=kohei@enjuk.jp; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp3.osuosl.org D79FA60F15","From":"Kohei Enju <kohei@enjuk.jp>","To":"intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org","Cc":"Tony Nguyen <anthony.l.nguyen@intel.com>,\n Przemek Kitszel <przemyslaw.kitszel@intel.com>,\n Andrew Lunn <andrew+netdev@lunn.ch>,\n \"David S. Miller\" <davem@davemloft.net>,\n Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,\n Paolo Abeni <pabeni@redhat.com>,\n Wojciech Drewek <wojciech.drewek@intel.com>,\n Jacob Keller <jacob.e.keller@intel.com>,\n Larysa Zaremba <larysa.zaremba@intel.com>,\n Maciej Fijalkowski <maciej.fijalkowski@intel.com>,\n Kohei Enju <kohei@enjuk.jp>","Date":"Sat, 18 Apr 2026 09:01:15 +0000","Message-ID":"<20260418090137.411506-1-kohei@enjuk.jp>","X-Mailer":"git-send-email 2.51.0","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Mailman-Original-DKIM-Signature":"a=rsa-sha256;\n bh=SxGyo39sLn37ykZ1MyDgzsUgeOOQcYMpbjUuw3Tt9ms=;\n c=relaxed/relaxed; d=enjuk.jp;\n h=From:Message-ID:To:Subject:Date;\n s=rs20251215; t=1776502899; v=1;\n b=L7wYo3hpYw9vXC27in1/pj4EJZikMcyWN269KKsoZ7r8ATphDcfbC5d2uUdKDsFN\n NYlbM5ZqBAFotMmCCODVwhYGiRKQ0K8kbKSXOZsK2eJtXkMJLnH0vKw+alVIaaZ0\n nYnOdEhQeCPqbrgBV/33Yt2A+lRDrWfCzVZ6KCGMYTaUyeuljWgvNJ2H9amHMhi4\n 00rBms2IksdBHuUK7dIbPvXEsFZJUa6s7r+rlwNW4SGE/ch7Df+iopMJVzJ+P7Pj\n kWSDhKEvIzhyJu/AQ7DlUmfhWRQ78IT1VTLD3VX8KOCAYzEK2oZ/0Q13qDJTMwtC\n nJPf5xqN37c+1EsE4bfH0g==","X-Mailman-Original-Authentication-Results":["smtp3.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=enjuk.jp","smtp3.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=enjuk.jp header.i=@enjuk.jp header.a=rsa-sha256\n header.s=rs20251215 header.b=L7wYo3hp"],"Subject":"[Intel-wired-lan] [PATCH iwl-net v1] ice: fix UAF/NULL deref when\n VSI rebuild and XDP attach race","X-BeenThere":"intel-wired-lan@osuosl.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Intel Wired Ethernet Linux Kernel Driver Development\n <intel-wired-lan.osuosl.org>","List-Unsubscribe":"<https://lists.osuosl.org/mailman/options/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>","List-Archive":"<http://lists.osuosl.org/pipermail/intel-wired-lan/>","List-Post":"<mailto:intel-wired-lan@osuosl.org>","List-Help":"<mailto:intel-wired-lan-request@osuosl.org?subject=help>","List-Subscribe":"<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>","Errors-To":"intel-wired-lan-bounces@osuosl.org","Sender":"\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>"},"content":"ice_xdp_setup_prog() unconditionally hot-swaps xdp_prog when\nICE_VSI_REBUILD_PENDING is set. In the attach path, this can publish a\nnew rx_ring->xdp_prog before rx_ring->xdp_ring becomes valid while the\nrebuild is pending. As a result, ice_clean_rx_irq() may dereference\nrx_ring->xdp_ring too early.\n\nWith high-volume RX packets, running these commands in parallel\ntriggered a KASAN splat [1].\n # ethtool --reset $DEV irq dma filter offload\n # ip link set dev $DEV xdp {obj $OBJ sec xdp,off}\n\nFix this by rejecting XDP attach while rebuild is pending.\nKeep XDP detach allowed in this window. Detach clears rx_ring->xdp_prog,\nso the RX path will not attempt to access rx_ring->xdp_ring.\n\n[1]\nBUG: KASAN: slab-use-after-free in ice_napi_poll+0x3921/0x41a0\nRead of size 2 at addr ffff88812475b880 by task ksoftirqd/1/23\n[...]\nCall Trace:\n <TASK>\n ice_napi_poll+0x3921/0x41a0\n __napi_poll+0x98/0x520\n net_rx_action+0x8f2/0xfa0\n handle_softirqs+0x1cb/0x7f0\n[...]\n </TASK>\n\nAllocated by task 7246:\n ice_prepare_xdp_rings+0x3de/0x12d0\n ice_xdp+0x61c/0xef0\n dev_xdp_install+0x3c4/0x840\n dev_xdp_attach+0x50a/0x10a0\n dev_change_xdp_fd+0x175/0x210\n[...]\n\nFreed by task 7251:\n __rcu_free_sheaf_prepare+0x5f/0x230\n rcu_free_sheaf+0x1a/0xf0\n rcu_core+0x567/0x1d80\n handle_softirqs+0x1cb/0x7f0\n\nFixes: 2504b8405768 (\"ice: protect XDP configuration with a mutex\")\nSigned-off-by: Kohei Enju <kohei@enjuk.jp>\n---\n drivers/net/ethernet/intel/ice/ice_main.c | 13 +++++++++++--\n 1 file changed, 11 insertions(+), 2 deletions(-)","diff":"diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c\nindex d1f628f1c8ac..4681cbe193f6 100644\n--- a/drivers/net/ethernet/intel/ice/ice_main.c\n+++ b/drivers/net/ethernet/intel/ice/ice_main.c\n@@ -2912,12 +2912,21 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog,\n \t}\n \n \t/* hot swap progs and avoid toggling link */\n-\tif (ice_is_xdp_ena_vsi(vsi) == !!prog ||\n-\t    test_bit(ICE_VSI_REBUILD_PENDING, vsi->state)) {\n+\tif (ice_is_xdp_ena_vsi(vsi) == !!prog) {\n \t\tice_vsi_assign_bpf_prog(vsi, prog);\n \t\treturn 0;\n \t}\n \n+\tif (test_bit(ICE_VSI_REBUILD_PENDING, vsi->state)) {\n+\t\tif (prog) {\n+\t\t\tNL_SET_ERR_MSG_MOD(extack, \"VSI rebuild is pending\");\n+\t\t\treturn -EAGAIN;\n+\t\t}\n+\n+\t\tice_vsi_assign_bpf_prog(vsi, NULL);\n+\t\treturn 0;\n+\t}\n+\n \tif_running = netif_running(vsi->netdev) &&\n \t\t     !test_and_set_bit(ICE_VSI_DOWN, vsi->state);\n \n","prefixes":["iwl-net","v1"]}