On Tue, Dec 07, 2021 at 02:21:46PM +0300, Dan Carpenter wrote:
> The "config.offset" comes from the user.  There needs to be a check to
> prevent it being out of bounds.  The "config.offset" and
> "dev->config_size" variables are both type u32.  So if the offset is
> out of bounds then the "dev->config_size - config.offset" subtraction
> results in a very high u32 value.
>
> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> v2: version 1 had a reversed if statement

Xie Yongji pointed out that vhost_vdpa_config_validate() had a similar
issue so I'll send a v3.

regards,
dan carpenter
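The u32 wrap described in the quoted commit message, as an added userspace example that is not part of the original mail and is not the kernel code. The struct, the function names and the sample values are hypothetical; only the variable roles (a user-supplied offset and a device config size, both u32) come from the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a user-supplied config request. */
struct cfg_req {
    uint32_t offset;   /* user controlled */
    uint32_t length;   /* user controlled */
};

/* Bytes left after offset, computed in u32: wraps when offset > config_size. */
static uint32_t remaining_u32(uint32_t config_size, uint32_t offset)
{
    return config_size - offset;
}

/* Length-only validation: trusts the subtraction, so a wrapped
 * "remaining" value lets an out-of-bounds offset through. */
static bool range_ok_length_only(uint32_t config_size, const struct cfg_req *r)
{
    return r->length != 0 && r->length <= remaining_u32(config_size, r->offset);
}

/* Validation with the offset bounded first, so the subtraction cannot wrap. */
static bool range_ok_checked(uint32_t config_size, const struct cfg_req *r)
{
    if (r->offset > config_size)
        return false;
    return r->length != 0 && r->length <= config_size - r->offset;
}

int main(void)
{
    const uint32_t config_size = 64;              /* constructed sample size */
    const struct cfg_req reqs[] = {
        { 60, 4 },    /* last four bytes: valid */
        { 60, 5 },    /* runs one byte past the end */
        { 100, 16 },  /* offset itself out of bounds */
    };

    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("offset=%u length=%u remaining=0x%08x length_only=%d checked=%d\n",
               (unsigned)reqs[i].offset, (unsigned)reqs[i].length,
               (unsigned)remaining_u32(config_size, reqs[i].offset),
               range_ok_length_only(config_size, &reqs[i]),
               range_ok_checked(config_size, &reqs[i]));
    return 0;
}
```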