From nobody Sat Feb 7 06:13:38 2026 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 719EA2DECA0 for ; Mon, 5 Jan 2026 23:25:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767655516; cv=none; b=Th2IcDrERL+J+3hy8s0WphqCVfthXuPQMrGBOqUCfeyH7CsaCeZ7fZtPoEZWIEnypcyVawG2tttZwvt6VvKa24HYx6zTChRnVIznSc1H4ryjy2Sox88XC4MlFOrLf7eT4uzIGgTLRu0803mTPot/yfjz1BI6Lneqn16r3ywEl9k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767655516; c=relaxed/simple; bh=VQ67d+cxAVjhU4M2j8i97cyQAifn3zmTtF/xVJaVNsY=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=ZVOlSFZ0BAmwU/t6P0xreD54uT0lj4F/dNl3i8Acy9gAvNdYpSvWBugdg1zDOBUvXXms5EDObtuf8W5X2NwO8F259ONvlPYj2nb/buiHy5x1DE6z00F/AOaapX5jlpwe69zbcKEsGWBlKohREOklDU0UEFWcSDQn/tJj5zNQmwk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--joshwash.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=xM5KiGKv; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--joshwash.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="xM5KiGKv" Received: by mail-pl1-f201.google.com with SMTP id d9443c01a7336-2a0a4b748a0so8301325ad.1 for ; Mon, 05 Jan 2026 15:25:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1767655515; x=1768260315; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=dv/AzMBffbd1t9Mo3netnMTGMz6k1glaV6nzZVsJtVU=; b=xM5KiGKvioYCJTgT5oLkNwbiIdp1i0htmbNb5AUgs6R1uZdIRiooStqt8637R4o0k0 BcetVC/iZ/V79iNHMMYRD0+yEf+TmeKz9vBdZiiFGbvVHrPIqOeiTOpLqMxtCAzELWPx U8McOxiGMJrfOKE6JkXJUKbetKWxe/+08DGWQFiQ88TKmkgMOLOGN2lnMVvXgGbhQ0De X4q3YCg89AkXiqdw00oUSlW0NDVuQ6X9y1tImc640yls+B+nsMm4QQk8B5E5hh7XvZP2 3LMFuANtqBDSyERFlOJz5mqgGsCwrh19BiB8rzIGlg4UJra9kfVpF6YecLHwTtlaqcZT jSIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767655515; x=1768260315; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=dv/AzMBffbd1t9Mo3netnMTGMz6k1glaV6nzZVsJtVU=; b=ZOfXhfVExQKXz76wzAU71RBwOfbqGzB82FRTj+kj6IJYei65WJUvaT0y8pPIJO/n6F z4MyR7S2fK4ev2N/VxJGdyuAQZ0+b+uEngsErmrHa3KrJ2Wf72WHFtXVxpy1myAhMYiO oEXYUjOVDyw3TVSWF2fNG+S0eGD9vQ3JSgUG/F48g/XEq1s0gcKK9JpPpF0Zi/sg4+kV ZEUFDkucZOrbDmMJ+S3SgcFzRuMaZCQv13wgRdDnTtIwtzZPdMfaVH9Y9xtSErrTvV5X Yq9QDQE0EUNL7nNngTTdw3gtdUj/RyFE+T2orzXBnVYLq067mHe4bYY7n8+s3+DZrQHA LELg== X-Forwarded-Encrypted: i=1; AJvYcCXO64U+YdwdqvF8Lrw/pgGa9dkhc5eASOSnbawUdr5/RVplPP+5T7J90dheHoyAoGlfEr1b1vgiEUCnueo=@vger.kernel.org X-Gm-Message-State: AOJu0YzcvaH1RpLZ5OMvsOPUEpzs6rkCfE9Zm+lBoRXHTbj9vTXW4q0H FUfUZOeU9xpLFvuhRpAq2gUKPxyozxQTF/JHCJ50lEAfFo5dbzxEOLuIyDeIIdw5ChMUlxHmaZT bDDmFGYC7m1CB+Q== X-Google-Smtp-Source: AGHT+IGZZwIyBUX7xyTYXcUilepjhdaGAz/44UQzr7Rgx6T6tVd+plSImOIDqYcmxFSYI3K9hlnpblJwmNDmBg== X-Received: from plxm9.prod.google.com ([2002:a17:902:db09:b0:29d:5afa:2d5]) (user=joshwash job=prod-delivery.src-stubby-dispatcher) by 2002:a17:903:4765:b0:2a0:e195:b846 with SMTP id d9443c01a7336-2a3e2df4b9emr9691705ad.54.1767655514648; Mon, 05 Jan 2026 15:25:14 -0800 (PST) Date: