Re: [PATCH iwl-net] ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw

[Petr Oros]

On 4/15/26 18:30, Simon Horman wrote:
> On Mon, Apr 13, 2026 at 09:14:20PM +0200, Petr Oros wrote:
> > On certain E810 configurations where firmware supports Tx scheduler
> > topology switching (tx_sched_topo_comp_mode_en), ice_cfg_tx_topo()
> > may need to apply a new 5-layer or 9-layer topology from the DDP
> > package. If the AQ command to set the topology fails (e.g. due to
> > invalid DDP data or firmware limitations), the global configuration
> > lock must still be cleared via a CORER reset.
> >
> > Commit 86aae43f21cf ("ice: don't leave device non-functional if Tx
> > scheduler config fails") correctly fixed this by refactoring
> > ice_cfg_tx_topo() to always trigger CORER after acquiring the global
> > lock and re-initialize hardware via ice_init_hw() afterwards.
> >
> > However, commit 8a37f9e2ff40 ("ice: move ice_deinit_dev() to the end
> > of deinit paths") later moved ice_init_dev_hw() into ice_init_hw(),
> > breaking the reinit path introduced by 86aae43f21cf. This creates an
> > infinite recursive call chain:
> >
> >    ice_init_hw()
> >      ice_init_dev_hw()
> >        ice_cfg_tx_topo()         # topology change needed
> >          ice_deinit_hw()
> >          ice_init_hw()           # reinit after CORER
> >            ice_init_dev_hw()     # recurse
> >              ice_cfg_tx_topo()
> >                ...               # stack overflow
> >
> > Fix by moving ice_init_dev_hw() back out of ice_init_hw() and calling
> > it explicitly from ice_probe() and ice_devlink_reinit_up(). The third
> > caller, ice_cfg_tx_topo(), intentionally does not need ice_init_dev_hw()
> > during its reinit, it only needs the core HW reinitialization. This
> > breaks the recursion cleanly without adding flags or guards.
> >
> > The deinit ordering changes from commit 8a37f9e2ff40 ("ice: move
> > ice_deinit_dev() to the end of deinit paths") which fixed slow rmmod
> > are preserved, only the init-side placement of ice_init_dev_hw() is
> > reverted.
> >
> > Fixes: 8a37f9e2ff40 ("ice: move ice_deinit_dev() to the end of deinit paths")
> > Signed-off-by: Petr Oros <poros@xxxxxxxxxx>
> Hi Petr,
>
> I don't intended to delay this patch.
> But could you follow-up by looking over the AI generated
> review of this patch on sashiko.dev?
>
> Thanks!
Hi Simon,

Thanks, the sashiko.dev concern is valid. ice_init_dev_hw() swallowing
-ENODEV from the torn-down hw is a latent UAF independent of the
recursion fix here. I will send a follow-up patch that propagates
-ENODEV to abort probe cleanly.

Regards,
Petr