[PATCH] vduse: Fix off by one in vduse_dev_mmap()

From: Dan Carpenter
Date: Tue Feb 27 2024 - 10:22:21 EST

Next message: Jonathan Bergh: "[PATCH] staging: gdm724x: Remove spurious whitespace in macro definition and tidy up defines"
Previous message: Zi Yan: "Re: [PATCH] mm/huge_memory: fix swap entry values of tail pages of THP"
Next in thread: Michael S. Tsirkin: "Re: [PATCH] vduse: Fix off by one in vduse_dev_mmap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The dev->vqs[] array has "dev->vq_num" elements. It's allocated in
vduse_dev_init_vqs(). Thus, this > comparison needs to be >= to avoid
reading one element beyond the end of the array.

Fixes: 316ecd1346b0 ("vduse: Add file operation for mmap")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/vdpa/vdpa_user/vduse_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index b7a1fb88c506..9150c8281953 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -1532,7 +1532,7 @@ static int vduse_dev_mmap(struct file *file, struct vm_area_struct *vma)
if ((vma->vm_flags & VM_SHARED) == 0)
return -EINVAL;

- if (index > dev->vq_num)
+ if (index >= dev->vq_num)
return -EINVAL;

vq = dev->vqs[index];
--
2.43.0

Next message: Jonathan Bergh: "[PATCH] staging: gdm724x: Remove spurious whitespace in macro definition and tidy up defines"
Previous message: Zi Yan: "Re: [PATCH] mm/huge_memory: fix swap entry values of tail pages of THP"
Next in thread: Michael S. Tsirkin: "Re: [PATCH] vduse: Fix off by one in vduse_dev_mmap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]