AI Trajectory

Trajectory: (Expand/Collapse All)
Seq	Timestamp	Type	Name	Duration
0/0	2026/06/22 11:55	flow	patch-triage	0m Args: null Results: { "EnableConfigs": null, "FocusSymbols": [], "Reasoning": "The patch modifies the Intel Ethernet Connection E800 Series Linux Driver (ice). This driver is for physical PCIe hardware and lacks software emulation in QEMU or the Linux kernel. Therefore, the modified code paths are impossible to reach and test in virtualized environments like GCE or QEMU.", "WorthFuzzing": false }
1/1	2026/06/22 11:55	action	read-patch-diff	0m Args: null Results: { "PatchDiff": "commit 7e932ab6ae8c99afbc33c1940ee33e1b909af7e7\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Mon Jun 22 11:55:28 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/drivers/net/ethernet/intel/ice/ice_eswitch.c b/drivers/net/ethernet/intel/ice/ice_eswitch.c\nindex 2e4f0969035f77..48273ef9f69dc8 100644\n--- a/drivers/net/ethernet/intel/ice/ice_eswitch.c\n+++ b/drivers/net/ethernet/intel/ice/ice_eswitch.c\n@@ -66,8 +66,10 @@ static int ice_eswitch_setup_env(struct ice_pf pf)\n \tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx, false,\n \t\t\t ICE_FLTR_TX);\n err_def_tx:\n-\tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx, false,\n-\t\t\t ICE_FLTR_RX);\n+\t/ keep the Rx DFLT rule if the uplink is promiscuous (see release_env) /\n+\tif (!(uplink_vsi-\u003enetdev-\u003eflags \u0026 IFF_PROMISC))\n+\t\tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx,\n+\t\t\t\t false, ICE_FLTR_RX);\n err_def_rx:\n \tice_vsi_del_vlan_zero(uplink_vsi);\n err_vlan_zero:\n@@ -278,8 +280,16 @@ static void ice_eswitch_release_env(struct ice_pf pf)\n \tvlan_ops-\u003eena_rx_filtering(uplink_vsi);\n \tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx, false,\n \t\t\t ICE_FLTR_TX);\n-\tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx, false,\n-\t\t\t ICE_FLTR_RX);\n+\n+\t/* Keep the Rx DFLT rule if the uplink is promiscuous; it must outlive\n+\t * the session. Test the live netdev-\u003eflags, the same value\n+\t * ena_rx_filtering() -\u003e ice_cfg_vlan_pruning() above keys its decision\n+\t * on, so the preserved DFLT rule and the pruning state stay consistent.\n+\t /\n+\tif (!(uplink_vsi-\u003enetdev-\u003eflags \u0026 IFF_PROMISC))\n+\t\tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx,\n+\t\t\t\t false, ICE_FLTR_RX);\n+\n \tice_fltr_add_mac_and_broadcast(uplink_vsi,\n \t\t\t\t uplink_vsi-\u003eport_info-\u003emac.perm_addr,\n \t\t\t\t ICE_FWD_TO_VSI);\ndiff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c\nindex e2fbe111f84969..efb1f536de6c7a 100644\n--- a/drivers/net/ethernet/intel/ice/ice_main.c\n+++ b/drivers/net/ethernet/intel/ice/ice_main.c\n@@ -274,7 +274,8 @@ static int ice_set_promisc(struct ice_vsi vsi, u8 promisc_m)\n \tif (vsi-\u003etype != ICE_VSI_PF)\n \t\treturn 0;\n \n-\tif (ice_vsi_has_non_zero_vlans(vsi)) {\n+\t/* skip per-VID expansion; the DFLT Rx rule already covers every VID /\n+\tif (ice_vsi_has_non_zero_vlans(vsi) \u0026\u0026 !ice_is_vsi_dflt_vsi(vsi)) {\n \t\tpromisc_m \|= (ICE_PROMISC_VLAN_RX \| ICE_PROMISC_VLAN_TX);\n \t\tstatus = ice_fltr_set_vlan_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi,\n \t\t\t\t\t\t promisc_m);\n@@ -304,9 +305,19 @@ static int ice_clear_promisc(struct ice_vsi vsi, u8 promisc_m)\n \t\treturn 0;\n \n \tif (ice_vsi_has_non_zero_vlans(vsi)) {\n-\t\tpromisc_m \|= (ICE_PROMISC_VLAN_RX \| ICE_PROMISC_VLAN_TX);\n+\t\tint vid0_status;\n+\n+\t\t/* set time used either recipe (per-VID PROMISC_VLAN, or vid=0\n+\t\t * PROMISC via the ice_set_promisc() else branch), so clear\n+\t\t * both; clearing an absent rule succeeds\n+\t\t /\n \t\tstatus = ice_fltr_clear_vlan_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi,\n-\t\t\t\t\t\t\t promisc_m);\n+\t\t\t\tpromisc_m \| ICE_PROMISC_VLAN_RX \|\n+\t\t\t\tICE_PROMISC_VLAN_TX);\n+\t\tvid0_status = ice_fltr_clear_vsi_promisc(\u0026vsi-\u003eback-\u003ehw,\n+\t\t\t\t\t\t\t vsi-\u003eidx, promisc_m, 0);\n+\t\tif (!status)\n+\t\t\tstatus = vid0_status;\n \t} else {\n \t\tstatus = ice_fltr_clear_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi-\u003eidx,\n \t\t\t\t\t\t promisc_m, 0);\n@@ -317,6 +328,49 @@ static int ice_clear_promisc(struct ice_vsi vsi, u8 promisc_m)\n \treturn status;\n }\n \n+/*\n+ ice_vsi_exit_dflt_promisc - drop the default VSI Rx rule on promisc off\n+ * @vsi: the VSI leaving promiscuous mode\n+ \n+ For an IFF_ALLMULTI VSI with VLANs the per-VID multicast rules are\n+ * reinstated before the default rule is cleared so coverage never lapses;\n+ * the then redundant vid=0 rule is dropped best-effort. The callees log\n+ * their own failures, so error returns are not re-logged here.\n+ \n+ Return: 0 on success, negative on error with the default rule left in place.\n+ /\n+static int ice_vsi_exit_dflt_promisc(struct ice_vsi vsi)\n+{\n+\tstruct ice_vsi_vlan_ops vlan_ops = ice_get_compat_vsi_vlan_ops(vsi);\n+\tstruct net_device netdev = vsi-\u003enetdev;\n+\tstruct ice_hw hw = \u0026vsi-\u003eback-\u003ehw;\n+\tbool restore_mc;\n+\tint err;\n+\n+\trestore_mc = (vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) \u0026\u0026\n+\t\t ice_vsi_has_non_zero_vlans(vsi);\n+\n+\tif (restore_mc) {\n+\t\terr = ice_fltr_set_vlan_vsi_promisc(hw, vsi,\n+\t\t\t\t\t\t ICE_MCAST_VLAN_PROMISC_BITS);\n+\t\tif (err \u0026\u0026 err != -EEXIST)\n+\t\t\treturn err;\n+\t}\n+\n+\terr = ice_clear_dflt_vsi(vsi);\n+\tif (err)\n+\t\treturn err;\n+\n+\tif (netdev-\u003efeatures \u0026 NETIF_F_HW_VLAN_CTAG_FILTER)\n+\t\tvlan_ops-\u003eena_rx_filtering(vsi);\n+\n+\tif (restore_mc)\n+\t\tice_fltr_clear_vsi_promisc(hw, vsi-\u003eidx, ICE_MCAST_PROMISC_BITS,\n+\t\t\t\t\t 0);\n+\n+\treturn 0;\n+}\n+\n /\n ice_vsi_sync_fltr - Update the VSI filter list to the HW\n * @vsi: ptr to the VSI\n@@ -442,17 +496,12 @@ static int ice_vsi_sync_fltr(struct ice_vsi vsi)\n \t\t} else {\n \t\t\t/ Clear Rx filter to remove traffic from wire /\n \t\t\tif (ice_is_vsi_dflt_vsi(vsi)) {\n-\t\t\t\terr = ice_clear_dflt_vsi(vsi);\n+\t\t\t\terr = ice_vsi_exit_dflt_promisc(vsi);\n \t\t\t\tif (err) {\n-\t\t\t\t\tnetdev_err(netdev, \"Error %d clearing default VSI %i Rx rule\\n\",\n-\t\t\t\t\t\t err, vsi-\u003evsi_num);\n \t\t\t\t\tvsi-\u003ecurrent_netdev_flags \|=\n \t\t\t\t\t\tIFF_PROMISC;\n \t\t\t\t\tgoto out_promisc;\n \t\t\t\t}\n-\t\t\t\tif (vsi-\u003enetdev-\u003efeatures \u0026\n-\t\t\t\t NETIF_F_HW_VLAN_CTAG_FILTER)\n-\t\t\t\t\tvlan_ops-\u003eena_rx_filtering(vsi);\n \t\t\t}\n \n \t\t\t/ disable allmulti here, but only if allmulti is not\n@@ -3675,10 +3724,9 @@ int ice_vlan_rx_add_vid(struct net_device netdev, __be16 proto, u16 vid)\n \twhile (test_and_set_bit(ICE_CFG_BUSY, vsi-\u003estate))\n \t\tusleep_range(1000, 2000);\n \n-\t/ Add multicast promisc rule for the VLAN ID to be added if\n-\t * all-multicast is currently enabled.