drm: shmem: Off by one in drm_gem_shmem_fault()

The shmem->pages[] array has "num_pages" elements so the > should be >= to prevent reading beyond the end of the array. The shmem->pages[] array is allocated in drm_gem_shmem_prime_import_sg_table(). Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Eric Anholt <eric@anholt.net> Reviewed-by: Eric Anholt <eric@anholt.net> Link: https://patchwork.freedesktop.org/patch/msgid/20190322064125.GA12551@kadam
2019-03-22 09:41:25 +03:00 · 2019-03-22 09:41:25 +03:00 · 3a3fe6e766
commit 3a3fe6e766
parent 3051719af1
1 changed files with 1 additions and 1 deletions
--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
+++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
@ -408,7 +408,7 @@ static vm_fault_t drm_gem_shmem_fault(struct vm_fault *vmf)
 	loff_t num_pages = obj->size >> PAGE_SHIFT;
 	struct page *page;

-	if (vmf->pgoff > num_pages || WARN_ON_ONCE(!shmem->pages))
+	if (vmf->pgoff >= num_pages || WARN_ON_ONCE(!shmem->pages))
 		return VM_FAULT_SIGBUS;

 	page = shmem->pages[vmf->pgoff];