PT-2026-52928 · Undefined · Undefined
Published 2026-06-26 · Updated 2026-06-26 · CVE-2026-53289
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

ice: fix NULL pointer dereference in ice_reset_all_vfs()

ice_reset_all_vfs() ignores the return value of ice_vf_rebuild_vsi().
When the VSI rebuild fails (e.g. during NVM firmware update via
nvmupdate64e), ice_vsi_rebuild() tears down the VSI on its error path,
leaving txq_map and rxq_map as NULL. The subsequent unconditional call
to ice_vf_post_vsi_rebuild() leads to a NULL pointer dereference in
ice_ena_vf_q_mappings() when it accesses vsi->txq_map[0].

The single-VF reset path in ice_reset_vf() already handles this
correctly by checking the return value of ice_vf_reconfig_vsi() and
skipping ice_vf_post_vsi_rebuild() on failure.

Apply the same pattern to ice_reset_all_vfs(): check the return value
of ice_vf_rebuild_vsi() and skip ice_vf_post_vsi_rebuild() and
ice_eswitch_attach_vf() on failure. The VF is left safely disabled
(ICE_VF_STATE_INIT not set, VFGEN_RSTAT not set to VFACTIVE) and can
be recovered via a VFLR triggered by a PCI reset of the VF
(sysfs reset or driver rebind).

Note that this patch does not prevent the VF VSI rebuild from failing
during NVM update — the underlying cause is firmware being in a
transitional state while the EMP reset is processed, which can cause
Admin Queue commands (ice_add_vsi, ice_cfg_vsi_lan) to fail. This
patch only prevents the subsequent NULL pointer dereference that
crashes the kernel when the rebuild does fail.

crash> bt
PID: 50795 TASK: ff34c9ee708dc680 CPU: 1 COMMAND: "kworker/u512:5"
#0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee
#1 [ff72159bcfe5bba8] __crash_kexec at ffffffffaaa15fba
#2 [ff72159bcfe5bc68] crash_kexec at ffffffffaaa16540
#3 [ff72159bcfe5bc70] oops_end at ffffffffaa837eda
#4 [ff72159bcfe5bc90] page_fault_oops at ffffffffaa893997
#5 [ff72159bcfe5bce8] exc_page_fault at ffffffffab528595
#6 [ff72159bcfe5bd10] asm_exc_page_fault at ffffffffab600bb2
[exception RIP: ice_ena_vf_q_mappings+0x79]
RIP: ffffffffc0a85b29 RSP: ff72159bcfe5bdc8 RFLAGS: 00010206
RAX: 00000000000f0000 RBX: ff34c9efc9c00000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff34c9efc9c00000
RBP: ff34c9efc27d4828 R8: 0000000000000093 R9: 0000000000000040
R10: ff34c9efc27d4828 R11: 0000000000000040 R12: 0000000000100000
R13: 0000000000000010 R14: R15:
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ff72159bcfe5bdf8] ice_sriov_post_vsi_rebuild at ffffffffc0a85e2e [ice]
#8 [ff72159bcfe5be08] ice_reset_all_vfs at ffffffffc0a920b4 [ice]
#9 [ff72159bcfe5be48] ice_service_task at ffffffffc0a31519 [ice]
#10 [ff72159bcfe5be88] process_one_work at ffffffffaa93dca4
#11 [ff72159bcfe5bec8] worker_thread at ffffffffaa93e9de
#12 [ff72159bcfe5bf18] kthread at ffffffffaa946663
#13 [ff72159bcfe5bf50] ret_from_fork at ffffffffaa8086b9

The panic occurs attempting to dereference the NULL pointer in RDX at
ice_sriov.c:294, which loads vsi->txq_map (offset 0x4b8 in ice_vsi).
The faulting VSI is an allocated slab object but not fully initialized
after a failed ice_vsi_rebuild():

crash> struct ice_vsi 0xff34c9efc27d4828
netdev = 0x0,
rx_rings = 0x0,
tx_rings = 0x0,
q_vectors = 0x0,
txq_map = 0x0,
rxq_map = 0x0,
alloc_txq = 0x10,
num_txq = 0x10,
alloc_rxq = 0x10,
num_rxq = 0x10,

The nvmupdate64e process was performing NVM firmware update:

crash> bt 0xff34c9edd1a30000
PID: 49858 TASK: ff34c9edd1a30000 CPU: 1 COMMAND: "nvmupdate64e"
#0 [ff72159bcd617618] schedule at ffffffffab5333f8
#4 [ff72159bcd617750] ice_sq_send_cmd at ffffffffc0a35347 [ice]
#5 [ff72159bcd6177a8] ice_sq_send_cmd_retry at ffffffffc0a35b47 [ice]
#6 [ff72159bcd617810] ice_aq_send_cmd at ffffffffc0a38018 [ice]
#7 [ff72159bcd617848] ice_aq_read_nvm at ffffffffc0a40254 [ice]
#8
---truncated---
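
The return-value check described above, reduced to a user-space C model. This is an added example, not the ice driver's code: every model_* name is hypothetical, and fw_busy stands in for firmware being in its transitional state during the NVM update.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified user-space model; every name here is hypothetical. */
struct model_vsi { unsigned short *txq_map; unsigned short num_txq; };
struct model_vf  { struct model_vsi vsi; bool fw_busy; bool active; };

/* Models a rebuild whose error path leaves the VSI torn down (txq_map NULL). */
static int model_rebuild_vsi(struct model_vf *vf)
{
    free(vf->vsi.txq_map);
    vf->vsi.txq_map = NULL;
    if (vf->fw_busy)
        return -1;              /* stands in for a failed Admin Queue command */
    vf->vsi.txq_map = calloc(vf->vsi.num_txq, sizeof(*vf->vsi.txq_map));
    return vf->vsi.txq_map ? 0 : -1;
}

/* Models the post-rebuild step: it reads txq_map[0] unconditionally. */
static void model_post_rebuild(struct model_vf *vf)
{
    unsigned short first_q = vf->vsi.txq_map[0];
    (void)first_q;
    vf->active = true;
}

/* Reset loop with the check in place; returns how many VFs came back active. */
static size_t model_reset_all(struct model_vf *vfs, size_t n)
{
    size_t ok = 0;
    for (size_t i = 0; i < n; i++) {
        vfs[i].active = false;
        if (model_rebuild_vsi(&vfs[i]))
            continue;           /* VF stays disabled; post-rebuild is skipped */
        model_post_rebuild(&vfs[i]);
        ok++;
    }
    return ok;
}

int main(void)
{
    /* Constructed input: three VFs with 0x10 queues each; the second fails. */
    struct model_vf vfs[3] = { { {NULL, 16}, false, false },
                               { {NULL, 16}, true,  false },
                               { {NULL, 16}, false, false } };
    size_t ok = model_reset_all(vfs, 3);
    for (size_t i = 0; i < 3; i++) free(vfs[i].vsi.txq_map);
    return ok == 2 ? 0 : 1;
}
```

Removing the `continue` branch reproduces the failure shape from the backtrace: the post-rebuild step runs on a VF whose txq_map is NULL.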