If page_offset is == num_pages then we end up reading beyond the end of obj->pages[].
Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Static analysis. Not tested.
diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c index c64a85950c82..0e5620f76ee0 100644 --- a/drivers/gpu/drm/vgem/vgem_drv.c +++ b/drivers/gpu/drm/vgem/vgem_drv.c @@ -74,7 +74,7 @@ static vm_fault_t vgem_gem_fault(struct vm_fault *vmf)
num_pages = DIV_ROUND_UP(obj->base.size, PAGE_SIZE);
- if (page_offset > num_pages) + if (page_offset >= num_pages) return VM_FAULT_SIGBUS;
mutex_lock(&obj->pages_lock);
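Review bot: The note under the `---` says this comes from static analysis and was not tested, so the new `page_offset >= num_pages` comparison in vgem_gem_fault() deserves a quick runtime check before it is picked up for stable via the Fixes tag. The comparison itself looks right: num_pages is a count computed with DIV_ROUND_UP(obj->base.size, PAGE_SIZE), so the last valid index into obj->pages[] is num_pages - 1 and an offset equal to num_pages has to take the VM_FAULT_SIGBUS path. A test that maps an object and touches its final page would confirm that the last valid page still faults in normally after the change. It would also help to note in the commit message that the check runs before mutex_lock(&obj->pages_lock) and that this is safe only if obj->base.size cannot change once the object exists.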
On Tue, Jul 03, 2018 at 03:29:21PM +0300, Dan Carpenter wrote:
Applied, thanks.
-Daniel
dri-devel@lists.freedesktop.org