From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 29 Jun 2021 08:25:13 +0000 (+0300)
Subject: gve: DQO: Fix off by one in gve_rx_dqo()
X-Git-Tag: howlett/maple/20220722_2~2864^2~3
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=ecd89c02da85f724a2d24bc5a7e28043cc24b5d7;p=users%2Fjedix%2Flinux-maple.git

gve: DQO: Fix off by one in gve_rx_dqo()

The rx->dqo.buf_states[] array is allocated in gve_rx_alloc_ring_dqo()
and it has rx->dqo.num_buf_states so this > needs to >= to prevent an
out of bounds access.

Fixes: 9b8dd5e5ea48 ("gve: DQO: Add RX path")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/drivers/net/ethernet/google/gve/gve_rx_dqo.c b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
index 8738db020061..77bb8227f89b 100644
--- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
@@ -525,7 +525,7 @@ static int gve_rx_dqo(struct napi_struct *napi, struct gve_rx_ring *rx,
 	struct gve_priv *priv = rx->gve;
 	u16 buf_len;
 
-	if (unlikely(buffer_id > rx->dqo.num_buf_states)) {
+	if (unlikely(buffer_id >= rx->dqo.num_buf_states)) {
 		net_err_ratelimited("%s: Invalid RX buffer_id=%u\n",
 				    priv->dev->name, buffer_id);
 		return -EINVAL;