From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 73B543A1A41 for ; Thu, 7 May 2026 14:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778163908; cv=none; b=ozC87RHd2VoqMvkBbzZvV4t77RAkvgRj8XdWSU5VMkMv8NLWx7PlLDphZQhO6zGxCAWIBijVz6X+oOMcZkCwcvVsj9ms+DEPdTOIZkctM8aCdtv0uhA43mPpF+2XCf+s6W8aSg5jBprclMQhKIGH2Oos9tNzVBFEZQqduaqOx7o= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778163908; c=relaxed/simple; bh=rpONTYyBHvb3/ty0Cn6LLhwjJ8jU8C2TLAGIYKpBTSo=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=JdxFzGmAzWJfqq+tqLe6djx81pqcg351aXuV14ezHj3Jf05X7xOsHR+0hFvwZhzwtlx/C/zkIFGfj/K6lu7sEDYUdzSfnbxXUesV4itJ3xHxHInT/Hzo8+KL/ZB1YpHRSNZYjaoGRAxqNIVnUfYni7XfIItiVtnAJz7XuvmzMe4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=SCd+t8m8; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b=Oq37BxOo; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="SCd+t8m8"; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b="Oq37BxOo" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1778163906; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=IiqZW49hh0OIaoHIFoPmjirkZjGaDDvaDEv00sXgKKg=; b=SCd+t8m8Sd/Td4rBpvJ7O4QK2rEOcZz80cs6Gtiwo/JvqCGz8HaDQ5cw/VBqqURR6NrGSA rnBVt6FvnP4WFkk0c26OE+eq61EcGEOW7iEMZ0oUid3BmYEDHjzlSvqrooNuElF5xYIBN6 1eY75qHTQVwr49N/0J/g1POSGVPFFLY= Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com [209.85.221.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-689-1M2xqTNbMyKU5_0775AtjQ-1; Thu, 07 May 2026 10:25:05 -0400 X-MC-Unique: 1M2xqTNbMyKU5_0775AtjQ-1 X-Mimecast-MFC-AGG-ID: 1M2xqTNbMyKU5_0775AtjQ_1778163904 Received: by mail-wr1-f71.google.com with SMTP id ffacd0b85a97d-44f1b4d0fb0so655240f8f.1 for ; Thu, 07 May 2026 07:25:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=google; t=1778163904; x=1778768704; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=IiqZW49hh0OIaoHIFoPmjirkZjGaDDvaDEv00sXgKKg=; b=Oq37BxOoOHbOceTyj5i2vZVt5/WcPJG7tWmpXNCEdAOz9hT9C6oTHLBEEuSi6/G4qi D2Bs/T7gvtHgapM4sfsrZ4PqmIxjGLer30oNPWlYJ0X/D5ZgDEAJd0y/TMcMRPYzD9Sj gMv4vgGb8hMcfxyHnk6oGRjuvtkCuz0FSa6swGhWI9pYp+ezGycJnFwZdpTEMPPE7n/J Ns0Cj0e3TQfCMsIr1wzxhjZ1fYgGRX8vkaM9eBnHMYAgmMip0Z3mOG2DMlC2bGfIeFqy yobOSluxGTjeleTgJORYLaMl1Ad/wmmz+oHrlu9IWW7p61VYKYMG2+NXM7Oe+fjW0QDk GJbg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778163904; x=1778768704; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=IiqZW49hh0OIaoHIFoPmjirkZjGaDDvaDEv00sXgKKg=; b=rcAn1xBtqg/Cbeg644P8K9Q6VqoQjWNFVSDiUYycwvwYttkQvWlDTg/EIgd/+sNPTJ HesW1MmlacJACf8A9tsoO0kHym6mRxW8ywrAgtg+v7RDRN28aUmHDr7JonwBmHzS35H2 DxJ5MCe0emIucvLBzVNC5lrJAJwS9o0f68s7WbdNEXiLXKd7I2bskcncnj7Be0X6A5Ej Zmj0Mt2bTwSGODvpn3WK9siH6GoIE72taakeMhOQzpo2MLkVRp2+L9XYGgWtHvFtirWl 5sWMvnlp4qbmtJkiOGZH8v8cOMaePyISPl0ZsQpg7LUYtFSJGZZnZYuT/sEvurB1ZMD8 eiRw== X-Forwarded-Encrypted: i=1; AFNElJ9cS+W3x2LcdoKGCPxNDV1kRKtCKvJ/ElQjp1Eu5EvdNq2Q7EJDYksGRAOeAVfbcpU16gQMKtG3qxncO7g=@vger.kernel.org X-Gm-Message-State: AOJu0YzD+tO/aBrMLBMEojPeM6k8CH/64lB3Bd/ozLYFYu1Oshv99Iyr iZicxaDPBmSeTc4s3M4EWXSMJG2lynueE26+rAS0d1Ncz6OQFCOt6HGSbOCOL71BS1rYaN14/Yq p1JHmsGHpZjjYt0J7N0qQQD+H3HaytC3DlERTP5/pufSVtV8zKXZWv/2+AkTHF1nptQ== X-Gm-Gg: AeBDiesmxFW/nQsRByeU8sBAfHvqxmXx6nqGY4lM7sHtzp0qx6sPRaKlOLgEHmiusD2 zd49AxrJ5t3NQiGS9Chi5ijGeYsSOlkFJDl5h3fY8rCPauo+SgtLiWqGjsq3rQJdhC5/Z/wwtIR pO/oY9DvUbP0zW8jFgPa0iDuyImK509Ue/5IYi8aNmITWIPgv8PXOPrDup0hqHqaeJUi1gJHMxd x+yO5VZ5lHlmi3/IUjg5wzvYj+a+u03XDWcDjxqFXW9VfgTKWDDav4iQ8uxYDcl6FOUfU2EJBg4 JFRlNS4fcPZ1tpPskzvG3VAbtzwGlA+aNOScJFRCiTONyklYOxfKuZ+YO+oIlhJZkt/pwm4d9+X bZoBgGePIJSpPGYRcOEkaGKl5o1OMGUpHqCoGT/817mS/x3ucVAbpccXLTluOEX7/rA== X-Received: by 2002:a05:6000:2304:b0:44a:52d5:e4f1 with SMTP id ffacd0b85a97d-4515b057373mr13747071f8f.5.1778163903165; Thu, 07 May 2026 07:25:03 -0700 (PDT) X-Received: by 2002:a05:6000:2304:b0:44a:52d5:e4f1 with SMTP id ffacd0b85a97d-4515b057373mr13746976f8f.5.1778163902357; Thu, 07 May 2026 07:25:02 -0700 (PDT) Received: from [192.168.88.32] ([150.228.93.82]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-45055960022sm21167533f8f.26.2026.05.07.07.25.01 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 07 May 2026 07:25:01 -0700 (PDT) Message-ID: <295255d8-ef21-4d0e-b651-74ec1d21f51c@redhat.com> Date: Thu, 7 May 2026 16:25:00 +0200 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH net-next v5 1/5] veth: fix OOB txq access in veth_poll() with asymmetric queue counts To: hawk@kernel.org, netdev@vger.kernel.org Cc: kernel-team@cloudflare.com, Sashiko , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Alexei Starovoitov , Daniel Borkmann , John Fastabend , Stanislav Fomichev , Toshiaki Makita , linux-kernel@vger.kernel.org, bpf@vger.kernel.org References: <20260505132159.241305-1-hawk@kernel.org> <20260505132159.241305-2-hawk@kernel.org> Content-Language: en-US From: Paolo Abeni In-Reply-To: <20260505132159.241305-2-hawk@kernel.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 5/5/26 3:21 PM, hawk@kernel.org wrote: > From: Jesper Dangaard Brouer > > XDP redirect into a veth device (via bpf_redirect()) calls > veth_xdp_xmit(), which enqueues frames into the peer's ptr_ring using > smp_processor_id() % peer->real_num_rx_queues > as the ring index. With an asymmetric veth pair where the peer has > fewer TX queues than RX queues, that index can exceed > peer->real_num_tx_queues. > > veth_poll() then resolves peer_txq for the ring via: > > peer_txq = peer_dev ? netdev_get_tx_queue(peer_dev, queue_idx) : NULL; > > where queue_idx = rq->xdp_rxq.queue_index. When queue_idx exceeds > peer_dev->real_num_tx_queues this is an out-of-bounds (OOB) access > into the peer's netdev_queue array, triggering DEBUG_NET_WARN_ON_ONCE > in netdev_get_tx_queue(). > > The normal ndo_start_xmit path is not affected: the stack clamps > skb->queue_mapping via netdev_cap_txqueue() before invoking > ndo_start_xmit, so rxq in veth_xmit() never exceeds real_num_tx_queues. > > Fix veth_poll() by clamping: only dereference peer_txq when queue_idx is > within bounds, otherwise set it to NULL. The out-of-range rings are fed > exclusively via XDP redirect (veth_xdp_xmit), never via ndo_start_xmit > (veth_xmit), so the peer txq was never stopped and there is nothing to > wake; NULL is the correct fallback. > > Reported-by: Sashiko > Closes: https://lore.kernel.org/all/20260502071828.616C3C19425@smtp.kernel.org/ > Fixes: dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to reduce TX drops") > Signed-off-by: Jesper Dangaard Brouer This looks fairly uncontroversial, but it's IMHO net material. Let me apply it there. /P