\n-\t /\n-\tif (vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) {\n+\t/ skip the per-VID rule when the DFLT Rx rule already covers this VID /\n+\tif ((vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) \u0026\u0026\n+\t !ice_is_vsi_dflt_vsi(vsi)) {\n \t\tret = ice_fltr_set_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi-\u003eidx,\n \t\t\t\t\t ICE_MCAST_VLAN_PROMISC_BITS,\n \t\t\t\t\t vid);\n@@ -3696,11 +3744,12 @@ int ice_vlan_rx_add_vid(struct net_device netdev, __be16 proto, u16 vid)\n \tif (ret)\n \t\tgoto finish;\n \n-\t/* If all-multicast is currently enabled and this VLAN ID is only one\n-\t * besides VLAN-0 we have to update look-up type of multicast promisc\n-\t * rule for VLAN-0 from ICE_SW_LKUP_PROMISC to ICE_SW_LKUP_PROMISC_VLAN.\n+\t/* On the first non-zero VLAN, promote the VLAN-0 multicast promisc\n+\t * rule from ICE_SW_LKUP_PROMISC to ICE_SW_LKUP_PROMISC_VLAN. Skip when\n+\t * the DFLT Rx rule is installed; it already covers every VID.\n \t /\n \tif ((vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) \u0026\u0026\n+\t !ice_is_vsi_dflt_vsi(vsi) \u0026\u0026\n \t ice_vsi_num_non_zero_vlans(vsi) == 1) {\n \t\tice_fltr_clear_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi-\u003eidx,\n \t\t\t\t\t ICE_MCAST_PROMISC_BITS, 0);\n@@ -3763,11 +3812,12 @@ int ice_vlan_rx_kill_vid(struct net_device netdev, __be16 proto, u16 vid)\n \t\t\t\t\t ICE_MCAST_VLAN_PROMISC_BITS, vid);\n \n \tif (!ice_vsi_has_non_zero_vlans(vsi)) {\n-\t\t/* Update look-up type of multicast promisc rule for VLAN 0\n-\t\t * from ICE_SW_LKUP_PROMISC_VLAN to ICE_SW_LKUP_PROMISC when\n-\t\t * all-multicast is enabled and VLAN 0 is the only VLAN rule.\n+\t\t/* Last non-zero VLAN gone: demote the VLAN-0 multicast promisc\n+\t\t * rule back to ICE_SW_LKUP_PROMISC. Skip when the DFLT Rx rule\n+\t\t * is installed; no recipe swap is needed.\n \t\t */\n-\t\tif (vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) {\n+\t\tif ((vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) \u0026\u0026\n+\t\t !ice_is_vsi_dflt_vsi(vsi)) {\n \t\t\tice_fltr_clear_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi-\u003eidx,\n \t\t\t\t\t\t ICE_MCAST_VLAN_PROMISC_BITS,\n \t\t\t\t\t\t 0);\n" }
2/1	2026/06/22 11:55	agent	patch-evaluator	0m Model: gemini-3.1-pro-preview Args: null Results: { "EnableConfigs": null, "FocusSymbols": [], "Reasoning": "The patch modifies the Intel Ethernet Connection E800 Series Linux Driver (ice). This driver is for physical PCIe hardware and lacks software emulation in QEMU or the Linux kernel. Therefore, the modified code paths are impossible to reach and test in virtualized environments like GCE or QEMU.", "WorthFuzzing": false } Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: For your convenience, here is the diff of the changes: commit 7e932ab6ae8c99afbc33c1940ee33e1b909af7e7 Author: syz-cluster <triage@syzkaller.com> Date: Mon Jun 22 11:55:28 2026 +0000 syz-cluster: applied patch under review diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch.c b/drivers/net/ethernet/intel/ice/ice_eswitch.c index 2e4f0969035f77..48273ef9f69dc8 100644 --- a/drivers/net/ethernet/intel/ice/ice_eswitch.c +++ b/drivers/net/ethernet/intel/ice/ice_eswitch.c @@ -66,8 +66,10 @@ static int ice_eswitch_setup_env(struct ice_pf pf) ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx, false, ICE_FLTR_TX); err_def_tx: - ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx, false, - ICE_FLTR_RX); + / keep the Rx DFLT rule if the uplink is promiscuous (see release_env) / + if (!(uplink_vsi->netdev->flags & IFF_PROMISC)) + ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx, + false, ICE_FLTR_RX); err_def_rx: ice_vsi_del_vlan_zero(uplink_vsi); err_vlan_zero: @@ -278,8 +280,16 @@ static void ice_eswitch_release_env(struct ice_pf pf) vlan_ops->ena_rx_filtering(uplink_vsi); ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx, false, ICE_FLTR_TX); - ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx, false, - ICE_FLTR_RX); + + /* Keep the Rx DFLT rule if the uplink is promiscuous; it must outlive + * the session. Test the live netdev->flags, the same value + * ena_rx_filtering() -> ice_cfg_vlan_pruning() above keys its decision + * on, so the preserved DFLT rule and the pruning state stay consistent. + / + if (!(uplink_vsi->netdev->flags & IFF_PROMISC)) + ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx, + false, ICE_FLTR_RX); + ice_fltr_add_mac_and_broadcast(uplink_vsi, uplink_vsi->port_info->mac.perm_addr, ICE_FWD_TO_VSI); diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c index e2fbe111f84969..efb1f536de6c7a 100644 --- a/drivers/net/ethernet/intel/ice/ice_main.c +++ b/drivers/net/ethernet/intel/ice/ice_main.c @@ -274,7 +274,8 @@ static int ice_set_promisc(struct ice_vsi vsi, u8 promisc_m) if (vsi->type != ICE_VSI_PF) return 0; - if (ice_vsi_has_non_zero_vlans(vsi)) { + /* skip per-VID expansion; the DFLT Rx rule already covers every VID / + if (ice_vsi_has_non_zero_vlans(vsi) && !ice_is_vsi_dflt_vsi(vsi)) { promisc_m \|= (ICE_PROMISC_VLAN_RX \| ICE_PROMISC_VLAN_TX); status = ice_fltr_set_vlan_vsi_promisc(&vsi->back->hw, vsi, promisc_m); @@ -304,9 +305,19 @@ static int ice_clear_promisc(struct ice_vsi vsi, u8 promisc_m) return 0; if (ice_vsi_has_non_zero_vlans(vsi)) { - promisc_m \|= (ICE_PROMISC_VLAN_RX \| ICE_PROMISC_VLAN_TX); + int vid0_status; + + /* set time used either recipe (per-VID PROMISC_VLAN, or vid=0 + * PROMISC via the ice_set_promisc() else branch), so clear + * both; clearing an absent rule succeeds + / status = ice_fltr_clear_vlan_vsi_promisc(&vsi->back->hw, vsi, - promisc_m); + promisc_m \| ICE_PROMISC_VLAN_RX \| + ICE_PROMISC_VLAN_TX); + vid0_status = ice_fltr_clear_vsi_promisc(&vsi->back->hw, + vsi->idx, promisc_m, 0); + if (!status) + status = vid0_status; } else { status = ice_fltr_clear_vsi_promisc(&vsi->back->hw, vsi->idx, promisc_m, 0); @@ -317,6 +328,49 @@ static int ice_clear_promisc(struct ice_vsi vsi, u8 promisc_m) return status; } +/** + * ice_vsi_exit_dflt_promisc - drop the default VSI Rx rule on promisc off + * @vsi: the VSI leaving promiscuous mode + * + * For an IFF_ALLMULTI VSI with VLANs the per-VID multicast rules are + * reinstated before the default rule is cleared so coverage never lapses; + * the then redundant vid=0 rule is dropped best-effort. The callees log + * their own failures, so error returns are not re-logged here. + * + * Return: 0 on success, negative on error with the default rule left in place. + / +static int ice_vsi_exit_dflt_promisc(struct ice_vsi vsi) +{ + struct ice_vsi_vlan_ops vlan_ops = ice_get_compat_vsi_vlan_ops(vsi); + struct net_device netdev = vsi->netdev; + struct ice_hw hw = &vsi->back->hw; + bool restore_mc; + int err; + + restore_mc = (vsi->current_netdev_flags & IFF_ALLMULTI) && + ice_vsi_has_non_zero_vlans(vsi); + + if (restore_mc) { + err = ice_fltr_set_vlan_vsi_promisc(hw, vsi, + ICE_MCAST_VLAN_PROMISC_BITS); + if (err && err != -EEXIST) + return err; + } + + err = ice_clear_dflt_vsi(vsi); + if (err) + return err; + + if (netdev->features & NETIF_F_HW_VLAN_CTAG_FILTER) + vlan_ops->ena_rx_filtering(vsi); + + if (restore_mc) + ice_fltr_clear_vsi_promisc(hw, vsi->idx, ICE_MCAST_PROMISC_BITS, + 0); + + return 0; +} + /* * ice_vsi_sync_fltr - Update the VSI filter list to the HW * @vsi: ptr to the VSI @@ -442,17 +496,12 @@ static int ice_vsi_sync_fltr(struct ice_vsi vsi) } else { / Clear Rx filter to remove traffic from wire / if (ice_is_vsi_dflt_vsi(vsi)) { - err = ice_clear_dflt_vsi(vsi); + err = ice_vsi_exit_dflt_promisc(vsi); if (err) { - netdev_err(netdev, "Error %d clearing default VSI %i Rx rule\n", - err, vsi->vsi_num); vsi->current_netdev_flags \|= IFF_PROMISC; goto out_promisc; } - if (vsi->netdev->features & - NETIF_F_HW_VLAN_CTAG_FILTER) - vlan_ops->ena_rx_filtering(vsi); } / disable allmulti here, but only if allmulti is not @@ -3675,10 +3724,9 @@ int ice_vlan_rx_add_vid(struct net_device netdev, __be16 proto, u16 vid) while (test_and_set_bit(ICE_CFG_BUSY, vsi->state)) usleep_range(1000, 2000); - / Add multicast promisc rule for the VLAN ID to be added if - * all-multicast is currently enabled. - / - if (vsi->current_netdev_flags & IFF_ALLMULTI) { + / skip the per-VID rule when the DFLT Rx rule already covers this VID / + if ((vsi->current_netdev_flags & IFF_ALLMULTI) && + !ice_is_vsi_dflt_vsi(vsi)) { ret = ice_fltr_set_vsi_promisc(&vsi->back->hw, vsi->idx, ICE_MCAST_VLAN_PROMISC_BITS, vid); @@ -3696,11 +3744,12 @@ int ice_vlan_rx_add_vid(struct net_device netdev, __be16 proto, u16 vid) if (ret) goto finish; - /* If all-multicast is currently enabled and this VLAN ID is only one - * besides VLAN-0 we have to update look-up type of multicast promisc - * rule for VLAN-0 from ICE_SW_LKUP_PROMISC to ICE_SW_LKUP_PROMISC_VLAN. + /* On the first non-zero VLAN, promote the VLAN-0 multicast promisc + * rule from ICE_SW_LKUP_PROMISC to ICE_SW_LKUP_PROMISC_VLAN. Skip when + * the DFLT Rx rule is installed; it already covers every VID. / if ((vsi->current_netdev_flags & IFF_ALLMULTI) && + !ice_is_vsi_dflt_vsi(vsi) && ice_vsi_num_non_zero_vlans(vsi) == 1) { ice_fltr_clear_vsi_promisc(&vsi->back->hw, vsi->idx, ICE_MCAST_PROMISC_BITS, 0); @@ -3763,11 +3812,12 @@ int ice_vlan_rx_kill_vid(struct net_device netdev, __be16 proto, u16 vid) ICE_MCAST_VLAN_PROMISC_BITS, vid); if (!ice_vsi_has_non_zero_vlans(vsi)) { - /* Update look-up type of multicast promisc rule for VLAN 0 - * from ICE_SW_LKUP_PROMISC_VLAN to ICE_SW_LKUP_PROMISC when - * all-multicast is enabled and VLAN 0 is the only VLAN rule. + /* Last non-zero VLAN gone: demote the VLAN-0 multicast promisc + * rule back to ICE_SW_LKUP_PROMISC. Skip when the DFLT Rx rule + * is installed; no recipe swap is needed. */ - if (vsi->current_netdev_flags & IFF_ALLMULTI) { + if ((vsi->current_netdev_flags & IFF_ALLMULTI) && + !ice_is_vsi_dflt_vsi(vsi)) { ice_fltr_clear_vsi_promisc(&vsi->back->hw, vsi->idx, ICE_MCAST_VLAN_PROMISC_BITS, 0);
3/2	2026/06/22 11:55	llm	patch-evaluator	0m Model: gemini-3.1-pro-preview Args: null Results: null Tokens: input: 4886 output: 22 thoughts: 528 Thoughts: Fuzzing Feasibility of the Ice Driver Patch Okay, here's what I'm thinking. This patch series touches the `ice` driver, specifically `ice_eswitch.c` and `ice_main.c`. It's altering promiscuous mode and VLAN handling within the Intel Ethernet Connection E800 Series driver. Clearly, this is a functional change. My initial thought is to check if these changes are reachable in a fuzzed environment. My first concern is whether this is easily fuzzable. It's a network driver and therefore could be vulnerable. However, it’s for the Intel E800 series hardware. My initial thought is to check if these changes are reachable in a fuzzed environment. This means it's likely a physical hardware device. If it's a physical device, I need to know if it's emulated in any virtualized environment. Let me quickly check if QEMU or Google Compute Engine (GCE) emulates the Intel E800 series (ice). No, QEMU emulates e1000, igb, and virtio-net, but not ice. I need to confirm if there is any software emulation or if this is entirely hardware-dependent. If it's hardware-dependent, it will be hard to fuzz, unless we have PCI passthrough. The instructions I have explicitly state to mark patches as "WorthFuzzing=false" if they contain code paths unreachable in virtualized environments, even with software-emulated hardware. So, the critical question is: can I test the `ice` driver in QEMU? Normally, `drivers/net/ethernet/intel/ice/` requires actual Intel E800 hardware. Let me double-check if there's any `ice` emulation in QEMU. No. Is there any way to trigger this code without hardware? Let's check if there's a mock or some kind of workaround. I'll use `grepper` to search for any tests or mock implementations related to the `ice` driver. This will be the deciding factor.
4/2	2026/06/22 11:55	tool	grepper	0m Args: { "Expression": "ice_eswitch_setup_env" } Results: { "Output": "drivers/net/ethernet/intel/ice/ice_eswitch.c-13-/*\ndrivers/net/ethernet/intel/ice/ice_eswitch.c:14: ice_eswitch_setup_env - configure eswitch HW filters\ndrivers/net/ethernet/intel/ice/ice_eswitch.c-15- * @pf: pointer to PF struct\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.c-19- /\ndrivers/net/ethernet/intel/ice/ice_eswitch.c:20:static int ice_eswitch_setup_env(struct ice_pf pf)\ndrivers/net/ethernet/intel/ice/ice_eswitch.c-21-{\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.c=303=static int ice_eswitch_enable_switchdev(struct ice_pf *pf)\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.c-318-\ndrivers/net/ethernet/intel/ice/ice_eswitch.c:319:\tif (ice_eswitch_setup_env(pf))\ndrivers/net/ethernet/intel/ice/ice_eswitch.c-320-\t\treturn -ENODEV;\n" }
5/2	2026/06/22 11:55	llm	patch-evaluator	0m Model: gemini-3.1-pro-preview Args: null Results: null Tokens: input: 6213 output: 17 thoughts: 108 Thoughts: Analyzing the `ice` Driver for Fuzzing Suitability Okay, so I'm looking at this `ice` driver, specifically for those Intel E800 series PCIe network cards. My immediate thought is, "This is a physical device driver." We're talking about direct interaction with hardware through the PCIe bus. And there's no software emulation I'm aware of in QEMU or even baked into the Linux kernel itself – nothing like a `mac80211_hwsim` or a `netdevsim` to mimic the behavior of this kind of network adapter. Given that reality, and assuming this is for virtualized environments, like GCE or QEMU, the code paths are basically unreachable. I can't imagine a scenario where I could trigger any meaningful interactions with the driver, because the underlying hardware simply isn't there to respond. In other words, there's nothing to "fuzz". Therefore, without further investigation, my initial conclusion is that the `WorthFuzzing` flag should be set to `false`. Let me just quickly confirm if I'm missing something, though... Let me double check if there's any emulation for `ice`... I'll check my memory and do a cursory search.
