From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 29 Jun 2021 11:25:13 +0300
Subject: gve: DQO: Fix off by one in gve_rx_dqo()
Patch-mainline: v5.14-rc1
Git-commit: ecd89c02da85f724a2d24bc5a7e28043cc24b5d7
References: bsc#1176940

The rx->dqo.buf_states[] array is allocated in gve_rx_alloc_ring_dqo()
and it has rx->dqo.num_buf_states so this > needs to be >= to prevent an
out of bounds access.

Fixes: 9b8dd5e5ea48 ("gve: DQO: Add RX path")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
 drivers/net/ethernet/google/gve/gve_rx_dqo.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
@@ -525,7 +525,7 @@ static int gve_rx_dqo(struct napi_struct
 	struct gve_priv *priv = rx->gve;
 	u16 buf_len;
 
-	if (unlikely(buffer_id > rx->dqo.num_buf_states)) {
+	if (unlikely(buffer_id >= rx->dqo.num_buf_states)) {
 		net_err_ratelimited("%s: Invalid RX buffer_id=%u\n",
 				    priv->dev->name, buffer_id);
 		return -EINVAL;
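
Review bot: The net_err_ratelimited() message in the rejected branch prints only buffer_id, so a log line from the boundary case (buffer_id equal to rx->dqo.num_buf_states) does not show that the value was exactly one past the end of buf_states[]; consider printing rx->dqo.num_buf_states alongside it. The comparison itself is right: with num_buf_states entries the valid indexes are 0 through num_buf_states - 1, so >= is the correct rejection test. It is also worth checking whether any other index into rx->dqo.buf_states[] in this file is guarded with the same > pattern.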