Commit cd025c1e authored Jan 19, 2026 by Eugenio Pérez Committed by Michael S. Tsirkin Jan 28, 2026

vhost: move vdpa group bound check to vhost_vdpa



Remove duplication by consolidating these here.  This reduces the
posibility of a parent driver missing them.

While we're at it, fix a bug in vdpa_sim where a valid ASID can be
assigned to a group equal to ngroups, causing an out of bound write.

Cc: stable@vger.kernel.org
Fixes: bda324fd ("vdpasim: control virtqueue support")
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260119143306.1818855-2-eperezma@redhat.com>

parent 74bc5f69

drivers/vdpa/mlx5/net/mlx5_vnet.c

+0 −3

Original line number	Diff line number	Diff line
		@@ -3640,9 +3640,6 @@ static int mlx5_set_group_asid(struct vdpa_device *vdev, u32 group,
		struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
		int err = 0;

		if (group >= MLX5_VDPA_NUMVQ_GROUPS)
		return -EINVAL;

		mvdev->mres.group2asid[group] = asid;

		mutex_lock(&mvdev->mres.lock);

drivers/vdpa/vdpa_sim/vdpa_sim.c

+0 −6

Original line number	Diff line number	Diff line
		@@ -606,12 +606,6 @@ static int vdpasim_set_group_asid(struct vdpa_device *vdpa, unsigned int group,
		struct vhost_iotlb *iommu;
		int i;

		if (group > vdpasim->dev_attr.ngroups)
		return -EINVAL;

		if (asid >= vdpasim->dev_attr.nas)
		return -EINVAL;

		iommu = &vdpasim->iommu[asid];

		mutex_lock(&vdpasim->mutex);

drivers/vhost/vdpa.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -680,7 +680,7 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd,
		case VHOST_VDPA_SET_GROUP_ASID:
		if (copy_from_user(&s, argp, sizeof(s)))
		return -EFAULT;
		if (s.num >= vdpa->nas)
		if (idx >= vdpa->ngroups \|\| s.num >= vdpa->nas)
		return -EINVAL;
		if (!ops->set_group_asid)
		return -EOPNOTSUPP;