6/2	2026/06/22 11:55	tool	grepper	0m Args: { "Expression": "CONFIG_ICE" } Results: { "Output": "arch/loongarch/configs/loongson32_defconfig=592=CONFIG_I40E=y\narch/loongarch/configs/loongson32_defconfig:593:CONFIG_ICE=y\narch/loongarch/configs/loongson32_defconfig-594-CONFIG_FM10K=y\n--\narch/loongarch/configs/loongson64_defconfig=608=CONFIG_I40E=y\narch/loongarch/configs/loongson64_defconfig:609:CONFIG_ICE=y\narch/loongarch/configs/loongson64_defconfig-610-CONFIG_FM10K=y\n--\ndrivers/net/ethernet/intel/Makefile=19=obj-$(CONFIG_FM10K) += fm10k/\ndrivers/net/ethernet/intel/Makefile:20:obj-$(CONFIG_ICE) += ice/\ndrivers/net/ethernet/intel/Makefile-21-obj-$(CONFIG_IDPF) += idpf/\n--\ndrivers/net/ethernet/intel/ice/Makefile=8=subdir-ccflags-y += -I$(src)\ndrivers/net/ethernet/intel/ice/Makefile:9:obj-$(CONFIG_ICE) += ice.o\ndrivers/net/ethernet/intel/ice/Makefile-10-\n--\ndrivers/net/ethernet/intel/ice/Makefile=60=ice-$(CONFIG_XDP_SOCKETS) += ice_xsk.o\ndrivers/net/ethernet/intel/ice/Makefile:61:ice-$(CONFIG_ICE_SWITCHDEV) += ice_eswitch.o ice_eswitch_br.o\ndrivers/net/ethernet/intel/ice/Makefile-62-ice-$(CONFIG_GNSS) += ice_gnss.o\ndrivers/net/ethernet/intel/ice/Makefile:63:ice-$(CONFIG_ICE_HWMON) += ice_hwmon.o\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.h-9-\ndrivers/net/ethernet/intel/ice/ice_eswitch.h:10:#ifdef CONFIG_ICE_SWITCHDEV\ndrivers/net/ethernet/intel/ice/ice_eswitch.h-11-void ice_eswitch_detach_vf(struct ice_pf pf, struct ice_vf vf);\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.h=34=void ice_eswitch_decfg_vsi(struct ice_vsi vsi, const u8 mac);\ndrivers/net/ethernet/intel/ice/ice_eswitch.h:35:#else /* CONFIG_ICE_SWITCHDEV /\ndrivers/net/ethernet/intel/ice/ice_eswitch.h-36-static inline void\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.h=98=static inline void ice_eswitch_decfg_vsi(struct ice_vsi vsi, const u8 mac) { }\ndrivers/net/ethernet/intel/ice/ice_eswitch.h:99:#endif / CONFIG_ICE_SWITCHDEV /\ndrivers/net/ethernet/intel/ice/ice_eswitch.h-100-#endif / _ICE_ESWITCH_H_ /\n--\ndrivers/net/ethernet/intel/ice/ice_hwmon.h-6-\ndrivers/net/ethernet/intel/ice/ice_hwmon.h:7:#ifdef CONFIG_ICE_HWMON\ndrivers/net/ethernet/intel/ice/ice_hwmon.h-8-void ice_hwmon_init(struct ice_pf pf);\ndrivers/net/ethernet/intel/ice/ice_hwmon.h=9=void ice_hwmon_exit(struct ice_pf pf);\ndrivers/net/ethernet/intel/ice/ice_hwmon.h:10:#else / CONFIG_ICE_HWMON /\ndrivers/net/ethernet/intel/ice/ice_hwmon.h-11-static inline void ice_hwmon_init(struct ice_pf pf) { }\ndrivers/net/ethernet/intel/ice/ice_hwmon.h=12=static inline void ice_hwmon_exit(struct ice_pf pf) { }\ndrivers/net/ethernet/intel/ice/ice_hwmon.h:13:#endif / CONFIG_ICE_HWMON /\ndrivers/net/ethernet/intel/ice/ice_hwmon.h-14-\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c=2036=static const struct ice_crosststamp_cfg ice_crosststamp_cfg_e82x = {\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2048-\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2049:#ifdef CONFIG_ICE_HWTS\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2050-static const struct ice_crosststamp_cfg ice_crosststamp_cfg_e830 = {\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2062-\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2063:#endif / CONFIG_ICE_HWTS /\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2064-/\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c=2175=static int ice_ptp_getcrosststamp(struct ptp_clock_info info,\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2188-\t\tbreak;\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2189:#ifdef CONFIG_ICE_HWTS\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2190-\tcase ICE_MAC_E830:\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2192-\t\tbreak;\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2193:#endif /* CONFIG_ICE_HWTS /\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2194-\tdefault:\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c=2523=static void ice_ptp_set_funcs_e830(struct ice_pf pf)\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2524-{\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2525:#ifdef CONFIG_ICE_HWTS\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2526-\tif (pcie_ptm_enabled(pf-\u003epdev) \u0026\u0026 boot_cpu_has(X86_FEATURE_ART))\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2528-\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2529:#endif /* CONFIG_ICE_HWTS /\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2530-\t/ Rest of the config is the same as base E810 */\n" }
7/2	2026/06/22 11:55	llm	patch-evaluator	0m Model: gemini-3.1-pro-preview Args: null Results: null Tokens: input: 8452 output: 92 thoughts: 92 Thoughts: Analyzing the WorthFuzzing Flag for the `ice` Driver Okay, so I've been looking at this `ice` driver, which, as we know, is specifically designed for the Intel E800 Series PCIe network cards. This means it's a physical hardware driver, not something abstract. Now, considering my experience with virtualization, especially in environments like GCE and QEMU, it's clear there's no software emulation of this specific hardware or, for that matter, its driver present within either QEMU's or the standard Linux kernel codebase. If the hardware is not present, then its respective driver's functions are not likely to get invoked. Given that, I'm forced to conclude that any code paths related to the `ice` driver are effectively unreachable within these virtualized environments. Therefore, there's no practical value in fuzzing this driver within a virtual context, as the intended conditions that would trigger the fuzzing do not exist. Consequently, I'm going to set the `WorthFuzzing` flag to `false`. I believe my reasoning, based on the hardware dependence and the lack of emulation in common virtualization platforms, is sound. This is more of an assessment of practical feasibility rather than an intrinsic characteristic of the code. We can't safely test this in QEMU.
8/2	2026/06/22 11:55	tool	set-results	0m Args: { "EnableConfigs": [], "FocusSymbols": [], "Reasoning": "The patch modifies the Intel Ethernet Connection E800 Series Linux Driver (ice). This driver is for physical PCIe hardware and lacks software emulation in QEMU or the Linux kernel. Therefore, the modified code paths are impossible to reach and test in virtualized environments like GCE or QEMU.", "WorthFuzzing": false } Results: { "EnableConfigs": null, "FocusSymbols": [], "Reasoning": "The patch modifies the Intel Ethernet Connection E800 Series Linux Driver (ice). This driver is for physical PCIe hardware and lacks software emulation in QEMU or the Linux kernel. Therefore, the modified code paths are impossible to reach and test in virtualized environments like GCE or QEMU.", "WorthFuzzing": false }

