In the Linux kernel, the following vulnerability has been resolved:
gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL

In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to unmap entries in the dma array.
This leads to two issues:

1. The dma array shares storage with tx_qpl_buf_ids (union). Interpreting buffer IDs as DMA addresses results in attempting to unmap incorrect memory locations.
2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed the size of the dma array, causing out-of-bounds access warnings (trace below is how we noticed this issue).

UBSAN: array-index-out-of-bounds in drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5
index 18 is out of range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')
Workqueue: gve gve_service_task [gve]
Call Trace:
 <TASK>
 dump_stack_lvl+0x33/0xa0
 __ubsan_handle_out_of_bounds+0xdc/0x110
 gve_tx_stop_ring_dqo+0x182/0x200 [gve]
 gve_close+0x1be/0x450 [gve]
 gve_reset+0x99/0x120 [gve]
 gve_service_task+0x61/0x100 [gve]
 process_scheduled_works+0x1e9/0x380

Fix this by properly checking for QPL mode and delegating to gve_free_tx_qpl_bufs() to reclaim the buffers.
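
A user-space model of the two issues and of the mode check, added here as an illustration; it is not the kernel's code or the actual patch. The struct, function names and the QPL capacity of 32 are assumptions; the dma array size of 18 comes from the UBSAN report above.

```c
#include <stdint.h>
#include <string.h>

#define DMA_SLOTS 18  /* size from the UBSAN report: 'dma_addr_t[18]' */
#define QPL_SLOTS 32  /* constructed capacity for this model */

/* Simplified model of a pending packet; not the driver's definition. */
struct pkt_model {
    union {
        uint64_t dma[DMA_SLOTS];           /* RDA: one mapped address per buffer */
        int16_t tx_qpl_buf_ids[QPL_SLOTS]; /* QPL: ids of 2K chunks */
    };
    uint16_t num_bufs;
};

struct cleanup_stats {
    int unmaps;    /* entries handed to the unmap step */
    int oob;       /* indices past the end of dma[] */
    int qpl_freed; /* buffer ids returned to the QPL free list */
};

/* Pre-fix behaviour: always walk dma[] num_bufs times. */
static struct cleanup_stats clean_rda_only(const struct pkt_model *p)
{
    struct cleanup_stats s = {0, 0, 0};
    for (int i = 0; i < p->num_bufs; i++) {
        if (i >= DMA_SLOTS) { s.oob++; continue; } /* model: count, do not touch */
        s.unmaps++; /* in QPL mode p->dma[i] is really four packed buffer ids */
    }
    return s;
}

/* Post-fix behaviour: QPL packets take the buffer-id path instead. */
static struct cleanup_stats clean_mode_aware(const struct pkt_model *p, int is_qpl)
{
    struct cleanup_stats s = {0, 0, 0};
    if (!is_qpl)
        return clean_rda_only(p);
    for (int i = 0; i < p->num_bufs && i < QPL_SLOTS; i++)
        if (p->tx_qpl_buf_ids[i] >= 0) s.qpl_freed++;
    return s;
}

/* Constructed sample: a QPL packet spanning n chunks with ids 0..n-1. */
static struct pkt_model make_qpl_pkt(uint16_t n)
{
    struct pkt_model p;
    memset(&p, 0, sizeof(p));
    for (uint16_t i = 0; i < n && i < QPL_SLOTS; i++) p.tx_qpl_buf_ids[i] = (int16_t)i;
    p.num_bufs = n;
    return p;
}
```
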
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23386.json"
}