drm/evdi: Fix possible OOB in evdi_gem_fault BUG=b:287203840 TEST=Various boards including sarien and trogdor Change-Id: I109172dba4d1143f3bb5bf0377f770022065e228 Signed-off-by: Łukasz Spintzyk <lukasz.spintzyk@synaptics.com> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/4883469 Reviewed-by: Dominik Behr <dbehr@chromium.org>

commit: e2e07a89da87b5327149dad416d87c51c2a57b38 [log] [tgz]
author: Łukasz Spintzyk <lukasz.spintzyk@synaptics.com> Thu Sep 07 06:25:08 2023
committer: Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> Wed Oct 04 07:07:04 2023
tree: 95827eb9bbf5e160b6119d66b5629a9805ca2fba
parent: bdd898e5832323eecd337ad8cf8caade71a4cc01 [diff]
diff --git a/drivers/gpu/drm/evdi/evdi_gem.c b/drivers/gpu/drm/evdi/evdi_gem.c
index f71e0d6..4322748 100644
--- a/drivers/gpu/drm/evdi/evdi_gem.c
+++ b/drivers/gpu/drm/evdi/evdi_gem.c

@@ -126,13 +126,14 @@
 {
 	struct evdi_gem_object *obj = to_evdi_bo(vma->vm_private_data);
 	struct page *page;
-	unsigned int page_offset;
+	pgoff_t page_offset;
+	loff_t num_pages = obj->base.size >> PAGE_SHIFT;
 	int ret = 0;
 
 	page_offset = ((unsigned long)vmf->virtual_address - vma->vm_start) >>
 	    PAGE_SHIFT;
 
-	if (!obj->pages)
+	if (!obj->pages || page_offset >= num_pages)
 		return VM_FAULT_SIGBUS;
 
 	page = obj->pages[page_offset];
commit	e2e07a89da87b5327149dad416d87c51c2a57b38	[log] [tgz]
author	Łukasz Spintzyk <lukasz.spintzyk@synaptics.com>	Thu Sep 07 06:25:08 2023
committer	Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>	Wed Oct 04 07:07:04 2023
tree	95827eb9bbf5e160b6119d66b5629a9805ca2fba
parent	bdd898e5832323eecd337ad8cf8caade71a4cc01 [diff]