drm/vgem: off by one in vgem_gem_fault()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If page_offset is == num_pages then we end up reading beyond the end of
obj->pages[].

Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180703122921.brlfxl4vx2ybvrd2@kili.mountain

authored by

Dan Carpenter and committed by

Daniel Vetter 7 years ago de10eba0 a1de8d0a

+1 -1

1 changed file

expand all

drivers

gpu

drm

vgem

vgem_drv.c

+1 -1

drivers/gpu/drm/vgem/vgem_drv.c

··· 74 74 75 75 num_pages = DIV_ROUND_UP(obj->base.size, PAGE_SIZE); 76 76 77 - if (page_offset > num_pages) 77 + if (page_offset >= num_pages) 78 78 return VM_FAULT_SIGBUS; 79 79 80 80 mutex_lock(&obj->pages_lock);