[PATCH v2] ice: Fix wrong dsn read in ice_adapter_put

[Cyrill Gorcunov]

On Sun, May 17, 2026 at 01:53:07PM +0100, Simon Horman wrote:
...
> >  void ice_adapter_put(struct pci_dev *pdev)
> >  {
> > +	const struct ice_pf *pf = pci_get_drvdata(pdev);
> > +	unsigned long index = pf->adapter->index;
> 
> Is it possible for pf->adapter to be NULL here if the device was probed in
> firmware recovery mode?
> 
> If the device enters firmware recovery mode during ice_probe(), the driver
> calls ice_probe_recovery_mode() and skips the ice_adapter_get() allocation.
> If the device is subsequently unplugged, the memory-mapped read for the
> firmware state register might return 0.
> 
> This would cause ice_is_recovery_mode() to evaluate to false in ice_remove(),
> allowing the normal teardown sequence to proceed and call ice_adapter_put().
> Would the unconditional dereference of pf->adapter->index then cause a NULL
> pointer dereference?

If we're in recovery mode the ice_remove will not reach ice_adapter_put,
instead it will stop service work and just deinit devlink interface, no?

> Also, does this implicit cast to unsigned long bypass the XOR folding used
> during insertion on 32-bit architectures?
> 
> The ice_adapters XArray is keyed by an unsigned long index. During insertion
> in ice_adapter_get(), the index is computed using ice_adapter_xa_index(pdev).
> On 32-bit architectures, this helper explicitly applies a bitwise XOR fold
> to the 64-bit Device Serial Number:
> 
> (u32)index ^ (u32)(index >> 32)
> 
> Since pf->adapter->index is a 64-bit value, assigning it directly to a
> 32-bit unsigned long implicitly truncates the upper 32 bits, omitting the
> XOR operation.
> 
> Because the lookup index would differ from the insertion index, xa_load()
> might fail to find the adapter. Would this trigger the WARN_ON and return
> early, permanently leaking the adapter memory?

That's the good point but it seems the problem is deeper -- the xor doesn't
prevent from index collision which may lead to wrong assumption with shared
clocks as far as I can tell (and this will cause warn-on-once in ice_adapter_get
with unpredictable state of adapter in further work). So it looks that xoring
index on 32bit archs is just broken.

Still point is correct (i've been working with this adapters on 64bit archs
only so didn't get this issue). Here is an updated version.
---
From: Cyrill Gorcunov <gorcunov@xxxxxxxxx>
Subject: [PATCH v2] ice: Fix wrong dsn read in ice_adapter_put

When registering an adapter instance, we read the PCI configuration
space to fetch the DSN and generate an adapter index for lookups.

However, if the adapter has been physically unplugged, the PCI space
is no longer accessible. Reading it returns a zero value, which results
in either an incorrect adapter instance being put or the proper instance
not being put at all. To fix this, we will use the previously known
index instead.

Signed-off-by: Cyrill Gorcunov <gorcunov@xxxxxxxxx>
---
 drivers/net/ethernet/intel/ice/ice_adapter.c |   16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

Index: linux-tip.git/drivers/net/ethernet/intel/ice/ice_adapter.c
===================================================================
--- linux-tip.git.orig/drivers/net/ethernet/intel/ice/ice_adapter.c
+++ linux-tip.git/drivers/net/ethernet/intel/ice/ice_adapter.c
@@ -40,10 +40,8 @@ static u64 ice_adapter_index(struct pci_
 	}
 }
 
-static unsigned long ice_adapter_xa_index(struct pci_dev *pdev)
+static unsigned long xa_index_mangle(u64 index)
 {
-	u64 index = ice_adapter_index(pdev);
-
 #if BITS_PER_LONG == 64
 	return index;
 #else
@@ -51,6 +49,12 @@ static unsigned long ice_adapter_xa_inde
 #endif
 }
 
+static unsigned long ice_adapter_xa_index(struct pci_dev *pdev)
+{
+	u64 index = ice_adapter_index(pdev);
+	return xa_index_mangle(index);
+}
+
 static struct ice_adapter *ice_adapter_new(struct pci_dev *pdev)
 {
 	struct ice_adapter *adapter;
@@ -130,13 +134,13 @@ struct ice_adapter *ice_adapter_get(stru
  */
 void ice_adapter_put(struct pci_dev *pdev)
 {
+	const struct ice_pf *pf = pci_get_drvdata(pdev);
+	unsigned long index = xa_index_mangle(pf->adapter->index);
 	struct ice_adapter *adapter;
-	unsigned long index;
 
-	index = ice_adapter_xa_index(pdev);
 	scoped_guard(mutex, &ice_adapters_mutex) {
 		adapter = xa_load(&ice_adapters, index);
-		if (WARN_ON(!adapter))
+		if (WARN_ON(!adapter || adapter != pf->adapter))
 			return;
 		if (!refcount_dec_and_test(&adapter->refcount))
 			return;