Trajectory: (Expand/Collapse All)

Seq

Timestamp

Type

Name

Duration

0/0

2026/06/22 11:55

flow

patch-triage

Args:

null

Results:

{
  "EnableConfigs": null,
  "FocusSymbols": [],
  "Reasoning": "The patch modifies the Intel Ethernet Connection E800 Series Linux Driver (ice). This driver is for physical PCIe hardware and lacks software emulation in QEMU or the Linux kernel. Therefore, the modified code paths are impossible to reach and test in virtualized environments like GCE or QEMU.",
  "WorthFuzzing": false
}

1/1

2026/06/22 11:55

action

read-patch-diff

Args:

null

Results:

{
  "PatchDiff": "commit 7e932ab6ae8c99afbc33c1940ee33e1b909af7e7\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate:   Mon Jun 22 11:55:28 2026 +0000\n\n    syz-cluster: applied patch under review\n\ndiff --git a/drivers/net/ethernet/intel/ice/ice_eswitch.c b/drivers/net/ethernet/intel/ice/ice_eswitch.c\nindex 2e4f0969035f77..48273ef9f69dc8 100644\n--- a/drivers/net/ethernet/intel/ice/ice_eswitch.c\n+++ b/drivers/net/ethernet/intel/ice/ice_eswitch.c\n@@ -66,8 +66,10 @@ static int ice_eswitch_setup_env(struct ice_pf *pf)\n \tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx, false,\n \t\t\t ICE_FLTR_TX);\n err_def_tx:\n-\tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx, false,\n-\t\t\t ICE_FLTR_RX);\n+\t/* keep the Rx DFLT rule if the uplink is promiscuous (see release_env) */\n+\tif (!(uplink_vsi-\u003enetdev-\u003eflags \u0026 IFF_PROMISC))\n+\t\tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx,\n+\t\t\t\t false, ICE_FLTR_RX);\n err_def_rx:\n \tice_vsi_del_vlan_zero(uplink_vsi);\n err_vlan_zero:\n@@ -278,8 +280,16 @@ static void ice_eswitch_release_env(struct ice_pf *pf)\n \tvlan_ops-\u003eena_rx_filtering(uplink_vsi);\n \tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx, false,\n \t\t\t ICE_FLTR_TX);\n-\tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx, false,\n-\t\t\t ICE_FLTR_RX);\n+\n+\t/* Keep the Rx DFLT rule if the uplink is promiscuous; it must outlive\n+\t * the session. Test the live netdev-\u003eflags, the same value\n+\t * ena_rx_filtering() -\u003e ice_cfg_vlan_pruning() above keys its decision\n+\t * on, so the preserved DFLT rule and the pruning state stay consistent.\n+\t */\n+\tif (!(uplink_vsi-\u003enetdev-\u003eflags \u0026 IFF_PROMISC))\n+\t\tice_cfg_dflt_vsi(uplink_vsi-\u003eport_info, uplink_vsi-\u003eidx,\n+\t\t\t\t false, ICE_FLTR_RX);\n+\n \tice_fltr_add_mac_and_broadcast(uplink_vsi,\n \t\t\t\t       uplink_vsi-\u003eport_info-\u003emac.perm_addr,\n \t\t\t\t       ICE_FWD_TO_VSI);\ndiff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c\nindex e2fbe111f84969..efb1f536de6c7a 100644\n--- a/drivers/net/ethernet/intel/ice/ice_main.c\n+++ b/drivers/net/ethernet/intel/ice/ice_main.c\n@@ -274,7 +274,8 @@ static int ice_set_promisc(struct ice_vsi *vsi, u8 promisc_m)\n \tif (vsi-\u003etype != ICE_VSI_PF)\n \t\treturn 0;\n \n-\tif (ice_vsi_has_non_zero_vlans(vsi)) {\n+\t/* skip per-VID expansion; the DFLT Rx rule already covers every VID */\n+\tif (ice_vsi_has_non_zero_vlans(vsi) \u0026\u0026 !ice_is_vsi_dflt_vsi(vsi)) {\n \t\tpromisc_m |= (ICE_PROMISC_VLAN_RX | ICE_PROMISC_VLAN_TX);\n \t\tstatus = ice_fltr_set_vlan_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi,\n \t\t\t\t\t\t       promisc_m);\n@@ -304,9 +305,19 @@ static int ice_clear_promisc(struct ice_vsi *vsi, u8 promisc_m)\n \t\treturn 0;\n \n \tif (ice_vsi_has_non_zero_vlans(vsi)) {\n-\t\tpromisc_m |= (ICE_PROMISC_VLAN_RX | ICE_PROMISC_VLAN_TX);\n+\t\tint vid0_status;\n+\n+\t\t/* set time used either recipe (per-VID PROMISC_VLAN, or vid=0\n+\t\t * PROMISC via the ice_set_promisc() else branch), so clear\n+\t\t * both; clearing an absent rule succeeds\n+\t\t */\n \t\tstatus = ice_fltr_clear_vlan_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi,\n-\t\t\t\t\t\t\t promisc_m);\n+\t\t\t\tpromisc_m | ICE_PROMISC_VLAN_RX |\n+\t\t\t\tICE_PROMISC_VLAN_TX);\n+\t\tvid0_status = ice_fltr_clear_vsi_promisc(\u0026vsi-\u003eback-\u003ehw,\n+\t\t\t\t\t\t\t vsi-\u003eidx, promisc_m, 0);\n+\t\tif (!status)\n+\t\t\tstatus = vid0_status;\n \t} else {\n \t\tstatus = ice_fltr_clear_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi-\u003eidx,\n \t\t\t\t\t\t    promisc_m, 0);\n@@ -317,6 +328,49 @@ static int ice_clear_promisc(struct ice_vsi *vsi, u8 promisc_m)\n \treturn status;\n }\n \n+/**\n+ * ice_vsi_exit_dflt_promisc - drop the default VSI Rx rule on promisc off\n+ * @vsi: the VSI leaving promiscuous mode\n+ *\n+ * For an IFF_ALLMULTI VSI with VLANs the per-VID multicast rules are\n+ * reinstated before the default rule is cleared so coverage never lapses;\n+ * the then redundant vid=0 rule is dropped best-effort. The callees log\n+ * their own failures, so error returns are not re-logged here.\n+ *\n+ * Return: 0 on success, negative on error with the default rule left in place.\n+ */\n+static int ice_vsi_exit_dflt_promisc(struct ice_vsi *vsi)\n+{\n+\tstruct ice_vsi_vlan_ops *vlan_ops = ice_get_compat_vsi_vlan_ops(vsi);\n+\tstruct net_device *netdev = vsi-\u003enetdev;\n+\tstruct ice_hw *hw = \u0026vsi-\u003eback-\u003ehw;\n+\tbool restore_mc;\n+\tint err;\n+\n+\trestore_mc = (vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) \u0026\u0026\n+\t\t     ice_vsi_has_non_zero_vlans(vsi);\n+\n+\tif (restore_mc) {\n+\t\terr = ice_fltr_set_vlan_vsi_promisc(hw, vsi,\n+\t\t\t\t\t\t    ICE_MCAST_VLAN_PROMISC_BITS);\n+\t\tif (err \u0026\u0026 err != -EEXIST)\n+\t\t\treturn err;\n+\t}\n+\n+\terr = ice_clear_dflt_vsi(vsi);\n+\tif (err)\n+\t\treturn err;\n+\n+\tif (netdev-\u003efeatures \u0026 NETIF_F_HW_VLAN_CTAG_FILTER)\n+\t\tvlan_ops-\u003eena_rx_filtering(vsi);\n+\n+\tif (restore_mc)\n+\t\tice_fltr_clear_vsi_promisc(hw, vsi-\u003eidx, ICE_MCAST_PROMISC_BITS,\n+\t\t\t\t\t   0);\n+\n+\treturn 0;\n+}\n+\n /**\n  * ice_vsi_sync_fltr - Update the VSI filter list to the HW\n  * @vsi: ptr to the VSI\n@@ -442,17 +496,12 @@ static int ice_vsi_sync_fltr(struct ice_vsi *vsi)\n \t\t} else {\n \t\t\t/* Clear Rx filter to remove traffic from wire */\n \t\t\tif (ice_is_vsi_dflt_vsi(vsi)) {\n-\t\t\t\terr = ice_clear_dflt_vsi(vsi);\n+\t\t\t\terr = ice_vsi_exit_dflt_promisc(vsi);\n \t\t\t\tif (err) {\n-\t\t\t\t\tnetdev_err(netdev, \"Error %d clearing default VSI %i Rx rule\\n\",\n-\t\t\t\t\t\t   err, vsi-\u003evsi_num);\n \t\t\t\t\tvsi-\u003ecurrent_netdev_flags |=\n \t\t\t\t\t\tIFF_PROMISC;\n \t\t\t\t\tgoto out_promisc;\n \t\t\t\t}\n-\t\t\t\tif (vsi-\u003enetdev-\u003efeatures \u0026\n-\t\t\t\t    NETIF_F_HW_VLAN_CTAG_FILTER)\n-\t\t\t\t\tvlan_ops-\u003eena_rx_filtering(vsi);\n \t\t\t}\n \n \t\t\t/* disable allmulti here, but only if allmulti is not\n@@ -3675,10 +3724,9 @@ int ice_vlan_rx_add_vid(struct net_device *netdev, __be16 proto, u16 vid)\n \twhile (test_and_set_bit(ICE_CFG_BUSY, vsi-\u003estate))\n \t\tusleep_range(1000, 2000);\n \n-\t/* Add multicast promisc rule for the VLAN ID to be added if\n-\t * all-multicast is currently enabled.\n-\t */\n-\tif (vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) {\n+\t/* skip the per-VID rule when the DFLT Rx rule already covers this VID */\n+\tif ((vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) \u0026\u0026\n+\t    !ice_is_vsi_dflt_vsi(vsi)) {\n \t\tret = ice_fltr_set_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi-\u003eidx,\n \t\t\t\t\t       ICE_MCAST_VLAN_PROMISC_BITS,\n \t\t\t\t\t       vid);\n@@ -3696,11 +3744,12 @@ int ice_vlan_rx_add_vid(struct net_device *netdev, __be16 proto, u16 vid)\n \tif (ret)\n \t\tgoto finish;\n \n-\t/* If all-multicast is currently enabled and this VLAN ID is only one\n-\t * besides VLAN-0 we have to update look-up type of multicast promisc\n-\t * rule for VLAN-0 from ICE_SW_LKUP_PROMISC to ICE_SW_LKUP_PROMISC_VLAN.\n+\t/* On the first non-zero VLAN, promote the VLAN-0 multicast promisc\n+\t * rule from ICE_SW_LKUP_PROMISC to ICE_SW_LKUP_PROMISC_VLAN. Skip when\n+\t * the DFLT Rx rule is installed; it already covers every VID.\n \t */\n \tif ((vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) \u0026\u0026\n+\t    !ice_is_vsi_dflt_vsi(vsi) \u0026\u0026\n \t    ice_vsi_num_non_zero_vlans(vsi) == 1) {\n \t\tice_fltr_clear_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi-\u003eidx,\n \t\t\t\t\t   ICE_MCAST_PROMISC_BITS, 0);\n@@ -3763,11 +3812,12 @@ int ice_vlan_rx_kill_vid(struct net_device *netdev, __be16 proto, u16 vid)\n \t\t\t\t\t   ICE_MCAST_VLAN_PROMISC_BITS, vid);\n \n \tif (!ice_vsi_has_non_zero_vlans(vsi)) {\n-\t\t/* Update look-up type of multicast promisc rule for VLAN 0\n-\t\t * from ICE_SW_LKUP_PROMISC_VLAN to ICE_SW_LKUP_PROMISC when\n-\t\t * all-multicast is enabled and VLAN 0 is the only VLAN rule.\n+\t\t/* Last non-zero VLAN gone: demote the VLAN-0 multicast promisc\n+\t\t * rule back to ICE_SW_LKUP_PROMISC. Skip when the DFLT Rx rule\n+\t\t * is installed; no recipe swap is needed.\n \t\t */\n-\t\tif (vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) {\n+\t\tif ((vsi-\u003ecurrent_netdev_flags \u0026 IFF_ALLMULTI) \u0026\u0026\n+\t\t    !ice_is_vsi_dflt_vsi(vsi)) {\n \t\t\tice_fltr_clear_vsi_promisc(\u0026vsi-\u003eback-\u003ehw, vsi-\u003eidx,\n \t\t\t\t\t\t   ICE_MCAST_VLAN_PROMISC_BITS,\n \t\t\t\t\t\t   0);\n"
}

