vdpasim: Off by one in vdpasim_set_group_asid()
authorDan Carpenter <dan.carpenter@oracle.com>
Mon, 23 May 2022 08:30:57 +0000 (11:30 +0300)
committerMichael S. Tsirkin <mst@redhat.com>
Tue, 31 May 2022 16:45:10 +0000 (12:45 -0400)
The > comparison needs to be >= to prevent an out of bounds access
of the vdpasim->iommu[] array.  The vdpasim->iommu[] is allocated in
vdpasim_create() and it has vdpasim->dev_attr.nas elements.

Fixes: 87e5afeac247 ("vdpasim: control virtqueue support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Message-Id: <YotGQU1q224RKZR8@kili>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
drivers/vdpa/vdpa_sim/vdpa_sim.c

index 50d721072beb9fd501426bc7f6646569262ee19d..0f28658996472b2306b721b0e2bd4b5c83d1fb37 100644 (file)
@@ -567,7 +567,7 @@ static int vdpasim_set_group_asid(struct vdpa_device *vdpa, unsigned int group,
        if (group > vdpasim->dev_attr.ngroups)
                return -EINVAL;
 
-       if (asid > vdpasim->dev_attr.nas)
+       if (asid >= vdpasim->dev_attr.nas)
                return -EINVAL;
 
        iommu = &vdpasim->iommu[asid];