From nobody Sat Feb  7 07:24:35 2026
Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com
 [209.85.214.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B9C4D312800
	for <linux-kernel@vger.kernel.org>; Mon,  5 Jan 2026 23:25:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1767655521; cv=none;
 b=QVhSO3xXmxnd/kJqcYprDjgAYGTQLsv6j/eiRX4AJ+xcujtou+YyaEv0WlPmsGaJpa0f972fGP/ej01zA3mp9jQo6QP0bQo6m3esM6CL5EK+VQAbqtWnrom1ldSphHgyhs//olhT3nnqPL9HLikXDgmGOz9CX+CEwQSjiWYiOaA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1767655521; c=relaxed/simple;
	bh=js80mMuNlBOELx5P2UoLJmgXleXwUwNvjgLX75BgXhY=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=Ufhkw1u/Re0bnyAKAZNSW84WEF6kvelWKXl+MixJ/Pdz2ZbLeKqzr7NKwRF1BTg8uZfYJ6r9JnT2Cn55UhYbK7d8Oi/PMndvFt1I9alR0rdi00F1jDcgQbTN/7wf1aQkmoyrvMVMUSNLxgmm4cxdUYM6GKUg+SQo7/tkwljRRV8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--joshwash.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=e1KfrNlL; arc=none smtp.client-ip=209.85.214.201
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--joshwash.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="e1KfrNlL"
Received: by mail-pl1-f201.google.com with SMTP id
 d9443c01a7336-2a31087af17so15546485ad.1
        for <linux-kernel@vger.kernel.org>;
 Mon, 05 Jan 2026 15:25:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1767655518; x=1768260318;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=CaBC/zjYASseD43BuH+r33jZDmmTVbBGwAo1c95yI+w=;
        b=e1KfrNlL5iJhICSoJX19mnFU/cQ4b1WQT8j8QD0lNGLmt1W+qNr2Cc3yODwY9qr1IG
         Ozaz+MA29a39UvOiprKDeTPGNOmztMuk+dCmM/HyXaTgi8Mabd2kp0Kq3SJboS7drEen
         OL9Pihz0tRzjjHQiS+KZ4rbyvPyB6rQTiuUgQnOKXvwNGvN+erRoszBaAQi5Df6PZVVe
         DtnAT+FJbmlbHj7+ntedsBdH7kWqMA2zzwMbNSUQlmoWwW51v7uV+hhczCFg4hQ9wLNE
         juOeRHnzCEYtY4wnCxkj52ACAYvy11JQdcKYRV2/gquUQxta5HzjyrCciemFFEe9ePVh
         GwyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1767655518; x=1768260318;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=CaBC/zjYASseD43BuH+r33jZDmmTVbBGwAo1c95yI+w=;
        b=M+VnM4FLAyC/tp20Zk7QvTE958JZP7TDCQoT3A5IW2udZuezIpH4WMJs8V1FjFeyy+
         jLBay+NTNYVSIvtjDTw6WpfWTnN6WEl/xdJ8gydbGMeBbcaA22CMjjZH6AFSJoXVhQFO
         J0k04Kam4tPXMna7Vvz66is5qc9wDVD/3YYZXqsIYbgMJgiC053bCBVhGxnkB/y7R7M+
         GGmRl2oDnlQX4b6tUOXRMEa0EUBPdRL8T9JN7IG4m6sfk7+97q+W//ZXZzuMWmcqceEl
         4adrqkL/ygGmpy7EDSAkH3xMSBwdcdCUQgcezV0u/TD5DBbDZrNs+ytndniboZs0aPwN
         TnaA==
X-Forwarded-Encrypted: i=1;
 AJvYcCUVh9xphPLrIM7X/j5bH0F0/XUDfyaFDuwE7o1pC9npWGS7TsGrHerHHtxyVEkrKhWxVVQKC32HSdPk/iA=@vger.kernel.org
X-Gm-Message-State: AOJu0Yw6Qu+lr9UUMc9rlbh188GRJoNP4/jA8Z6JzG9mAG3AXdEC/tBt
	zPfQ1KgKVZ2+hC67odi1DBKwv7nUC0SXKcWXYKtB5fR5xJwfUEhj8tx49vPlc50virOSGxUYxX5
	M5YV1cPaHqPlikw==
X-Google-Smtp-Source: 
 AGHT+IHXpHpj9+WxYW0qaP3FdAeMzFc4rHpm9LwJDeBgnInJ161+oTAeH7D0fibEzqWpHxxkCLrrXNQTPtnIug==
X-Received: from plht14.prod.google.com ([2002:a17:903:2f0e:b0:295:50ce:4dd])
 (user=joshwash job=prod-delivery.src-stubby-dispatcher) by
 2002:a17:903:1cc:b0:2a1:325b:2cba with SMTP id
 d9443c01a7336-2a3e2e1e6b0mr10915985ad.53.1767655517984;
 Mon, 05 Jan 2026 15:25:17 -0800 (PST)
Date: Mon,  5 Jan 2026 15:25:04 -0800
In-Reply-To: <20260105232504.3791806-1-joshwash@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260105232504.3791806-1-joshwash@google.com>
X-Mailer: git-send-email 2.52.0.351.gbe84eed79e-goog
Message-ID: <20260105232504.3791806-3-joshwash@google.com>
Subject: [PATCH net 2/2] gve: drop packets on invalid queue indices in DQO TX
 path
From: Joshua Washington <joshwash@google.com>
To: netdev@vger.kernel.org
Cc: Joshua Washington <joshwash@google.com>,
 Harshitha Ramamurthy <hramamurthy@google.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>, "David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>,
	Willem de Bruijn <willemb@google.com>, Ankit Garg <nktgrg@google.com>,
	Praveen Kaligineedi <pkaligineedi@google.com>,
 Catherine Sullivan <csully@google.com>,
	Luigi Rizzo <lrizzo@google.com>, Jon Olson <jonolson@google.com>,
 Sagi Shahar <sagis@google.com>,
	Bailey Forrest <bcf@google.com>, linux-kernel@vger.kernel.org,
 stable@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Ankit Garg <nktgrg@google.com>