2/1

2026/06/22 11:55

agent

patch-evaluator

Model:

gemini-3.1-pro-preview

Args:

null

Results:

{
  "EnableConfigs": null,
  "FocusSymbols": [],
  "Reasoning": "The patch modifies the Intel Ethernet Connection E800 Series Linux Driver (ice). This driver is for physical PCIe hardware and lacks software emulation in QEMU or the Linux kernel. Therefore, the modified code paths are impossible to reach and test in virtualized environments like GCE or QEMU.",
  "WorthFuzzing": false
}

Instruction:

You are an expert Linux kernel maintainer.
Your job is to review a provided patch series and determine
if it makes functional changes to the kernel that should be fuzzed.

IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in
your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively
use your code access tools to examine the actual source code and confirm any assumptions.

Return WorthFuzzing=false if the patch only contains:
- Modifications to Documentation/, Kconfig files, or code comments.
- Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints.
- Changes to numeric constants or macros that do not functionally alter execution flow.
- Code paths that are impossible to reach in virtualized environments like GCE or QEMU,
even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim).

If it modifies reachable core kernel logic, drivers, or architectures, use your code search
tools to verify the code can be executed, then return WorthFuzzing=true.

When returning WorthFuzzing=true, you MUST ALSO:
1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols.
   Avoid listing generic hot-path functions to prevent skewed test distributions.
2. Identify any specific CONFIG_ options required to properly test this new/modified feature.
   Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions.
   Do not list too generic configs (we already have them enabled). Only list those that
   specifically cover the modified code. List them in the EnableConfigs output array,
   and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4").
Prefer calling several tools at the same time to save round-trips.


Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

Prompt:

For your convenience, here is the diff of the changes:
commit 7e932ab6ae8c99afbc33c1940ee33e1b909af7e7
Author: syz-cluster <triage@syzkaller.com>
Date:   Mon Jun 22 11:55:28 2026 +0000

    syz-cluster: applied patch under review

diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch.c b/drivers/net/ethernet/intel/ice/ice_eswitch.c
index 2e4f0969035f77..48273ef9f69dc8 100644
--- a/drivers/net/ethernet/intel/ice/ice_eswitch.c
+++ b/drivers/net/ethernet/intel/ice/ice_eswitch.c
@@ -66,8 +66,10 @@ static int ice_eswitch_setup_env(struct ice_pf *pf)
 	ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx, false,
 			 ICE_FLTR_TX);
 err_def_tx:
-	ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx, false,
-			 ICE_FLTR_RX);
+	/* keep the Rx DFLT rule if the uplink is promiscuous (see release_env) */
+	if (!(uplink_vsi->netdev->flags & IFF_PROMISC))
+		ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx,
+				 false, ICE_FLTR_RX);
 err_def_rx:
 	ice_vsi_del_vlan_zero(uplink_vsi);
 err_vlan_zero:
@@ -278,8 +280,16 @@ static void ice_eswitch_release_env(struct ice_pf *pf)
 	vlan_ops->ena_rx_filtering(uplink_vsi);
 	ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx, false,
 			 ICE_FLTR_TX);
-	ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx, false,
-			 ICE_FLTR_RX);
+
+	/* Keep the Rx DFLT rule if the uplink is promiscuous; it must outlive
+	 * the session. Test the live netdev->flags, the same value
+	 * ena_rx_filtering() -> ice_cfg_vlan_pruning() above keys its decision
+	 * on, so the preserved DFLT rule and the pruning state stay consistent.
+	 */
+	if (!(uplink_vsi->netdev->flags & IFF_PROMISC))
+		ice_cfg_dflt_vsi(uplink_vsi->port_info, uplink_vsi->idx,
+				 false, ICE_FLTR_RX);
+
 	ice_fltr_add_mac_and_broadcast(uplink_vsi,
 				       uplink_vsi->port_info->mac.perm_addr,
 				       ICE_FWD_TO_VSI);
diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
index e2fbe111f84969..efb1f536de6c7a 100644
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -274,7 +274,8 @@ static int ice_set_promisc(struct ice_vsi *vsi, u8 promisc_m)
 	if (vsi->type != ICE_VSI_PF)
 		return 0;
 
-	if (ice_vsi_has_non_zero_vlans(vsi)) {
+	/* skip per-VID expansion; the DFLT Rx rule already covers every VID */
+	if (ice_vsi_has_non_zero_vlans(vsi) && !ice_is_vsi_dflt_vsi(vsi)) {
 		promisc_m |= (ICE_PROMISC_VLAN_RX | ICE_PROMISC_VLAN_TX);
 		status = ice_fltr_set_vlan_vsi_promisc(&vsi->back->hw, vsi,
 						       promisc_m);
@@ -304,9 +305,19 @@ static int ice_clear_promisc(struct ice_vsi *vsi, u8 promisc_m)
 		return 0;
 
 	if (ice_vsi_has_non_zero_vlans(vsi)) {
-		promisc_m |= (ICE_PROMISC_VLAN_RX | ICE_PROMISC_VLAN_TX);
+		int vid0_status;
+
+		/* set time used either recipe (per-VID PROMISC_VLAN, or vid=0
+		 * PROMISC via the ice_set_promisc() else branch), so clear
+		 * both; clearing an absent rule succeeds
+		 */
 		status = ice_fltr_clear_vlan_vsi_promisc(&vsi->back->hw, vsi,
-							 promisc_m);
+				promisc_m | ICE_PROMISC_VLAN_RX |
+				ICE_PROMISC_VLAN_TX);
+		vid0_status = ice_fltr_clear_vsi_promisc(&vsi->back->hw,
+							 vsi->idx, promisc_m, 0);
+		if (!status)
+			status = vid0_status;
 	} else {
 		status = ice_fltr_clear_vsi_promisc(&vsi->back->hw, vsi->idx,
 						    promisc_m, 0);
@@ -317,6 +328,49 @@ static int ice_clear_promisc(struct ice_vsi *vsi, u8 promisc_m)
 	return status;
 }
 
