RE: [Intel-wired-lan] [PATCH net v2 RESEND] ice: fix race condition in TX timestamp ring cleanup
From: Rinitha, SX
Date: Thu Apr 09 2026 - 12:49:37 EST
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@xxxxxxxxxx> On Behalf Of Keita Morisaki
> Sent: 24 February 2026 11:16
> To: Nguyen, Anthony L <anthony.l.nguyen@xxxxxxxxx>; Kitszel, Przemyslaw <przemyslaw.kitszel@xxxxxxxxx>; Andrew Lunn <andrew+netdev@xxxxxxx>; David S . Miller <davem@xxxxxxxxxxxxx>; Eric Dumazet <edumazet@xxxxxxxxxx>; Jakub Kicinski <kuba@xxxxxxxxxx>; Paolo Abeni <pabeni@xxxxxxxxxx>
> Cc: Alice Michael <alice.michael@xxxxxxxxx>; Loktionov, Aleksandr <aleksandr.loktionov@xxxxxxxxx>; Fijalkowski, Maciej <maciej.fijalkowski@xxxxxxxxx>; Greenwalt, Paul <paul.greenwalt@xxxxxxxxx>; intel-wired-lan@xxxxxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; Keita Morisaki <kmta1236@xxxxxxxxx>
> Subject: [Intel-wired-lan] [PATCH net v2 RESEND] ice: fix race condition in TX timestamp ring cleanup
>
> Fix a race condition between ice_free_tx_tstamp_ring() and ice_tx_map() that can cause a NULL pointer dereference.
>
> ice_free_tx_tstamp_ring currently clears the ICE_TX_FLAGS_TXTIME flag after NULLing the tstamp_ring. This could allow a concurrent ice_tx_map call on another CPU to dereference the tstamp_ring, which could lead to a NULL pointer dereference.
>
> CPU A:ice_free_tx_tstamp_ring() | CPU B:ice_tx_map()
> --------------------------------|---------------------------------
> tx_ring->tstamp_ring = NULL     |
>                                 | ice_is_txtime_cfg() -> true
>                                 | tstamp_ring = tx_ring->tstamp_ring
>                                 | tstamp_ring->count // NULL deref!
> flags &= ~ICE_TX_FLAGS_TXTIME   |
>
> Fix by:
> 1. Reordering ice_free_tx_tstamp_ring() to clear the flag before
>    NULLing the pointer, with smp_wmb() to ensure proper ordering.
> 2. Adding smp_rmb() in ice_tx_map() after the flag check to order the
>    flag read before the pointer read, using READ_ONCE() for the
>    pointer, and adding a NULL check as a safety net.
> 3. Converting tx_ring->flags from u8 to DECLARE_BITMAP() and using
>    atomic bitops (set_bit(), clear_bit(), test_bit()) for all flag
>    operations throughout the driver:
>    - ICE_TX_RING_FLAGS_XDP
>    - ICE_TX_RING_FLAGS_VLAN_L2TAG1
>    - ICE_TX_RING_FLAGS_VLAN_L2TAG2
>    - ICE_TX_RING_FLAGS_TXTIME
>
> Fixes: ccde82e909467 ("ice: add E830 Earliest TxTime First Offload support")
> Signed-off-by: Keita Morisaki <kmta1236@xxxxxxxxx>
> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@xxxxxxxxx>
> ---
> Changes in v2:
> - Convert tx_ring->flags from u8 to DECLARE_BITMAP() and use atomic
>   bitops (set_bit(), clear_bit(), test_bit()) for all flag operations
>   instead of WRITE_ONCE() for flag updates
> - Rename flags from ICE_TX_FLAGS_RING_* to ICE_TX_RING_FLAGS_* to
>   distinguish from per-packet flags (ICE_TX_FLAGS_*)
>
> drivers/net/ethernet/intel/ice/ice.h | 4 ++--
> drivers/net/ethernet/intel/ice/ice_dcb_lib.c | 2 +-
> drivers/net/ethernet/intel/ice/ice_lib.c | 4 ++--
> drivers/net/ethernet/intel/ice/ice_txrx.c | 23 ++++++++++++++------
> drivers/net/ethernet/intel/ice/ice_txrx.h | 16 +++++++++-----
> 5 files changed, 31 insertions(+), 18 deletions(-)
>
Tested-by: Rinitha S <sx.rinitha@xxxxxxxxx> (A Contingent worker at Intel)
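
The ordering described in the quoted commit message, as an added userspace C11 model that is not part of the patch or the ice driver. The struct fields and the functions ring_publish(), ring_retire() and ring_tx_count() are hypothetical names; C11 release/acquire fences stand in for smp_wmb()/smp_rmb(), and a relaxed atomic load stands in for READ_ONCE().

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical stand-ins; not the ice driver's definitions. */
struct tstamp_ring { unsigned int count; };
struct tx_ring {
    atomic_bool txtime;                    /* models the TXTIME ring flag */
    _Atomic(struct tstamp_ring *) tstamp;  /* models tx_ring->tstamp_ring */
};

/* Setup: make the pointer visible before the flag that advertises it. */
static void ring_publish(struct tx_ring *r, struct tstamp_ring *ts)
{
    atomic_store_explicit(&r->tstamp, ts, memory_order_relaxed);
    atomic_thread_fence(memory_order_release);
    atomic_store_explicit(&r->txtime, true, memory_order_relaxed);
}

/* Teardown in the fixed order: flag off, barrier, then pointer to NULL.
 * Returns the old ring; when it may be freed is not modelled here. */
static struct tstamp_ring *ring_retire(struct tx_ring *r)
{
    atomic_store_explicit(&r->txtime, false, memory_order_relaxed);
    atomic_thread_fence(memory_order_release);        /* role of smp_wmb() */
    return atomic_exchange_explicit(&r->tstamp, (struct tstamp_ring *)NULL,
                                    memory_order_relaxed);
}

/* Transmit side: ring size, or -1 when the timestamp ring must not be used. */
static long ring_tx_count(struct tx_ring *r)
{
    if (!atomic_load_explicit(&r->txtime, memory_order_relaxed))
        return -1;
    atomic_thread_fence(memory_order_acquire);        /* role of smp_rmb() */
    struct tstamp_ring *ts =
        atomic_load_explicit(&r->tstamp, memory_order_relaxed); /* READ_ONCE() */
    if (!ts)    /* teardown finished between the two loads above */
        return -1;
    return (long)ts->count;
}

int main(void)
{
    struct tstamp_ring ts = { .count = 64 };   /* constructed sample ring */
    struct tx_ring r = { 0 };
    ring_publish(&r, &ts);
    ring_retire(&r);
    return ring_tx_count(&r) == -1 ? 0 : 1;
}
```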