[bug report] Potential atomicity/refcounting issues in 'drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c', between 'cxgb4_clip_get()' and 'cxgb4_clip_release()'

Next message: Vincent Guittot: "Re: [PATCH v2] sched: fair: Prevent negative lag increase during delayed dequeue"
Previous message: Corey Leavitt: "[PATCH RFC net-next 0/4] net: pse-pd: decouple controller lookup from MDIO probe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ginger

Date: Thu Apr 23 2026 - 03:28:27 EST

Dear Linux kernel maintainers,

My research-based static analyzer found a potential
refcounting/atomicity bug within the
'drivers/net/ethernet/chelsio/cxgb4' subsystem, more specifically, in
'drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c'.

Kernel version: long-term kernel v6.18.9

Potential concurrent triggering executions:
T0:
cxgb4_clip_get
--> read_unlock_bh(&ctbl->lock);
--> refcount_inc(&ce->refcnt);
or
cxgb4_clip_get
--> write_unlock_bh(&ctbl->lock);
--> refcount_set(&ce->refcnt, 1);

T1:
cxgb4_clip_release
--> write_lock_bh(&ctbl->lock);
--> spin_lock_bh(&ce->lock);
--> refcount_dec_and_test(&ce->refcnt);
--> spin_unlock_bh(&ce->lock);
--> write_unlock_bh(&ctbl->lock);

In T0, the refcounting increment on 'ce->refcnt' is not operated
within 'ctbl->lock' and or does not check whether the refcount has
already reached zero, i.e., not synchronized with
'cxgb4_clip_release'.
Although 'ctbl->lock' does not seem to protect 'ce->refcnt', this is
potentially problematic because T1 decrements the 'ce->refcnt' using
synchronized locks and refcounting decrement.

Thank you for your time and consideration.

Best regards,
Ginger