+/**
+ * ice_vsi_exit_dflt_promisc - drop the default VSI Rx rule on promisc off
+ * @vsi: the VSI leaving promiscuous mode
+ *
+ * For an IFF_ALLMULTI VSI with VLANs the per-VID multicast rules are
+ * reinstated before the default rule is cleared so coverage never lapses;
+ * the then redundant vid=0 rule is dropped best-effort. The callees log
+ * their own failures, so error returns are not re-logged here.
+ *
+ * Return: 0 on success, negative on error with the default rule left in place.
+ */
+static int ice_vsi_exit_dflt_promisc(struct ice_vsi *vsi)
+{
+	struct ice_vsi_vlan_ops *vlan_ops = ice_get_compat_vsi_vlan_ops(vsi);
+	struct net_device *netdev = vsi->netdev;
+	struct ice_hw *hw = &vsi->back->hw;
+	bool restore_mc;
+	int err;
+
+	restore_mc = (vsi->current_netdev_flags & IFF_ALLMULTI) &&
+		     ice_vsi_has_non_zero_vlans(vsi);
+
+	if (restore_mc) {
+		err = ice_fltr_set_vlan_vsi_promisc(hw, vsi,
+						    ICE_MCAST_VLAN_PROMISC_BITS);
+		if (err && err != -EEXIST)
+			return err;
+	}
+
+	err = ice_clear_dflt_vsi(vsi);
+	if (err)
+		return err;
+
+	if (netdev->features & NETIF_F_HW_VLAN_CTAG_FILTER)
+		vlan_ops->ena_rx_filtering(vsi);
+
+	if (restore_mc)
+		ice_fltr_clear_vsi_promisc(hw, vsi->idx, ICE_MCAST_PROMISC_BITS,
+					   0);
+
+	return 0;
+}
+
 /**
  * ice_vsi_sync_fltr - Update the VSI filter list to the HW
  * @vsi: ptr to the VSI
@@ -442,17 +496,12 @@ static int ice_vsi_sync_fltr(struct ice_vsi *vsi)
 		} else {
 			/* Clear Rx filter to remove traffic from wire */
 			if (ice_is_vsi_dflt_vsi(vsi)) {
-				err = ice_clear_dflt_vsi(vsi);
+				err = ice_vsi_exit_dflt_promisc(vsi);
 				if (err) {
-					netdev_err(netdev, "Error %d clearing default VSI %i Rx rule\n",
-						   err, vsi->vsi_num);
 					vsi->current_netdev_flags |=
 						IFF_PROMISC;
 					goto out_promisc;
 				}
-				if (vsi->netdev->features &
-				    NETIF_F_HW_VLAN_CTAG_FILTER)
-					vlan_ops->ena_rx_filtering(vsi);
 			}
 
 			/* disable allmulti here, but only if allmulti is not
@@ -3675,10 +3724,9 @@ int ice_vlan_rx_add_vid(struct net_device *netdev, __be16 proto, u16 vid)
 	while (test_and_set_bit(ICE_CFG_BUSY, vsi->state))
 		usleep_range(1000, 2000);
 
-	/* Add multicast promisc rule for the VLAN ID to be added if
-	 * all-multicast is currently enabled.
-	 */
-	if (vsi->current_netdev_flags & IFF_ALLMULTI) {
+	/* skip the per-VID rule when the DFLT Rx rule already covers this VID */
+	if ((vsi->current_netdev_flags & IFF_ALLMULTI) &&
+	    !ice_is_vsi_dflt_vsi(vsi)) {
 		ret = ice_fltr_set_vsi_promisc(&vsi->back->hw, vsi->idx,
 					       ICE_MCAST_VLAN_PROMISC_BITS,
 					       vid);
@@ -3696,11 +3744,12 @@ int ice_vlan_rx_add_vid(struct net_device *netdev, __be16 proto, u16 vid)
 	if (ret)
 		goto finish;
 
-	/* If all-multicast is currently enabled and this VLAN ID is only one
-	 * besides VLAN-0 we have to update look-up type of multicast promisc
-	 * rule for VLAN-0 from ICE_SW_LKUP_PROMISC to ICE_SW_LKUP_PROMISC_VLAN.
+	/* On the first non-zero VLAN, promote the VLAN-0 multicast promisc
+	 * rule from ICE_SW_LKUP_PROMISC to ICE_SW_LKUP_PROMISC_VLAN. Skip when
+	 * the DFLT Rx rule is installed; it already covers every VID.
 	 */
 	if ((vsi->current_netdev_flags & IFF_ALLMULTI) &&
+	    !ice_is_vsi_dflt_vsi(vsi) &&
 	    ice_vsi_num_non_zero_vlans(vsi) == 1) {
 		ice_fltr_clear_vsi_promisc(&vsi->back->hw, vsi->idx,
 					   ICE_MCAST_PROMISC_BITS, 0);
@@ -3763,11 +3812,12 @@ int ice_vlan_rx_kill_vid(struct net_device *netdev, __be16 proto, u16 vid)
 					   ICE_MCAST_VLAN_PROMISC_BITS, vid);
 
 	if (!ice_vsi_has_non_zero_vlans(vsi)) {
-		/* Update look-up type of multicast promisc rule for VLAN 0
-		 * from ICE_SW_LKUP_PROMISC_VLAN to ICE_SW_LKUP_PROMISC when
-		 * all-multicast is enabled and VLAN 0 is the only VLAN rule.
+		/* Last non-zero VLAN gone: demote the VLAN-0 multicast promisc
+		 * rule back to ICE_SW_LKUP_PROMISC. Skip when the DFLT Rx rule
+		 * is installed; no recipe swap is needed.
 		 */
-		if (vsi->current_netdev_flags & IFF_ALLMULTI) {
+		if ((vsi->current_netdev_flags & IFF_ALLMULTI) &&
+		    !ice_is_vsi_dflt_vsi(vsi)) {
 			ice_fltr_clear_vsi_promisc(&vsi->back->hw, vsi->idx,
 						   ICE_MCAST_VLAN_PROMISC_BITS,
 						   0);

3/2

2026/06/22 11:55

llm

patch-evaluator

Model:

gemini-3.1-pro-preview

Args:

null

Results:

null

Tokens:

							input: 4886
							output: 22
							thoughts: 528

Thoughts:

**Fuzzing Feasibility of the Ice Driver Patch**

Okay, here's what I'm thinking. This patch series touches the `ice` driver, specifically `ice_eswitch.c` and `ice_main.c`. It's altering promiscuous mode and VLAN handling within the Intel Ethernet Connection E800 Series driver. Clearly, this is a functional change. My initial thought is to check if these changes are reachable in a fuzzed environment.

My first concern is whether this is easily fuzzable. It's a network driver and therefore could be vulnerable. However, it’s for the Intel E800 series hardware. My initial thought is to check if these changes are reachable in a fuzzed environment.

This means it's likely a physical hardware device. If it's a physical device, I need to know if it's emulated in any virtualized environment. Let me quickly check if QEMU or Google Compute Engine (GCE) emulates the Intel E800 series (ice). No, QEMU emulates e1000, igb, and virtio-net, but not ice.

I need to confirm if there is any software emulation or if this is entirely hardware-dependent. If it's hardware-dependent, it will be hard to fuzz, unless we have PCI passthrough.

The instructions I have explicitly state to mark patches as "WorthFuzzing=false" if they contain code paths unreachable in virtualized environments, even with software-emulated hardware.

So, the critical question is: can I test the `ice` driver in QEMU? Normally, `drivers/net/ethernet/intel/ice/` requires actual Intel E800 hardware. Let me double-check if there's any `ice` emulation in QEMU. No. Is there any way to trigger this code without hardware?

Let's check if there's a mock or some kind of workaround. I'll use `grepper` to search for any tests or mock implementations related to the `ice` driver. This will be the deciding factor.

4/2

2026/06/22 11:55

tool

grepper

Args:

{
  "Expression": "ice_eswitch_setup_env"
}

Results:

{
  "Output": "drivers/net/ethernet/intel/ice/ice_eswitch.c-13-/**\ndrivers/net/ethernet/intel/ice/ice_eswitch.c:14: * ice_eswitch_setup_env - configure eswitch HW filters\ndrivers/net/ethernet/intel/ice/ice_eswitch.c-15- * @pf: pointer to PF struct\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.c-19- */\ndrivers/net/ethernet/intel/ice/ice_eswitch.c:20:static int ice_eswitch_setup_env(struct ice_pf *pf)\ndrivers/net/ethernet/intel/ice/ice_eswitch.c-21-{\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.c=303=static int ice_eswitch_enable_switchdev(struct ice_pf *pf)\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.c-318-\ndrivers/net/ethernet/intel/ice/ice_eswitch.c:319:\tif (ice_eswitch_setup_env(pf))\ndrivers/net/ethernet/intel/ice/ice_eswitch.c-320-\t\treturn -ENODEV;\n"
}

5/2

2026/06/22 11:55

llm

patch-evaluator

Model:

gemini-3.1-pro-preview

Args:

null

Results:

null

Tokens:

							input: 6213
							output: 17
							thoughts: 108

Thoughts:

**Analyzing the `ice` Driver for Fuzzing Suitability**

Okay, so I'm looking at this `ice` driver, specifically for those Intel E800 series PCIe network cards. My immediate thought is, "This is a *physical* device driver." We're talking about direct interaction with hardware through the PCIe bus. And there's no software emulation I'm aware of in QEMU or even baked into the Linux kernel itself – nothing like a `mac80211_hwsim` or a `netdevsim` to mimic the behavior of this kind of network adapter.

