| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Tue, 3 Jul 2018 15:30:56 +0300 |
| Subject: drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() |
| |
| commit 7f073d011f93e92d4d225526b9ab6b8b0bbd6613 upstream. |
| |
| The bo array has req->nr_buffers elements so the > should be >= so we |
| don't read beyond the end of the array. |
| |
| Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Ben Skeggs <bskeggs@redhat.com> |
| [bwh: Backported to 3.16: adjust context] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/gpu/drm/nouveau/nouveau_gem.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/gpu/drm/nouveau/nouveau_gem.c |
| +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c |
| @@ -613,7 +613,7 @@ nouveau_gem_pushbuf_reloc_apply(struct n |
| struct nouveau_bo *nvbo; |
| uint32_t data; |
| |
| - if (unlikely(r->bo_index > req->nr_buffers)) { |
| + if (unlikely(r->bo_index >= req->nr_buffers)) { |
| NV_ERROR(cli, "reloc bo index invalid\n"); |
| ret = -EINVAL; |
| break; |
| @@ -623,7 +623,7 @@ nouveau_gem_pushbuf_reloc_apply(struct n |
| if (b->presumed.valid) |
| continue; |
| |
| - if (unlikely(r->reloc_bo_index > req->nr_buffers)) { |
| + if (unlikely(r->reloc_bo_index >= req->nr_buffers)) { |
| NV_ERROR(cli, "reloc container bo index invalid\n"); |
| ret = -EINVAL; |
| break; |