drm: shmem: Off by one in drm_gem_shmem_fault()

The shmem->pages[] array has "num_pages" elements so the > should be >= to prevent reading beyond the end of the array. The shmem->pages[] array is allocated in drm_gem_shmem_prime_import_sg_table(). Fixes: 2194a63 ("drm: Add library for shmem backed GEM objects") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Eric Anholt <eric@anholt.net> Reviewed-by: Eric Anholt <eric@anholt.net> Link: https://patchwork.freedesktop.org/patch/msgid/20190322064125.GA12551@kadam
mariux64 · Apr 1, 2019 · 3a3fe6e · 3a3fe6e
1 parent 3051719
commit 3a3fe6e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c
@@ -408,7 +408,7 @@ static vm_fault_t drm_gem_shmem_fault(struct vm_fault *vmf)
 	loff_t num_pages = obj->size >> PAGE_SHIFT;
 	struct page *page;
 
-	if (vmf->pgoff > num_pages || WARN_ON_ONCE(!shmem->pages))
+	if (vmf->pgoff >= num_pages || WARN_ON_ONCE(!shmem->pages))
 		return VM_FAULT_SIGBUS;
 
 	page = shmem->pages[vmf->pgoff];