[Intel-wired-lan] [PATCH iwl-net v2 1/3] ice: Convert ctrl_pf pointer in struct ice_adapter to RCU

Mon, 11 May 2026 02:28:42 -0700 

Use RCU to ensure the consistent state of the control PF global
pointer contained in struct ice_adapter. Enforce RCU usage on
the callers.

Fix a potential invalid pointer return due a TOCTOU issue

Fixes: e2193f9f9ec9 ("ice: enable timesync operation on 2xNAC E825 devices")

Signed-off-by: Sergey Temerkhanov <[email protected]>
Reviewed-by: Arkadiusz Kubalewski <[email protected]>
Tested-by: Frederick Lawler <[email protected]>
---
 drivers/net/ethernet/intel/ice/ice.h         | 10 +++-
 drivers/net/ethernet/intel/ice/ice_adapter.h |  2 +-
 drivers/net/ethernet/intel/ice/ice_ptp.c     | 49 ++++++++++++++++----
 drivers/net/ethernet/intel/ice/ice_ptp_hw.c  |  9 ++++
 4 files changed, 59 insertions(+), 11 deletions(-)

diff --git a/drivers/net/ethernet/intel/ice/ice.h 
b/drivers/net/ethernet/intel/ice/ice.h
index 804f5aa8e9f5..2b2787d16c33 100644
--- a/drivers/net/ethernet/intel/ice/ice.h
+++ b/drivers/net/ethernet/intel/ice/ice.h
@@ -40,6 +40,7 @@
 #include <linux/cpu_rmap.h>
 #include <linux/dim.h>
 #include <linux/gnss.h>
+#include <linux/rcupdate.h>
 #include <net/pkt_cls.h>
 #include <net/pkt_sched.h>
 #include <net/tc_act/tc_mirred.h>
@@ -1145,14 +1146,19 @@ static inline bool ice_pf_src_tmr_owned(struct ice_pf 
*pf)
  * ice_get_primary_hw - Get pointer to primary ice_hw structure
  * @pf: pointer to PF structure
  *
+ * The function must be called from an RCU read-side critical section.
+ * hw is embedded in struct ice_pf, so it is protected by the RCU.
+ *
  * Return: A pointer to ice_hw structure with access to timesync
  * register space.
  */
 static inline struct ice_hw *ice_get_primary_hw(struct ice_pf *pf)
 {
-       if (!pf->adapter->ctrl_pf)
+       struct ice_pf *ctrl_pf = rcu_dereference(pf->adapter->ctrl_pf);
+
+       if (!ctrl_pf)
                return &pf->hw;
        else
-               return &pf->adapter->ctrl_pf->hw;
+               return &ctrl_pf->hw;
 }
 #endif /* _ICE_H_ */
diff --git a/drivers/net/ethernet/intel/ice/ice_adapter.h 
b/drivers/net/ethernet/intel/ice/ice_adapter.h
index e95266c7f20b..349d49d57f11 100644
--- a/drivers/net/ethernet/intel/ice/ice_adapter.h
+++ b/drivers/net/ethernet/intel/ice/ice_adapter.h
@@ -42,7 +42,7 @@ struct ice_adapter {
        /* For access to GLCOMM_QTX_CNTX_CTL register */
        spinlock_t txq_ctx_lock;
 
-       struct ice_pf *ctrl_pf;
+       struct ice_pf __rcu *ctrl_pf;
        struct ice_port_list ports;
        u64 index;
 };
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c 
b/drivers/net/ethernet/intel/ice/ice_ptp.c
index 691f05c62d4e..23d9a826f88b 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
@@ -4,6 +4,7 @@
 #include "ice.h"
 #include "ice_lib.h"
 #include "ice_trace.h"
+#include <linux/rcupdate.h>
 
 static const char ice_pin_names[][64] = {
        "SDP0",
@@ -54,11 +55,35 @@ static const struct ice_ptp_pin_desc ice_pin_desc_dpll[] = {
        {  SDP3, {  3, -1 }, { 0, 0 }},
 };
 
+/**
+ * ice_get_ctrl_pf - Get the control PF for a given PF
+ * @pf: The PF pointer to look up at
+ *
+ * The control PF is the PF which owns the PTP clock for the adapter.
+ * Only the control PF is allowed to perform certain operations on the
+ * PTP clock such as adjusting the time or configuring the pins.
+ *
+ * This function must be called from an RCU read-side critical section.
+ *
+ * Return: Pointer to the control PF, or NULL if not found
+ */
 static struct ice_pf *ice_get_ctrl_pf(struct ice_pf *pf)
 {
-       return !pf->adapter ? NULL : pf->adapter->ctrl_pf;
+       return !pf->adapter ? NULL : rcu_dereference(pf->adapter->ctrl_pf);
 }
 