The driver currently assumes that the skb queue mapping is within the
range of configured TX queues. However, the stack may provide an index
that exceeds the number of active queues.

In DQO format, driver doesn't perform any validation and continues to
dereference tx array, potentially causing a crash like below (trace is
from GQI format, but how we handle OOB queue is same in both formats).

[    6.700970] Call Trace:
[    6.703576]  ? __warn+0x94/0xe0
[    6.706863]  ? gve_tx+0xa9f/0xc30 [gve]
[    6.712223]  ? gve_tx+0xa9f/0xc30 [gve]
[    6.716197]  ? report_bug+0xb1/0xe0
[    6.721195]  ? do_error_trap+0x9e/0xd0
[    6.725084]  ? do_invalid_op+0x36/0x40
[    6.730355]  ? gve_tx+0xa9f/0xc30 [gve]
[    6.734353]  ? invalid_op+0x14/0x20
[    6.739372]  ? gve_tx+0xa9f/0xc30 [gve]
[    6.743350]  ? netif_skb_features+0xcf/0x2a0
[    6.749137]  dev_hard_start_xmit+0xd7/0x240

Change that behavior to log a warning and drop the packet.

Cc: stable@vger.kernel.org
Fixes: a57e5de476be ("gve: DQO: Add TX path")
Signed-off-by: Ankit Garg <nktgrg@google.com>
Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
Signed-off-by: Joshua Washington <joshwash@google.com>
---
 drivers/net/ethernet/google/gve/gve_tx_dqo.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/eth=
ernet/google/gve/gve_tx_dqo.c
index 40b89b3..8ebcc84 100644
--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
@@ -1045,9 +1045,16 @@ static void gve_xsk_reorder_queue_pop_dqo(struct gve=
_tx_ring *tx)
 netdev_tx_t gve_tx_dqo(struct sk_buff *skb, struct net_device *dev)
 {
 	struct gve_priv *priv =3D netdev_priv(dev);
+	u16 qid =3D skb_get_queue_mapping(skb);
 	struct gve_tx_ring *tx;

-	tx =3D &priv->tx[skb_get_queue_mapping(skb)];
+	if (unlikely(qid >=3D priv->tx_cfg.num_queues)) {
+		net_warn_ratelimited("%s: skb qid %d out of range, num tx queue %d. drop=
ping packet",
+				     dev->name, qid, priv->tx_cfg.num_queues);
+		dev_kfree_skb_any(skb);
+		return NETDEV_TX_OK;
+	}
+	tx =3D &priv->tx[qid];
 	if (unlikely(gve_try_tx_skb(priv, tx, skb) < 0)) {
 		/* We need to ring the txq doorbell -- we have stopped the Tx
 		 * queue for want of resources, but prior calls to gve_tx()
--
2.52.0.351.gbe84eed79e-goog