Commit ae092b69 authored by Dan Carpenter's avatar Dan Carpenter Committed by Kleber Sacilotto de Souza

drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()

BugLink: https://bugs.launchpad.net/bugs/1792377

[ Upstream commit 7f073d01 ]

The bo array has req->nr_buffers elements so the > should be >= so we
don't read beyond the end of the array.

Fixes: a1606a95 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 2a41beb6
...@@ -602,7 +602,7 @@ nouveau_gem_pushbuf_reloc_apply(struct nouveau_cli *cli, ...@@ -602,7 +602,7 @@ nouveau_gem_pushbuf_reloc_apply(struct nouveau_cli *cli,
struct nouveau_bo *nvbo; struct nouveau_bo *nvbo;
uint32_t data; uint32_t data;
if (unlikely(r->bo_index > req->nr_buffers)) { if (unlikely(r->bo_index >= req->nr_buffers)) {
NV_PRINTK(err, cli, "reloc bo index invalid\n"); NV_PRINTK(err, cli, "reloc bo index invalid\n");
ret = -EINVAL; ret = -EINVAL;
break; break;
...@@ -612,7 +612,7 @@ nouveau_gem_pushbuf_reloc_apply(struct nouveau_cli *cli, ...@@ -612,7 +612,7 @@ nouveau_gem_pushbuf_reloc_apply(struct nouveau_cli *cli,
if (b->presumed.valid) if (b->presumed.valid)
continue; continue;
if (unlikely(r->reloc_bo_index > req->nr_buffers)) { if (unlikely(r->reloc_bo_index >= req->nr_buffers)) {
NV_PRINTK(err, cli, "reloc container bo index invalid\n"); NV_PRINTK(err, cli, "reloc container bo index invalid\n");
ret = -EINVAL; ret = -EINVAL;
break; break;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment