Memory safety: NULL pointer dereference in kernel networking driver (Intel ICE)
Description
Root cause: In ice_set_ringparam(), the code sets tstamp_ring of the temporary tx_rings to NULL and then calls ice_setup_tx_ring(). If ICE_TX_RING_FLAGS_TXTIME is still set when ice_setup_tx_ring() fails, the unwinding path can trigger a NULL pointer dereference during cleanup: ice_clean_tx_ring() -> ice_is_txtime_cfg() == true -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref).
Fix: The patch clears the ICE_TX_RING_FLAGS_TXTIME bit on the affected tx_rings before calling ice_setup_tx_ring(), preventing the unwinding path from attempting to free an absent timestamp ring and thus avoiding the NULL dereference.
Impact: This is a memory safety issue in the kernel networking stack (Intel ICE driver). If triggered, it could crash the kernel (local DoS) rather than execute arbitrary code. The fix is a targeted control-flow safeguard in error handling.
Proof of Concept
PoC (high-level reproduction steps; requires a vulnerable kernel build with the ICE driver and TXTIME offload enabled):
1) Ensure an Intel ICE NIC is present and that TXTIME offload is configured/attempted (the path is taken when ICE_TX_RING_FLAGS_TXTIME is set).
2) Invoke ice_set_ringparam() in a way that causes ice_setup_tx_ring() to fail after tx_rings[i].tstamp_ring has been nulled but before the TXTIME flag is cleared (as in the vulnerable code path).
3) Observe kernel behavior during unwinding after the ice_setup_tx_ring() failure. If the patch is not applied, the unwind may dereference tstamp_ring->desc, which is a NULL pointer, and crash the kernel.
4) After applying the patch, the TXTIME flag is cleared prior to the failed ice_setup_tx_ring() call, so ice_clean_tx_ring() will not enter the TXTIME timestamp cleanup path, avoiding the NULL dereference.
Note: This PoC is a controlled demonstration of a crash scenario on vulnerable kernels. Do not attempt on production systems. Reproduce only in a lab environment with hardware that matches the ICE driver and with the vulnerable kernel configuration.
If you cannot reproduce deterministically in your environment, consider instrumenting ice_set_ringparam() to log when ice_setup_tx_ring() fails while the TXTIME flag is set, then validate that the patched kernel no longer crashes during unwind.
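The following userspace C program is an added illustration of the invariant described in the root-cause analysis above and of the consistency check the instrumentation suggestion asks for; it is not the ice driver's code, and every model_ prefixed name, the bitmap helpers and the simplified single-ring unwind are assumptions made for the example. It keeps only what matters: a ring may carry the TXTIME flag only while it actually owns a timestamp ring, and the unwind consults the flag, not the pointer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical model (assumption, not the ice driver's code) of the state
 * that ice_set_ringparam() touches. The real driver's allocation, locking
 * and multi-ring unwind loop are left out; the invariant the fix restores
 * is what remains: TXTIME flag set implies tstamp_ring != NULL.
 */

#define MODEL_BITS_PER_LONG (8u * sizeof(unsigned long))
enum { MODEL_TX_RING_FLAGS_TXTIME = 0, MODEL_TX_FLAGS_NBITS = 1 };
#define MODEL_BITMAP_LONGS \
    ((MODEL_TX_FLAGS_NBITS + MODEL_BITS_PER_LONG - 1) / MODEL_BITS_PER_LONG)

/* Minimal stand-ins for the kernel's test_bit/set_bit/clear_bit on a bitmap. */
static bool model_test_bit(unsigned int nr, const unsigned long *map)
{
    return (map[nr / MODEL_BITS_PER_LONG] >> (nr % MODEL_BITS_PER_LONG)) & 1UL;
}
static void model_set_bit(unsigned int nr, unsigned long *map)
{
    map[nr / MODEL_BITS_PER_LONG] |= 1UL << (nr % MODEL_BITS_PER_LONG);
}
static void model_clear_bit(unsigned int nr, unsigned long *map)
{
    map[nr / MODEL_BITS_PER_LONG] &= ~(1UL << (nr % MODEL_BITS_PER_LONG));
}

struct model_tstamp_ring { void *desc; };

struct model_tx_ring {
    unsigned long flags[MODEL_BITMAP_LONGS];
    struct model_tstamp_ring *tstamp_ring;
    void *desc;
};

static bool model_is_txtime_cfg(const struct model_tx_ring *ring)
{
    return model_test_bit(MODEL_TX_RING_FLAGS_TXTIME, ring->flags);
}

/* The check a reviewer or an instrumented build can apply at any point:
 * the flag may only be set while a timestamp ring is actually present. */
static bool model_ring_consistent(const struct model_tx_ring *ring)
{
    return !model_is_txtime_cfg(ring) || ring->tstamp_ring != NULL;
}

/* Mirrors the unwind described in the report. Instead of faulting on
 * tstamp_ring->desc when the pointer is NULL, it returns -1 so the outcome
 * can be observed in userspace. */
static int model_clean_tx_ring(struct model_tx_ring *ring)
{
    if (model_is_txtime_cfg(ring)) {
        if (!ring->tstamp_ring)
            return -1;            /* the real driver dereferences NULL here */
        ring->tstamp_ring->desc = NULL;
    }
    ring->desc = NULL;
    return 0;
}

/* Stand-in for ice_setup_tx_ring(); `fail` simulates its allocation failing. */
static int model_setup_tx_ring(struct model_tx_ring *ring, bool fail)
{
    static unsigned char desc_mem[64];

    if (fail)
        return -12;               /* -ENOMEM */
    ring->desc = desc_mem;
    return 0;
}

/* The clone-and-resize sequence from the hunk, with the fix optionally
 * applied. Returns 0 when the error path unwinds safely and -1 when it
 * would have dereferenced a NULL timestamp ring. */
static int model_set_ringparam(bool apply_fix, bool setup_fails)
{
    static unsigned char live_desc[16];
    struct model_tstamp_ring live_tstamp = { .desc = live_desc };
    struct model_tx_ring live = { .tstamp_ring = &live_tstamp, .desc = live_desc };
    struct model_tx_ring tmp;

    model_set_bit(MODEL_TX_RING_FLAGS_TXTIME, live.flags); /* TXTIME offload on */

    tmp = live;                   /* temporary clone, like tx_rings[i] = *vsi->tx_rings[i] */
    tmp.desc = NULL;
    tmp.tstamp_ring = NULL;       /* the clone owns no timestamp ring yet ... */
    if (apply_fix)                /* ... so it must not claim one (the patch's clear_bit) */
        model_clear_bit(MODEL_TX_RING_FLAGS_TXTIME, tmp.flags);

    if (model_setup_tx_ring(&tmp, setup_fails))
        return model_clean_tx_ring(&tmp);   /* error path: unwind */
    return 0;
}
```

model_set_ringparam(false, true) reproduces the report's scenario (flag still set, setup fails) and returns -1 where the driver would oops; model_set_ringparam(true, true) follows the patched ordering and unwinds cleanly. model_ring_consistent() is the kind of assertion one would log from an instrumented ice_set_ringparam() to confirm the flag and the pointer never disagree on the error path.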
Commit Details
Author: Kohei Enju
Date: 2026-04-17 00:53 UTC
Message:
ice: fix potential NULL pointer deref in error path of ice_set_ringparam()
ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without
clearing ICE_TX_RING_FLAGS_TXTIME bit.
When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent
ice_setup_tx_ring() call fails, a NULL pointer dereference could happen
in the unwinding sequence:
ice_clean_tx_ring()
-> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set)
-> ice_free_tx_tstamp_ring()
-> ice_free_tstamp_ring()
-> tstamp_ring->desc (NULL deref)
Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue.
Note that this potential issue is found by manual code review.
Compile test only since unfortunately I don't have E830 devices.
Fixes: ccde82e90946 ("ice: add E830 Earliest TxTime First Offload support")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Reviewed-by: Paul Greenwalt <paul.greenwalt@intel.com>
Tested-by: Rinitha S <sx.rinitha@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-8-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Triage Assessment
Vulnerability Type: Memory safety (NULL pointer dereference)
Confidence: HIGH
Reasoning:
Addresses a potential NULL pointer dereference in the error handling path of ice_set_ringparam by clearing ICE_TX_RING_FLAGS_TXTIME, preventing a crash during unwinding (memory safety issue with security implications).
Verification Assessment
Vulnerability Type: Memory safety: NULL pointer dereference in kernel networking driver (Intel ICE)
Confidence: HIGH
Affected Versions: v7.0-rc6 and earlier (ICE driver code in Linux kernels containing this path before the patch)
Code Diff
diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
index e6a20af6f63de5..f28416a707d77c 100644
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -3290,6 +3290,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
tx_rings[i].desc = NULL;
tx_rings[i].tx_buf = NULL;
tx_rings[i].tstamp_ring = NULL;
+ clear_bit(ICE_TX_RING_FLAGS_TXTIME, tx_rings[i].flags);
tx_rings[i].tx_tstamps = &pf->ptp.port.tx;
err = ice_setup_tx_ring(&tx_rings[i]);
if (err) {
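Review bot: the added clear_bit() sits directly after `tx_rings[i].tstamp_ring = NULL;`, which is the right place: the temporary ring stops claiming a timestamp ring it does not own before ice_setup_tx_ring() can fail, so ice_clean_tx_ring() no longer takes the ice_is_txtime_cfg() branch on it. That ordering is the whole fix, so a one-line comment above the clear_bit stating why the flag must follow the pointer would protect it from a later reorder. Since this tx_rings array is the temporary clone the commit message describes and is not yet shared, the non-atomic __clear_bit() would also suffice, though the atomic clear_bit() is harmless. The hunk ends at `if (err) {` and the unwind loop itself is not shown; it is worth confirming there that every ring the loop visits has either had the flag cleared or a tstamp_ring allocated by a successful setup.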