+/**
+ * ice_get_ctrl_ptp - Get the PTP structure for the control PF
+ * @pf: The PF pointer to look up at
+ *
+ * The control PF is the PF which owns the PTP clock for the adapter.
+ * Only the control PF is allowed to perform certain operations on the
+ * PTP clock such as adjusting the time or configuring the pins.
+ *
+ * This function must be called from an RCU read-side critical section.
+ *
+ * Return: Pointer to the PTP structure of the control PF, or NULL if not found
+ */
 static struct ice_ptp *ice_get_ctrl_ptp(struct ice_pf *pf)
 {
        struct ice_pf *ctrl_pf = ice_get_ctrl_pf(pf);
@@ -207,6 +232,8 @@ u64 ice_ptp_read_src_clk_reg(struct ice_pf *pf,
        u32 hi, lo, lo2;
        u8 tmr_idx;
 
+       guard(rcu)();
+
        if (!ice_is_primary(hw))
                hw = ice_get_primary_hw(pf);
 
@@ -3074,18 +3101,19 @@ void ice_ptp_rebuild(struct ice_pf *pf, enum 
ice_reset_req reset_type)
 
 static void ice_ptp_setup_adapter(struct ice_pf *pf)
 {
-       pf->adapter->ctrl_pf = pf;
+       rcu_assign_pointer(pf->adapter->ctrl_pf, pf);
 }
 
 static int ice_ptp_setup_pf(struct ice_pf *pf)
 {
-       struct ice_ptp *ctrl_ptp = ice_get_ctrl_ptp(pf);
        struct ice_ptp *ptp = &pf->ptp;
 
-       if (!ctrl_ptp) {
-               dev_info(ice_pf_to_dev(pf),
-                        "PTP unavailable: no controlling PF\n");
-               return -EOPNOTSUPP;
+       scoped_guard(rcu) {
+               if (!ice_get_ctrl_ptp(pf)) {
+                       dev_info(ice_pf_to_dev(pf),
+                                "PTP unavailable: no controlling PF\n");
+                       return -EOPNOTSUPP;
+               }
        }
 
        if (pf->hw.mac_type == ICE_MAC_UNKNOWN)
@@ -3121,11 +3149,16 @@ static void ice_ptp_cleanup_pf(struct ice_pf *pf)
  */
 int ice_ptp_clock_index(struct ice_pf *pf)
 {
-       struct ice_ptp *ctrl_ptp = ice_get_ctrl_ptp(pf);
+       struct ice_ptp *ctrl_ptp;
        struct ptp_clock *clock;
 
+       guard(rcu)();
+
+       ctrl_ptp = ice_get_ctrl_ptp(pf);
+
        if (!ctrl_ptp)
                return -1;
+
        clock = ctrl_ptp->clock;
 
        return clock ? ptp_clock_index(clock) : -1;
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c 
b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
index f0b76660a012..30a7096854c2 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 /* Copyright (C) 2021, Intel Corporation. */
 
+#include <linux/cleanup.h>
 #include <linux/delay.h>
 #include <linux/iopoll.h>
 #include "ice_common.h"
@@ -351,6 +352,8 @@ void ice_ptp_src_cmd(struct ice_hw *hw, enum 
ice_ptp_tmr_cmd cmd)
        struct ice_pf *pf = container_of(hw, struct ice_pf, hw);
        u32 cmd_val = ice_ptp_tmr_cmd_to_src_reg(hw, cmd);
 
+       guard(rcu)();
+
        if (!ice_is_primary(hw))
                hw = ice_get_primary_hw(pf);
 
@@ -379,6 +382,8 @@ static void ice_ptp_exec_tmr_cmd(struct ice_hw *hw)
        if (err)
                dev_warn(ice_hw_to_dev(hw), "Failed to flush SBQ: %d\n", err);
 
+       guard(rcu)();
+
        if (!ice_is_primary(hw))
                hw = ice_get_primary_hw(pf);
 
@@ -1948,6 +1953,8 @@ static int ice_read_phy_and_phc_time_eth56g(struct ice_hw 
*hw, u8 port,
                zo = rd32(hw, GLTSYN_SHTIME_0(tmr_idx));
                lo = rd32(hw, GLTSYN_SHTIME_L(tmr_idx));
        } else {
+               guard(rcu)();
+
                zo = rd32(ice_get_primary_hw(pf), GLTSYN_SHTIME_0(tmr_idx));
                lo = rd32(ice_get_primary_hw(pf), GLTSYN_SHTIME_L(tmr_idx));
        }
@@ -2117,6 +2124,8 @@ int ice_start_phy_timer_eth56g(struct ice_hw *hw, u8 port)
                lo = rd32(hw, GLTSYN_INCVAL_L(tmr_idx));
                hi = rd32(hw, GLTSYN_INCVAL_H(tmr_idx));
        } else {
+               guard(rcu)();
+
                lo = rd32(ice_get_primary_hw(pf), GLTSYN_INCVAL_L(tmr_idx));
                hi = rd32(ice_get_primary_hw(pf), GLTSYN_INCVAL_H(tmr_idx));
        }
-- 
2.53.0

Reply via email to