Given that reality, and assuming this is for virtualized environments, like GCE or QEMU, the code paths are basically unreachable. I can't imagine a scenario where I could trigger any meaningful interactions with the driver, because the underlying hardware simply isn't there to respond. In other words, there's nothing to "fuzz".

Therefore, without further investigation, my initial conclusion is that the `WorthFuzzing` flag should be set to `false`. Let me just quickly confirm if I'm missing something, though... Let me double check if there's any emulation for `ice`... I'll check my memory and do a cursory search.

6/2

2026/06/22 11:55

tool

grepper

Args:

{
  "Expression": "CONFIG_ICE"
}

Results:

{
  "Output": "arch/loongarch/configs/loongson32_defconfig=592=CONFIG_I40E=y\narch/loongarch/configs/loongson32_defconfig:593:CONFIG_ICE=y\narch/loongarch/configs/loongson32_defconfig-594-CONFIG_FM10K=y\n--\narch/loongarch/configs/loongson64_defconfig=608=CONFIG_I40E=y\narch/loongarch/configs/loongson64_defconfig:609:CONFIG_ICE=y\narch/loongarch/configs/loongson64_defconfig-610-CONFIG_FM10K=y\n--\ndrivers/net/ethernet/intel/Makefile=19=obj-$(CONFIG_FM10K) += fm10k/\ndrivers/net/ethernet/intel/Makefile:20:obj-$(CONFIG_ICE) += ice/\ndrivers/net/ethernet/intel/Makefile-21-obj-$(CONFIG_IDPF) += idpf/\n--\ndrivers/net/ethernet/intel/ice/Makefile=8=subdir-ccflags-y += -I$(src)\ndrivers/net/ethernet/intel/ice/Makefile:9:obj-$(CONFIG_ICE) += ice.o\ndrivers/net/ethernet/intel/ice/Makefile-10-\n--\ndrivers/net/ethernet/intel/ice/Makefile=60=ice-$(CONFIG_XDP_SOCKETS) += ice_xsk.o\ndrivers/net/ethernet/intel/ice/Makefile:61:ice-$(CONFIG_ICE_SWITCHDEV) += ice_eswitch.o ice_eswitch_br.o\ndrivers/net/ethernet/intel/ice/Makefile-62-ice-$(CONFIG_GNSS) += ice_gnss.o\ndrivers/net/ethernet/intel/ice/Makefile:63:ice-$(CONFIG_ICE_HWMON) += ice_hwmon.o\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.h-9-\ndrivers/net/ethernet/intel/ice/ice_eswitch.h:10:#ifdef CONFIG_ICE_SWITCHDEV\ndrivers/net/ethernet/intel/ice/ice_eswitch.h-11-void ice_eswitch_detach_vf(struct ice_pf *pf, struct ice_vf *vf);\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.h=34=void ice_eswitch_decfg_vsi(struct ice_vsi *vsi, const u8 *mac);\ndrivers/net/ethernet/intel/ice/ice_eswitch.h:35:#else /* CONFIG_ICE_SWITCHDEV */\ndrivers/net/ethernet/intel/ice/ice_eswitch.h-36-static inline void\n--\ndrivers/net/ethernet/intel/ice/ice_eswitch.h=98=static inline void ice_eswitch_decfg_vsi(struct ice_vsi *vsi, const u8 *mac) { }\ndrivers/net/ethernet/intel/ice/ice_eswitch.h:99:#endif /* CONFIG_ICE_SWITCHDEV */\ndrivers/net/ethernet/intel/ice/ice_eswitch.h-100-#endif /* _ICE_ESWITCH_H_ */\n--\ndrivers/net/ethernet/intel/ice/ice_hwmon.h-6-\ndrivers/net/ethernet/intel/ice/ice_hwmon.h:7:#ifdef CONFIG_ICE_HWMON\ndrivers/net/ethernet/intel/ice/ice_hwmon.h-8-void ice_hwmon_init(struct ice_pf *pf);\ndrivers/net/ethernet/intel/ice/ice_hwmon.h=9=void ice_hwmon_exit(struct ice_pf *pf);\ndrivers/net/ethernet/intel/ice/ice_hwmon.h:10:#else /* CONFIG_ICE_HWMON */\ndrivers/net/ethernet/intel/ice/ice_hwmon.h-11-static inline void ice_hwmon_init(struct ice_pf *pf) { }\ndrivers/net/ethernet/intel/ice/ice_hwmon.h=12=static inline void ice_hwmon_exit(struct ice_pf *pf) { }\ndrivers/net/ethernet/intel/ice/ice_hwmon.h:13:#endif /* CONFIG_ICE_HWMON */\ndrivers/net/ethernet/intel/ice/ice_hwmon.h-14-\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c=2036=static const struct ice_crosststamp_cfg ice_crosststamp_cfg_e82x = {\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2048-\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2049:#ifdef CONFIG_ICE_HWTS\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2050-static const struct ice_crosststamp_cfg ice_crosststamp_cfg_e830 = {\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2062-\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2063:#endif /* CONFIG_ICE_HWTS */\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2064-/**\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c=2175=static int ice_ptp_getcrosststamp(struct ptp_clock_info *info,\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2188-\t\tbreak;\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2189:#ifdef CONFIG_ICE_HWTS\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2190-\tcase ICE_MAC_E830:\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2192-\t\tbreak;\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2193:#endif /* CONFIG_ICE_HWTS */\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2194-\tdefault:\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c=2523=static void ice_ptp_set_funcs_e830(struct ice_pf *pf)\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2524-{\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2525:#ifdef CONFIG_ICE_HWTS\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2526-\tif (pcie_ptm_enabled(pf-\u003epdev) \u0026\u0026 boot_cpu_has(X86_FEATURE_ART))\n--\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2528-\ndrivers/net/ethernet/intel/ice/ice_ptp.c:2529:#endif /* CONFIG_ICE_HWTS */\ndrivers/net/ethernet/intel/ice/ice_ptp.c-2530-\t/* Rest of the config is the same as base E810 */\n"
}

7/2

2026/06/22 11:55

llm

patch-evaluator

Model:

gemini-3.1-pro-preview

Args:

null

Results:

null

Tokens:

							input: 8452
							output: 92
							thoughts: 92

Thoughts:

**Analyzing the WorthFuzzing Flag for the `ice` Driver**

Okay, so I've been looking at this `ice` driver, which, as we know, is specifically designed for the Intel E800 Series PCIe network cards. This means it's a physical hardware driver, not something abstract. Now, considering my experience with virtualization, especially in environments like GCE and QEMU, it's clear there's no software emulation of this specific hardware or, for that matter, its driver present within either QEMU's or the standard Linux kernel codebase. If the hardware is not present, then its respective driver's functions are not likely to get invoked.

Given that, I'm forced to conclude that any code paths related to the `ice` driver are effectively unreachable within these virtualized environments. Therefore, there's no practical value in fuzzing this driver within a virtual context, as the intended conditions that would trigger the fuzzing do not exist.

Consequently, I'm going to set the `WorthFuzzing` flag to `false`. I believe my reasoning, based on the hardware dependence and the lack of emulation in common virtualization platforms, is sound. This is more of an assessment of practical feasibility rather than an intrinsic characteristic of the code. We can't safely test this in QEMU.

8/2

2026/06/22 11:55

tool

set-results

Args:

{
  "EnableConfigs": [],
  "FocusSymbols": [],
  "Reasoning": "The patch modifies the Intel Ethernet Connection E800 Series Linux Driver (ice). This driver is for physical PCIe hardware and lacks software emulation in QEMU or the Linux kernel. Therefore, the modified code paths are impossible to reach and test in virtualized environments like GCE or QEMU.",
  "WorthFuzzing": false
}

Results:

{
  "EnableConfigs": null,
  "FocusSymbols": [],
  "Reasoning": "The patch modifies the Intel Ethernet Connection E800 Series Linux Driver (ice). This driver is for physical PCIe hardware and lacks software emulation in QEMU or the Linux kernel. Therefore, the modified code paths are impossible to reach and test in virtualized environments like GCE or QEMU.",
  "WorthFuzzing": false
}

LLM Calls Summary:
Total Calls	Total Tokens	Avg Tokens	Total Duration (Seconds)	Avg Duration (Seconds)

Tool Calls Summary:
Total Calls	Total Duration (Seconds)	Avg Duration (Seconds)