Mon, 5 Jan 2026 15:25:03 -0800 In-Reply-To: <20260105232504.3791806-1-joshwash@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20260105232504.3791806-1-joshwash@google.com> X-Mailer: git-send-email 2.52.0.351.gbe84eed79e-goog Message-ID: <20260105232504.3791806-2-joshwash@google.com> Subject: [PATCH net 1/2] gve: drop packets on invalid queue indices in GQI TX path From: Joshua Washington To: netdev@vger.kernel.org Cc: Joshua Washington , Harshitha Ramamurthy , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Willem de Bruijn , Ankit Garg , Praveen Kaligineedi , Catherine Sullivan , Luigi Rizzo , Jon Olson , Sagi Shahar , Bailey Forrest , linux-kernel@vger.kernel.org, stable@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ankit Garg The driver currently assumes that the skb queue mapping is within the range of configured TX queues. However, the stack may provide an index that exceeds the number of active queues. In GQI format, an out-of-range index triggered a warning but continues to dereference tx array, potentially causing a crash like below: [ 6.700970] Call Trace: [ 6.703576] ? __warn+0x94/0xe0 [ 6.706863] ? gve_tx+0xa9f/0xc30 [gve] [ 6.712223] ? gve_tx+0xa9f/0xc30 [gve] [ 6.716197] ? report_bug+0xb1/0xe0 [ 6.721195] ? do_error_trap+0x9e/0xd0 [ 6.725084] ? do_invalid_op+0x36/0x40 [ 6.730355] ? gve_tx+0xa9f/0xc30 [gve] [ 6.734353] ? invalid_op+0x14/0x20 [ 6.739372] ? gve_tx+0xa9f/0xc30 [gve] [ 6.743350] ? netif_skb_features+0xcf/0x2a0 [ 6.749137] dev_hard_start_xmit+0xd7/0x240 Change that behavior to log a warning and drop the packet. Cc: stable@vger.kernel.org Fixes: f5cedc84a30d ("gve: Add transmit and receive support") Signed-off-by: Ankit Garg Reviewed-by: Harshitha Ramamurthy Signed-off-by: Joshua Washington --- drivers/net/ethernet/google/gve/gve_tx.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/etherne= t/google/gve/gve_tx.c index 97efc8d..30d1686 100644 --- a/drivers/net/ethernet/google/gve/gve_tx.c +++ b/drivers/net/ethernet/google/gve/gve_tx.c @@ -739,12 +739,18 @@ drop: netdev_tx_t gve_tx(struct sk_buff *skb, struct net_device *dev) { struct gve_priv *priv =3D netdev_priv(dev); + u16 qid =3D skb_get_queue_mapping(skb); struct gve_tx_ring *tx; int nsegs; =20 - WARN(skb_get_queue_mapping(skb) >=3D priv->tx_cfg.num_queues, - "skb queue index out of range"); - tx =3D &priv->tx[skb_get_queue_mapping(skb)]; + if (unlikely(qid >=3D priv->tx_cfg.num_queues)) { + net_warn_ratelimited("%s: skb qid %d out of range, num tx queue %d. drop= ping packet", + dev->name, qid, priv->tx_cfg.num_queues); + dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + + tx =3D &priv->tx[qid]; if (unlikely(gve_maybe_stop_tx(priv, tx, skb))) { /* We need to ring the txq doorbell -- we have stopped the Tx * queue for want of resources, but prior calls to gve_tx() --=20 2.52.0.351.gbe84eed79e-goog