| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260105232504.3791806-2-joshwash@google.com>
Date: Mon, 5 Jan 2026 15:25:03 -0800
From: Joshua Washington <joshwash@...gle.com>
To: netdev@...r.kernel.org
Cc: Joshua Washington <joshwash@...gle.com>, Harshitha Ramamurthy <hramamurthy@...gle.com>,
Andrew Lunn <andrew+netdev@...n.ch>, "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Willem de Bruijn <willemb@...gle.com>, Ankit Garg <nktgrg@...gle.com>,
Praveen Kaligineedi <pkaligineedi@...gle.com>, Catherine Sullivan <csully@...gle.com>,
Luigi Rizzo <lrizzo@...gle.com>, Jon Olson <jonolson@...gle.com>, Sagi Shahar <sagis@...gle.com>,
Bailey Forrest <bcf@...gle.com>, linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: [PATCH net 1/2] gve: drop packets on invalid queue indices in GQI TX path
From: Ankit Garg <nktgrg@...gle.com>
The driver currently assumes that the skb queue mapping is within the
range of configured TX queues. However, the stack may provide an index
that exceeds the number of active queues.
In GQI format, an out-of-range index triggered a warning but continues
to dereference tx array, potentially causing a crash like below:
[ 6.700970] Call Trace:
[ 6.703576] ? __warn+0x94/0xe0
[ 6.706863] ? gve_tx+0xa9f/0xc30 [gve]
[ 6.712223] ? gve_tx+0xa9f/0xc30 [gve]
[ 6.716197] ? report_bug+0xb1/0xe0
[ 6.721195] ? do_error_trap+0x9e/0xd0
[ 6.725084] ? do_invalid_op+0x36/0x40
[ 6.730355] ? gve_tx+0xa9f/0xc30 [gve]
[ 6.734353] ? invalid_op+0x14/0x20
[ 6.739372] ? gve_tx+0xa9f/0xc30 [gve]
[ 6.743350] ? netif_skb_features+0xcf/0x2a0
[ 6.749137] dev_hard_start_xmit+0xd7/0x240
Change that behavior to log a warning and drop the packet.
Cc: stable@...r.kernel.org
Fixes: f5cedc84a30d ("gve: Add transmit and receive support")
Signed-off-by: Ankit Garg <nktgrg@...gle.com>
Reviewed-by: Harshitha Ramamurthy <hramamurthy@...gle.com>
Signed-off-by: Joshua Washington <joshwash@...gle.com>
---
drivers/net/ethernet/google/gve/gve_tx.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/ethernet/google/gve/gve_tx.c
index 97efc8d..30d1686 100644
--- a/drivers/net/ethernet/google/gve/gve_tx.c
+++ b/drivers/net/ethernet/google/gve/gve_tx.c
@@ -739,12 +739,18 @@ drop:
netdev_tx_t gve_tx(struct sk_buff *skb, struct net_device *dev)
{
struct gve_priv *priv = netdev_priv(dev);
+ u16 qid = skb_get_queue_mapping(skb);
struct gve_tx_ring *tx;
int nsegs;
- WARN(skb_get_queue_mapping(skb) >= priv->tx_cfg.num_queues,
- "skb queue index out of range");
- tx = &priv->tx[skb_get_queue_mapping(skb)];
+ if (unlikely(qid >= priv->tx_cfg.num_queues)) {
+ net_warn_ratelimited("%s: skb qid %d out of range, num tx queue %d. dropping packet",
+ dev->name, qid, priv->tx_cfg.num_queues);
+ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+ tx = &priv->tx[qid];
if (unlikely(gve_maybe_stop_tx(priv, tx, skb))) {
/* We need to ring the txq doorbell -- we have stopped the Tx
* queue for want of resources, but prior calls to gve_tx()
--
2.52.0.351.gbe84eed79e-goog
Powered by blists - more mailing lists