gve: DQO: Fix off by one in gve_rx_dqo()

The rx->dqo.buf_states[] array is allocated in gve_rx_alloc_ring_dqo()
and it has rx->dqo.num_buf_states so this > needs to >= to prevent an
out of bounds access.

Fixes: 9b8dd5e5ea48 ("gve: DQO: Add RX path")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/ethernet/google/gve/gve_rx_dqo.c b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
index 8738db0..77bb822 100644 (file)
--- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
@@ -525,7 +525,7 @@ static int gve_rx_dqo(struct napi_struct *napi, struct gve_rx_ring *rx,
        struct gve_priv *priv = rx->gve;
        u16 buf_len;
 
-       if (unlikely(buffer_id > rx->dqo.num_buf_states)) {
+       if (unlikely(buffer_id >= rx->dqo.num_buf_states)) {
                net_err_ratelimited("%s: Invalid RX buffer_id=%u\n",
                                    priv->dev->name, buffer_id);
                return -EINVAL;