drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()

The bo array has req->nr_buffers elements so the > should be >= so we don't read beyond the end of the array. Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
author: Dan Carpenter <dan.carpenter@oracle.com> 2018-07-03 08:30:56 -0400
committer: Ben Skeggs <bskeggs@redhat.com> 2018-07-16 03:59:58 -0400
commit: 7f073d011f93e92d4d225526b9ab6b8b0bbd6613 (patch)
tree: ca32ac9414693e0f70b5199ae00bb544a973329b
parent: df0c97e2c7d06b4f3cc5855604af79fd1a964619 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index 300daee74209..e6ccafcb9c41 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -616,7 +616,7 @@ nouveau_gem_pushbuf_reloc_apply(struct nouveau_cli *cli,
                struct nouveau_bo *nvbo;
                uint32_t data;
-                if (unlikely(r->bo_index > req->nr_buffers)) {
+                if (unlikely(r->bo_index >= req->nr_buffers)) {
                        NV_PRINTK(err, cli, "reloc bo index invalid\n");
                        ret = -EINVAL;
                        break;
@@ -626,7 +626,7 @@ nouveau_gem_pushbuf_reloc_apply(struct nouveau_cli *cli,
                if (b->presumed.valid)
                        continue;
-                if (unlikely(r->reloc_bo_index > req->nr_buffers)) {
+                if (unlikely(r->reloc_bo_index >= req->nr_buffers)) {
                        NV_PRINTK(err, cli, "reloc container bo index invalid\n");
                        ret = -EINVAL;
                        break;
author	Dan Carpenter <dan.carpenter@oracle.com>	2018-07-03 08:30:56 -0400
committer	Ben Skeggs <bskeggs@redhat.com>	2018-07-16 03:59:58 -0400
commit	7f073d011f93e92d4d225526b9ab6b8b0bbd6613 (patch)
tree	ca32ac9414693e0f70b5199ae00bb544a973329b
parent	df0c97e2c7d06b4f3cc5855604af79fd1a964619 (diff)

diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c index 300daee74209..e6ccafcb9c41 100644 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -616,7 +616,7 @@ nouveau_gem_pushbuf_reloc_apply(struct nouveau_cli *cli,
616	struct nouveau_bo *nvbo;	616	struct nouveau_bo *nvbo;
617	uint32_t data;	617	uint32_t data;
618		618
619	if (unlikely(r->bo_index > req->nr_buffers)) {	619	if (unlikely(r->bo_index >= req->nr_buffers)) {
620	NV_PRINTK(err, cli, "reloc bo index invalid\n");	620	NV_PRINTK(err, cli, "reloc bo index invalid\n");
621	ret = -EINVAL;	621	ret = -EINVAL;
622	break;	622	break;
@@ -626,7 +626,7 @@ nouveau_gem_pushbuf_reloc_apply(struct nouveau_cli *cli,
626	if (b->presumed.valid)	626	if (b->presumed.valid)
627	continue;	627	continue;
628		628
629	if (unlikely(r->reloc_bo_index > req->nr_buffers)) {	629	if (unlikely(r->reloc_bo_index >= req->nr_buffers)) {
630	NV_PRINTK(err, cli, "reloc container bo index invalid\n");	630	NV_PRINTK(err, cli, "reloc container bo index invalid\n");
631	ret = -EINVAL;	631	ret = -EINVAL;
632	break;	632	break;