From: Simon Horman <horms@kernel.org>
To: nb@tipi-net.de
Cc: Simon Horman <horms@kernel.org>,
kuba@kernel.org, opendmb@gmail.com, arnd@arndb.de,
hkallweit1@gmail.com, florian.fainelli@broadcom.com,
bhargava.marreddy@broadcom.com,
bcm-kernel-feedback-list@broadcom.com, edumazet@google.com,
andrew+netdev@lunn.ch, pabeni@redhat.com,
mbloch@rooftopnetworks.de, netdev@vger.kernel.org,
davem@davemloft.net, rajashekar.hudumula@broadcom.com,
linux-kernel@vger.kernel.org, ebiggers@kernel.org,
vikas.gupta@broadcom.com
Subject: Re: [net-next,v2,4/6] net: bcmgenet: add XDP_TX support
Date: Tue, 17 Mar 2026 16:20:30 +0000 [thread overview]
Message-ID: <20260317162030.1759004-1-horms@kernel.org> (raw)
In-Reply-To: <20260315214914.1555777-5-nb@tipi-net.de>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
net: bcmgenet: add XDP_TX support
Implement XDP_TX using ring 16 (DESC_INDEX), the hardware default
descriptor ring, dedicated to XDP TX for isolation from SKB TX queues.
Ring 16 gets 32 BDs carved from ring 0's allocation. TX completion is
piggybacked on RX NAPI poll since ring 16's INTRL2_1 bit collides with
RX ring 0, similar to how bnxt, ice, and other XDP drivers handle TX
completion within the RX poll path.
> diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
> index f6a2567af7cb..922895bc7461 100644
> --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
> +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
[ ... ]
> @@ -3637,6 +3782,7 @@ static void bcmgenet_timeout(struct net_device *dev, unsigned int txqueue)
>
> for (q = 0; q <= priv->hw_params->tx_queues; q++)
> bcmgenet_dump_tx_queue(&priv->tx_rings[q]);
> + bcmgenet_dump_tx_queue(&priv->tx_rings[DESC_INDEX]);
Does this trigger an out-of-bounds array access?
Looking at bcmgenet_dump_tx_queue():
static void bcmgenet_dump_tx_queue(struct bcmgenet_tx_ring *ring)
{
...
struct netdev_queue *txq = netdev_get_tx_queue(priv->dev, ring->index);
...
}
For the XDP TX ring, ring->index is DESC_INDEX (16), so this calls
netdev_get_tx_queue(priv->dev, 16). But the device only has 5 TX queues
(indices 0-4), allocated via alloc_etherdev_mqs() with GENET_MAX_MQ_CNT+1=5.
This means the code accesses dev->_tx[16] which is beyond the allocated
array, and the returned txq pointer points to memory past the array. This
is then dereferenced by netif_tx_queue_stopped(txq) which reads txq->state
from invalid memory.
In debug builds this triggers DEBUG_NET_WARN_ON_ONCE, and it could crash or
corrupt data.
next prev parent reply other threads:[~2026-03-17 16:20 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-15 21:49 [PATCH net-next v2 0/6] net: bcmgenet: add XDP support Nicolai Buchwitz
2026-03-15 21:49 ` [PATCH net-next v2 1/6] net: bcmgenet: convert RX path to page_pool Nicolai Buchwitz
2026-03-15 21:49 ` [PATCH net-next v2 2/6] net: bcmgenet: register xdp_rxq_info for each RX ring Nicolai Buchwitz
2026-03-15 21:49 ` [PATCH net-next v2 3/6] net: bcmgenet: add basic XDP support (PASS/DROP) Nicolai Buchwitz
2026-03-17 16:19 ` [net-next,v2,3/6] " Simon Horman
2026-03-17 19:27 ` Nicolai Buchwitz
2026-03-15 21:49 ` [PATCH net-next v2 4/6] net: bcmgenet: add XDP_TX support Nicolai Buchwitz
2026-03-17 16:20 ` Simon Horman [this message]
2026-03-17 19:25 ` [net-next,v2,4/6] " Nicolai Buchwitz
2026-03-15 21:49 ` [PATCH net-next v2 5/6] net: bcmgenet: add XDP_REDIRECT and ndo_xdp_xmit support Nicolai Buchwitz
2026-03-15 21:49 ` [PATCH net-next v2 6/6] net: bcmgenet: add XDP statistics counters Nicolai Buchwitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260317162030.1759004-1-horms@kernel.org \
--to=horms@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=arnd@arndb.de \
--cc=bcm-kernel-feedback-list@broadcom.com \
--cc=bhargava.marreddy@broadcom.com \
--cc=davem@davemloft.net \
--cc=ebiggers@kernel.org \
--cc=edumazet@google.com \
--cc=florian.fainelli@broadcom.com \
--cc=hkallweit1@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mbloch@rooftopnetworks.de \
--cc=nb@tipi-net.de \
--cc=netdev@vger.kernel.org \
--cc=opendmb@gmail.com \
--cc=pabeni@redhat.com \
--cc=rajashekar.hudumula@broadcom.com \
--cc=vikas.gupta@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox