From nobody Sat Feb 7 05:01:13 2026 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 719EA2DECA0 for ; Mon, 5 Jan 2026 23:25:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767655516; cv=none; b=Th2IcDrERL+J+3hy8s0WphqCVfthXuPQMrGBOqUCfeyH7CsaCeZ7fZtPoEZWIEnypcyVawG2tttZwvt6VvKa24HYx6zTChRnVIznSc1H4ryjy2Sox88XC4MlFOrLf7eT4uzIGgTLRu0803mTPot/yfjz1BI6Lneqn16r3ywEl9k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767655516; c=relaxed/simple; bh=VQ67d+cxAVjhU4M2j8i97cyQAifn3zmTtF/xVJaVNsY=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=ZVOlSFZ0BAmwU/t6P0xreD54uT0lj4F/dNl3i8Acy9gAvNdYpSvWBugdg1zDOBUvXXms5EDObtuf8W5X2NwO8F259ONvlPYj2nb/buiHy5x1DE6z00F/AOaapX5jlpwe69zbcKEsGWBlKohREOklDU0UEFWcSDQn/tJj5zNQmwk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--joshwash.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=xM5KiGKv; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--joshwash.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="xM5KiGKv" Received: by mail-pl1-f201.google.com with SMTP id d9443c01a7336-2a0a4b748a0so8301325ad.1 for ; Mon, 05 Jan 2026 15:25:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1767655515; x=1768260315; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=dv/AzMBffbd1t9Mo3netnMTGMz6k1glaV6nzZVsJtVU=; b=xM5KiGKvioYCJTgT5oLkNwbiIdp1i0htmbNb5AUgs6R1uZdIRiooStqt8637R4o0k0 BcetVC/iZ/V79iNHMMYRD0+yEf+TmeKz9vBdZiiFGbvVHrPIqOeiTOpLqMxtCAzELWPx U8McOxiGMJrfOKE6JkXJUKbetKWxe/+08DGWQFiQ88TKmkgMOLOGN2lnMVvXgGbhQ0De X4q3YCg89AkXiqdw00oUSlW0NDVuQ6X9y1tImc640yls+B+nsMm4QQk8B5E5hh7XvZP2 3LMFuANtqBDSyERFlOJz5mqgGsCwrh19BiB8rzIGlg4UJra9kfVpF6YecLHwTtlaqcZT jSIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767655515; x=1768260315; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=dv/AzMBffbd1t9Mo3netnMTGMz6k1glaV6nzZVsJtVU=; b=ZOfXhfVExQKXz76wzAU71RBwOfbqGzB82FRTj+kj6IJYei65WJUvaT0y8pPIJO/n6F z4MyR7S2fK4ev2N/VxJGdyuAQZ0+b+uEngsErmrHa3KrJ2Wf72WHFtXVxpy1myAhMYiO oEXYUjOVDyw3TVSWF2fNG+S0eGD9vQ3JSgUG/F48g/XEq1s0gcKK9JpPpF0Zi/sg4+kV ZEUFDkucZOrbDmMJ+S3SgcFzRuMaZCQv13wgRdDnTtIwtzZPdMfaVH9Y9xtSErrTvV5X Yq9QDQE0EUNL7nNngTTdw3gtdUj/RyFE+T2orzXBnVYLq067mHe4bYY7n8+s3+DZrQHA LELg== X-Forwarded-Encrypted: i=1; AJvYcCXO64U+YdwdqvF8Lrw/pgGa9dkhc5eASOSnbawUdr5/RVplPP+5T7J90dheHoyAoGlfEr1b1vgiEUCnueo=@vger.kernel.org X-Gm-Message-State: AOJu0YzcvaH1RpLZ5OMvsOPUEpzs6rkCfE9Zm+lBoRXHTbj9vTXW4q0H FUfUZOeU9xpLFvuhRpAq2gUKPxyozxQTF/JHCJ50lEAfFo5dbzxEOLuIyDeIIdw5ChMUlxHmaZT bDDmFGYC7m1CB+Q== X-Google-Smtp-Source: AGHT+IGZZwIyBUX7xyTYXcUilepjhdaGAz/44UQzr7Rgx6T6tVd+plSImOIDqYcmxFSYI3K9hlnpblJwmNDmBg== X-Received: from plxm9.prod.google.com ([2002:a17:902:db09:b0:29d:5afa:2d5]) (user=joshwash job=prod-delivery.src-stubby-dispatcher) by 2002:a17:903:4765:b0:2a0:e195:b846 with SMTP id d9443c01a7336-2a3e2df4b9emr9691705ad.54.1767655514648; Mon, 05 Jan 2026 15:25:14 -0800 (PST) Date: Mon, 5 Jan 2026 15:25:03 -0800 In-Reply-To: <20260105232504.3791806-1-joshwash@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20260105232504.3791806-1-joshwash@google.com> X-Mailer: git-send-email 2.52.0.351.gbe84eed79e-goog Message-ID: <20260105232504.3791806-2-joshwash@google.com> Subject: [PATCH net 1/2] gve: drop packets on invalid queue indices in GQI TX path From: Joshua Washington To: netdev@vger.kernel.org Cc: Joshua Washington , Harshitha Ramamurthy , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Willem de Bruijn , Ankit Garg , Praveen Kaligineedi , Catherine Sullivan , Luigi Rizzo , Jon Olson , Sagi Shahar , Bailey Forrest , linux-kernel@vger.kernel.org, stable@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ankit Garg The driver currently assumes that the skb queue mapping is within the range of configured TX queues. However, the stack may provide an index that exceeds the number of active queues. In GQI format, an out-of-range index triggered a warning but continues to dereference tx array, potentially causing a crash like below: [ 6.700970] Call Trace: [ 6.703576] ? __warn+0x94/0xe0 [ 6.706863] ? gve_tx+0xa9f/0xc30 [gve] [ 6.712223] ? gve_tx+0xa9f/0xc30 [gve] [ 6.716197] ? report_bug+0xb1/0xe0 [ 6.721195] ? do_error_trap+0x9e/0xd0 [ 6.725084] ? do_invalid_op+0x36/0x40 [ 6.730355] ? gve_tx+0xa9f/0xc30 [gve] [ 6.734353] ? invalid_op+0x14/0x20 [ 6.739372] ? gve_tx+0xa9f/0xc30 [gve] [ 6.743350] ? netif_skb_features+0xcf/0x2a0 [ 6.749137] dev_hard_start_xmit+0xd7/0x240 Change that behavior to log a warning and drop the packet. Cc: stable@vger.kernel.org Fixes: f5cedc84a30d ("gve: Add transmit and receive support") Signed-off-by: Ankit Garg Reviewed-by: Harshitha Ramamurthy Signed-off-by: Joshua Washington --- drivers/net/ethernet/google/gve/gve_tx.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/etherne= t/google/gve/gve_tx.c index 97efc8d..30d1686 100644 --- a/drivers/net/ethernet/google/gve/gve_tx.c +++ b/drivers/net/ethernet/google/gve/gve_tx.c @@ -739,12 +739,18 @@ drop: netdev_tx_t gve_tx(struct sk_buff *skb, struct net_device *dev) { struct gve_priv *priv =3D netdev_priv(dev); + u16 qid =3D skb_get_queue_mapping(skb); struct gve_tx_ring *tx; int nsegs; =20 - WARN(skb_get_queue_mapping(skb) >=3D priv->tx_cfg.num_queues, - "skb queue index out of range"); - tx =3D &priv->tx[skb_get_queue_mapping(skb)]; + if (unlikely(qid >=3D priv->tx_cfg.num_queues)) { + net_warn_ratelimited("%s: skb qid %d out of range, num tx queue %d. drop= ping packet", + dev->name, qid, priv->tx_cfg.num_queues); + dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + + tx =3D &priv->tx[qid]; if (unlikely(gve_maybe_stop_tx(priv, tx, skb))) { /* We need to ring the txq doorbell -- we have stopped the Tx * queue for want of resources, but prior calls to gve_tx() --=20 2.52.0.351.gbe84eed79e-goog From nobody Sat Feb 