CVE-2026-53008
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix race condition in TX timestamp ring cleanup
Fix a race condition between ice_free_tx_tstamp_ring() and ice_tx_map() that can cause a NULL pointer dereference.
ice_free_tx_tstamp_ring currently clears the ICE_TX_FLAGS_TXTIME flag after NULLing the tstamp_ring. This could allow a concurrent ice_tx_map call on another CPU to dereference the tstamp_ring, which could lead to a NULL pointer dereference.
| CPU A:ice_free_tx_tstamp_ring() | CPU B:ice_tx_map() |
|---|---|
| tx_ring->tstamp_ring = NULL | |
| ice_is_txtime_cfg() -> true | |
| tstamp_ring = tx_ring->tstamp_ring | |
| tstamp_ring->count // NULL deref! | |
| flags &= ~ICE_TX_FLAGS_TXTIME |
Fix by:
- Reordering ice_free_tx_tstamp_ring() to clear the flag before NULLing the pointer, with smp_wmb() to ensure proper ordering.
- Adding smp_rmb() in ice_tx_map() after the flag check to order the flag read before the pointer read, using READ_ONCE() for the pointer, and adding a NULL check as a safety net.
- Converting tx_ring->flags from u8 to DECLARE_BITMAP() and using
atomic bitops (set_bit(), clear_bit(), test_bit()) for all flag
operations throughout the driver:
- ICE_TX_RING_FLAGS_XDP
- ICE_TX_RING_FLAGS_VLAN_L2TAG1
- ICE_TX_RING_FLAGS_VLAN_L2TAG2
- ICE_TX_RING_FLAGS_TXTIME
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | ccde82e909467abdf098a8ee6f63e1ecf9a47ce5 < 097409d20465723283632515df73038a4a853eda | affected |
| Linux | Linux | ccde82e909467abdf098a8ee6f63e1ecf9a47ce5 < 7c72ec18c2a4111204c2e915f8e4f6d849ce9398 | affected |
| Linux | Linux | 6.18 | affected |
| Linux | Linux | 0 < 6.18 | unaffected |
| Linux | Linux | 7.0.10 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/097409d20465723283632515df73038a4a853eda
- https://git.kernel.org/stable/c/7c72ec18c2a4111204c2e915f8e4f6d849ce9398
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.