drm/vgem: off by one in vgem_gem_fault()

Message ID	20180703122921.brlfxl4vx2ybvrd2@kili.mountain (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> Date: Tue, 3 Jul 2018 15:29:21 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: David Airlie <airlied@linux.ie>, Laura Abbott <labbott@redhat.com> Subject: [PATCH] drm/vgem: off by one in vgem_gem_fault() Message-ID: <20180703122921.brlfxl4vx2ybvrd2@kili.mountain> MIME-Version: 1.0 Content-Disposition: inline User-Agent: NeoMutt/20170113 (1.7.2) Precedence: list Cc: Matthew Wilcox <willy@infradead.org>, Daniel Vetter <daniel.vetter@ffwll.ch>, Brian Norris <briannorris@chromium.org>, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org, Cihangir Akturk <cakturk@gmail.com>, Souptick Joarder <jrdr.linux@gmail.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Message ID

20180703122921.brlfxl4vx2ybvrd2@kili.mountain (mailing list archive)

State

New, archived

Headers

Date: Tue, 3 Jul 2018 15:29:21 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: David Airlie <airlied@linux.ie>, Laura Abbott <labbott@redhat.com>
Subject: [PATCH] drm/vgem: off by one in vgem_gem_fault()
Message-ID: <20180703122921.brlfxl4vx2ybvrd2@kili.mountain>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: NeoMutt/20170113 (1.7.2)
Precedence: list
Cc: Matthew Wilcox <willy@infradead.org>,
	Daniel Vetter <daniel.vetter@ffwll.ch>,
	Brian Norris <briannorris@chromium.org>,
	kernel-janitors@vger.kernel.org, 
	dri-devel@lists.freedesktop.org, Cihangir Akturk <cakturk@gmail.com>, 
	Souptick Joarder <jrdr.linux@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

If page_offset is == num_pages then we end up reading beyond the end of obj->pages[]. Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- Static analysis. Not tested

Comments

Daniel Vetter July 3, 2018, 1:06 p.m. UTC | #1

On Tue, Jul 03, 2018 at 03:29:21PM +0300, Dan Carpenter wrote:
> If page_offset is == num_pages then we end up reading beyond the end of
> obj->pages[].
> 
> Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Static analysis.  Not tested

Applied, thanks.
-Daniel

> 
> diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
> index c64a85950c82..0e5620f76ee0 100644
> --- a/drivers/gpu/drm/vgem/vgem_drv.c
> +++ b/drivers/gpu/drm/vgem/vgem_drv.c
> @@ -74,7 +74,7 @@ static vm_fault_t vgem_gem_fault(struct vm_fault *vmf)
>  
>  	num_pages = DIV_ROUND_UP(obj->base.size, PAGE_SIZE);
>  
> -	if (page_offset > num_pages)
> +	if (page_offset >= num_pages)
>  		return VM_FAULT_SIGBUS;
>  
>  	mutex_lock(&obj->pages_lock);

diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
index c64a85950c82..0e5620f76ee0 100644
--- a/drivers/gpu/drm/vgem/vgem_drv.c
+++ b/drivers/gpu/drm/vgem/vgem_drv.c
@@ -74,7 +74,7 @@  static vm_fault_t vgem_gem_fault(struct vm_fault *vmf)
 
 	num_pages = DIV_ROUND_UP(obj->base.size, PAGE_SIZE);
 
-	if (page_offset > num_pages)
+	if (page_offset >= num_pages)
 		return VM_FAULT_SIGBUS;
 
 	mutex_lock(&obj->pages_lock);

drm/vgem: off by one in vgem_gem_fault()

Commit Message

Comments

Patch