7 05:01:13 2026 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B9C4D312800 for ; Mon, 5 Jan 2026 23:25:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767655521; cv=none; b=QVhSO3xXmxnd/kJqcYprDjgAYGTQLsv6j/eiRX4AJ+xcujtou+YyaEv0WlPmsGaJpa0f972fGP/ej01zA3mp9jQo6QP0bQo6m3esM6CL5EK+VQAbqtWnrom1ldSphHgyhs//olhT3nnqPL9HLikXDgmGOz9CX+CEwQSjiWYiOaA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767655521; c=relaxed/simple; bh=js80mMuNlBOELx5P2UoLJmgXleXwUwNvjgLX75BgXhY=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=Ufhkw1u/Re0bnyAKAZNSW84WEF6kvelWKXl+MixJ/Pdz2ZbLeKqzr7NKwRF1BTg8uZfYJ6r9JnT2Cn55UhYbK7d8Oi/PMndvFt1I9alR0rdi00F1jDcgQbTN/7wf1aQkmoyrvMVMUSNLxgmm4cxdUYM6GKUg+SQo7/tkwljRRV8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--joshwash.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=e1KfrNlL; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--joshwash.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="e1KfrNlL" Received: by mail-pl1-f201.google.com with SMTP id d9443c01a7336-2a31087af17so15546485ad.1 for ; Mon, 05 Jan 2026 15:25:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1767655518; x=1768260318; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=CaBC/zjYASseD43BuH+r33jZDmmTVbBGwAo1c95yI+w=; b=e1KfrNlL5iJhICSoJX19mnFU/cQ4b1WQT8j8QD0lNGLmt1W+qNr2Cc3yODwY9qr1IG Ozaz+MA29a39UvOiprKDeTPGNOmztMuk+dCmM/HyXaTgi8Mabd2kp0Kq3SJboS7drEen OL9Pihz0tRzjjHQiS+KZ4rbyvPyB6rQTiuUgQnOKXvwNGvN+erRoszBaAQi5Df6PZVVe DtnAT+FJbmlbHj7+ntedsBdH7kWqMA2zzwMbNSUQlmoWwW51v7uV+hhczCFg4hQ9wLNE juOeRHnzCEYtY4wnCxkj52ACAYvy11JQdcKYRV2/gquUQxta5HzjyrCciemFFEe9ePVh GwyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767655518; x=1768260318; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=CaBC/zjYASseD43BuH+r33jZDmmTVbBGwAo1c95yI+w=; b=M+VnM4FLAyC/tp20Zk7QvTE958JZP7TDCQoT3A5IW2udZuezIpH4WMJs8V1FjFeyy+ jLBay+NTNYVSIvtjDTw6WpfWTnN6WEl/xdJ8gydbGMeBbcaA22CMjjZH6AFSJoXVhQFO J0k04Kam4tPXMna7Vvz66is5qc9wDVD/3YYZXqsIYbgMJgiC053bCBVhGxnkB/y7R7M+ GGmRl2oDnlQX4b6tUOXRMEa0EUBPdRL8T9JN7IG4m6sfk7+97q+W//ZXZzuMWmcqceEl 4adrqkL/ygGmpy7EDSAkH3xMSBwdcdCUQgcezV0u/TD5DBbDZrNs+ytndniboZs0aPwN TnaA== X-Forwarded-Encrypted: i=1; AJvYcCUVh9xphPLrIM7X/j5bH0F0/XUDfyaFDuwE7o1pC9npWGS7TsGrHerHHtxyVEkrKhWxVVQKC32HSdPk/iA=@vger.kernel.org X-Gm-Message-State: AOJu0Yw6Qu+lr9UUMc9rlbh188GRJoNP4/jA8Z6JzG9mAG3AXdEC/tBt zPfQ1KgKVZ2+hC67odi1DBKwv7nUC0SXKcWXYKtB5fR5xJwfUEhj8tx49vPlc50virOSGxUYxX5 M5YV1cPaHqPlikw== X-Google-Smtp-Source: AGHT+IHXpHpj9+WxYW0qaP3FdAeMzFc4rHpm9LwJDeBgnInJ161+oTAeH7D0fibEzqWpHxxkCLrrXNQTPtnIug== X-Received: from plht14.prod.google.com ([2002:a17:903:2f0e:b0:295:50ce:4dd]) (user=joshwash job=prod-delivery.src-stubby-dispatcher) by 2002:a17:903:1cc:b0:2a1:325b:2cba with SMTP id d9443c01a7336-2a3e2e1e6b0mr10915985ad.53.1767655517984; Mon, 05 Jan 2026 15:25:17 -0800 (PST) Date: Mon, 5 Jan 2026 15:25:04 -0800 In-Reply-To: <20260105232504.3791806-1-joshwash@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20260105232504.3791806-1-joshwash@google.com> X-Mailer: git-send-email 2.52.0.351.gbe84eed79e-goog Message-ID: <20260105232504.3791806-3-joshwash@google.com> Subject: [PATCH net 2/2] gve: drop packets on invalid queue indices in DQO TX path From: Joshua Washington To: netdev@vger.kernel.org Cc: Joshua Washington , Harshitha Ramamurthy , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Willem de Bruijn , Ankit Garg , Praveen Kaligineedi , Catherine Sullivan , Luigi Rizzo , Jon Olson , Sagi Shahar , Bailey Forrest , linux-kernel@vger.kernel.org, stable@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ankit Garg The driver currently assumes that the skb queue mapping is within the range of configured TX queues. However, the stack may provide an index that exceeds the number of active queues. In DQO format, driver doesn't perform any validation and continues to dereference tx array, potentially causing a crash like below (trace is from GQI format, but how we handle OOB queue is same in both formats). [ 6.700970] Call Trace: [ 6.703576] ? __warn+0x94/0xe0 [ 6.706863] ? gve_tx+0xa9f/0xc30 [gve] [ 6.712223] ? gve_tx+0xa9f/0xc30 [gve] [ 6.716197] ? report_bug+0xb1/0xe0 [ 6.721195] ? do_error_trap+0x9e/0xd0 [ 6.725084] ? do_invalid_op+0x36/0x40 [ 6.730355] ? gve_tx+0xa9f/0xc30 [gve] [ 6.734353] ? invalid_op+0x14/0x20 [ 6.739372] ? gve_tx+0xa9f/0xc30 [gve] [ 6.743350] ? netif_skb_features+0xcf/0x2a0 [ 6.749137] dev_hard_start_xmit+0xd7/0x240 Change that behavior to log a warning and drop the packet. Cc: stable@vger.kernel.org Fixes: a57e5de476be ("gve: DQO: Add TX path") Signed-off-by: Ankit Garg Reviewed-by: Harshitha Ramamurthy Signed-off-by: Joshua Washington --- drivers/net/ethernet/google/gve/gve_tx_dqo.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/eth= ernet/google/gve/gve_tx_dqo.c index 40b89b3..8ebcc84 100644 --- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c +++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c @@ -1045,9 +1045,16 @@ static void gve_xsk_reorder_queue_pop_dqo(struct gve= _tx_ring *tx) netdev_tx_t gve_tx_dqo(struct sk_buff *skb, struct net_device *dev) { struct gve_priv *priv =3D netdev_priv(dev); + u16 qid =3D skb_get_queue_mapping(skb); struct gve_tx_ring *tx; - tx =3D &priv->tx[skb_get_queue_mapping(skb)]; + if (unlikely(qid >=3D priv->tx_cfg.num_queues)) { + net_warn_ratelimited("%s: skb qid %d out of range, num tx queue %d. drop= ping packet", + dev->name, qid, priv->tx_cfg.num_queues); + dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + tx =3D &priv->tx[qid]; if (unlikely(gve_try_tx_skb(priv, tx, skb) < 0)) { /* We need to ring the txq doorbell -- we have stopped the Tx * queue for want of resources, but prior calls to gve_tx() -- 2.52.0.351.gbe84eed79e-goog