Re: [PATCH v2] ibmvnic: fix OOB array access in ibmvnic_xmit on queue count reduction

Next message: Chunyu Hu: "[PATCH v8 1/6] selftests/mm/guard-regions: skip collapse test when thp not enabled"
Previous message: Gary Guo: "Re: [PATCH 13/33] rust: block: update `const_refs_to_static` MSRV TODO comment"
In reply to: Tyllis Xu: "[PATCH v2] ibmvnic: fix OOB array access in ibmvnic_xmit on queue count reduction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Wed Apr 01 2026 - 21:46:14 EST

On Wed, 1 Apr 2026 00:08:45 -0500 Tyllis Xu wrote:
> When the number of TX queues is reduced (e.g., via ethtool -L), the
> Qdisc layer retains previously enqueued skbs with queue mappings from
> before the reduction. After the reset completes and tx_queues_active is
> set to true, netif_tx_start_all_queues() drains these stale skbs through
> ibmvnic_xmit(). The queue index from skb_get_queue_mapping() may exceed
> the newly allocated array bounds, causing out-of-bounds reads on
> tx_scrq[] and tx_pool[]/tso_pool[].

This should not happen if the interface configures itself correctly, see
https://lore.kernel.org/all/20260106182244.7188a8f6@xxxxxxxxxx/

Please share are a repro if you have one.