Date: Fri, 13 Feb 2026 16:12:26 -0800
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260214001226.744193-1-joshwash@google.com>
Subject:
[PATCH net] gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL
From: Joshua Washington
To: netdev@vger.kernel.org
Cc: Joshua Washington, Harshitha Ramamurthy, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Willem de Bruijn, Praveen Kaligineedi, Rushil Gupta, Bailey Forrest, linux-kernel@vger.kernel.org, Ankit Garg, stable@vger.kernel.org, Jordan Rhee
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Ankit Garg

In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA
buffer cleanup path. It iterates num_bufs times and attempts to unmap
entries in the dma array.

This leads to two issues:

1. The dma array shares storage with tx_qpl_buf_ids (union).
   Interpreting buffer IDs as DMA addresses results in attempting to
   unmap incorrect memory locations.
2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed
   the size of the dma array, causing out-of-bounds access warnings
   (trace below is how we noticed this issue).

  UBSAN: array-index-out-of-bounds in drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5
  index 18 is out of range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')
  Workqueue: gve gve_service_task [gve]
  Call Trace:
   dump_stack_lvl+0x33/0xa0
   __ubsan_handle_out_of_bounds+0xdc/0x110
   gve_tx_stop_ring_dqo+0x182/0x200 [gve]
   gve_close+0x1be/0x450 [gve]
   gve_reset+0x99/0x120 [gve]
   gve_service_task+0x61/0x100 [gve]
   process_scheduled_works+0x1e9/0x380

Fix this by properly checking for QPL mode and delegating to
gve_free_tx_qpl_bufs() to reclaim the buffers.

Cc: stable@vger.kernel.org
Fixes: a6fb8d5a8b69 ("gve: Tx path for DQO-QPL")
Signed-off-by: Ankit Garg
Reviewed-by: Jordan Rhee
Reviewed-by: Harshitha Ramamurthy
Signed-off-by: Joshua Washington
---
 drivers/net/ethernet/google/gve/gve_tx_dqo.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/eth= ernet/google/gve/gve_tx_dqo.c index 40b89b3e..6a31cb49 100644 --- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c +++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c @@ -167,6 +167,9 @@ gve_free_pending_packet(struct gve_tx_ring *tx, } } =20 +static void gve_unmap_packet(struct device *dev, + struct gve_tx_pending_packet_dqo *pkt); + /* gve_tx_free_desc - Cleans up all pending tx requests and buffers. */ static void gve_tx_clean_pending_packets(struct gve_tx_ring *tx) @@ -176,21 +179,12 @@ static void gve_tx_clean_pending_packets(struct gve_t= x_ring *tx) for (i =3D 0; i < tx->dqo.num_pending_packets; i++) { struct gve_tx_pending_packet_dqo *cur_state =3D &tx->dqo.pending_packets[i]; - int j; - - for (j =3D 0; j < cur_state->num_bufs; j++) { - if (j =3D=3D 0) { - dma_unmap_single(tx->dev, - dma_unmap_addr(cur_state, dma[j]), - dma_unmap_len(cur_state, len[j]), - DMA_TO_DEVICE); - } else { - dma_unmap_page(tx->dev, - dma_unmap_addr(cur_state, dma[j]), - dma_unmap_len(cur_state, len[j]), - DMA_TO_DEVICE); - } - } + + if (tx->dqo.qpl) + gve_free_tx_qpl_bufs(tx, cur_state); + else + gve_unmap_packet(tx->dev, cur_state); + if (cur_state->skb) { dev_consume_skb_any(cur_state->skb); cur_state->skb =3D NULL; @@ -1165,6 +1159,9 @@ static void gve_unmap_packet(struct device *dev, { int i; =20 + if (!pkt->num_bufs) + return; + /* SKB linear portion is guaranteed to be mapped */ dma_unmap_single(dev, dma_unmap_addr(pkt, dma[0]), dma_unmap_len(pkt, len[0]), DMA_TO_DEVICE); --=20 2.53.0.273.g2a3d683680-goog
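
Review bot: The forward declaration of gve_unmap_packet() added in the first hunk (@@ -167,6 +167,9 @@) exists only because the definition sits near line 1159, after its new caller. That keeps the fix small for stable, which is reasonable, but a follow-up that moves gve_unmap_packet() above gve_tx_clean_pending_packets() would let the prototype go. Separately, the context comment directly below the new declaration still reads "gve_tx_free_desc" while it documents gve_tx_clean_pending_packets(); worth correcting while this area is being touched.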
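
Review bot: In the second hunk (@@ -176,21 +179,12 @@), gve_free_tx_qpl_bufs(tx, cur_state) is now called for every slot in tx->dqo.pending_packets, including slots that hold no buffers, yet only the RDA helper gets an explicit num_bufs guard in this patch. Please confirm, ideally in the commit message, that gve_free_tx_qpl_bufs() is a no-op when cur_state->num_bufs is 0 and that it leaves num_bufs cleared, so a second pass over the ring during reset cannot return the same buffer IDs twice. Its body is not part of this diff, so neither property can be checked from the patch alone.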
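
Review bot: The early return added to gve_unmap_packet() in the third hunk (@@ -1165,6 +1159,9 @@) changes behaviour for every caller of the helper, not just the teardown loop, and the commit message does not mention it. The comment right below it, "SKB linear portion is guaranteed to be mapped", now holds only when num_bufs is non-zero; a short comment on the guard saying that gve_tx_clean_pending_packets() walks all pending-packet slots, including unused ones, would make that explicit. It is also worth stating in the changelog that the removed loop did nothing for num_bufs == 0 and that this guard preserves that, since gve_unmap_packet() would otherwise unmap dma[0] unconditionally.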