-rw-r--r--eurasia_km/services4/srvkm/env/linux/mmap.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/eurasia_km/services4/srvkm/env/linux/mmap.c b/eurasia_km/services4/srvkm/env/linux/mmap.c
index ab9a902..c31b83a 100644
--- a/eurasia_km/services4/srvkm/env/linux/mmap.c
+++ b/eurasia_km/services4/srvkm/env/linux/mmap.c
@@ -380,6 +380,7 @@ create_gem_wrapper(struct drm_device *dev, LinuxMemArea *psLinuxMemArea,
struct page **pages = NULL;
unsigned long paddr = 0;
int i, npages = PAGE_ALIGN(ui32ByteSize) / PAGE_SIZE;
+ int srcnpages;
/* from GEM buffer object point of view, we are either mapping
@@ -427,7 +428,18 @@ create_gem_wrapper(struct drm_device *dev, LinuxMemArea *psLinuxMemArea,
break;
case LINUX_MEM_AREA_ALLOC_PAGES:
pages = kmalloc(sizeof(pages) * npages, GFP_KERNEL);
- for (i = 0; i < npages; i++) {
+ /*
+ * The number of pages allocated at NewAllocPagesLinuxMemArea
+ * [eurasia_km/services4/srvkm/env/linux/mm.c] is stored in
+ * psLinuxMemArea->ui32ByteSize.
+ * However, the number of pages required is not at times the
+ * same as calculated in BM_GetVirtualSize.
+ *
+ * Its ok to allocate a bigger array of pages, but let's not
+ * try to access the source array beyond the array bounds.
+ */
+ srcnpages = PAGE_ALIGN(psLinuxMemArea->ui32ByteSize) / PAGE_SIZE;
+ for (i = 0; i < srcnpages; i++) {
pages[i] = psLinuxMemArea->uData.sPageList.ppsPageList[i + PHYS_TO_PFN(ui32ByteOffset)];
}
break;
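Review bot: The new bound `srcnpages` only protects the source array when `ui32ByteOffset` is zero, and it is never compared with `npages`, so both arrays in the `LINUX_MEM_AREA_ALLOC_PAGES` loop can still be overrun. The read index is `i + PHYS_TO_PFN(ui32ByteOffset)`, which runs past the end of `ppsPageList` for any non-zero offset, and `pages` holds only `npages` entries, so `srcnpages > npages` would write past the kmalloc'd buffer. I would subtract the offset and clamp the loop: `srcnpages = PAGE_ALIGN(psLinuxMemArea->ui32ByteSize) / PAGE_SIZE - PHYS_TO_PFN(ui32ByteOffset);` and `for (i = 0; i < min(npages, srcnpages); i++) {`. When `srcnpages < npages` the tail of `pages` stays uninitialised and the `kmalloc` result is unchecked; if code outside this hunk consumes all `npages` entries (not visible here), `kcalloc` plus a NULL check would be safer. create_gem_wrapper's body continues outside the hunk.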