From 96e8d9b85a09160c8878c7036ab2e0ceb1859541 Mon Sep 17 00:00:00 2001
From: rea
Date: Fri, 28 Nov 2014 12:14:59 +0000
Subject: [PATCH] DRM2: fix off-by-one overflow in ioctl processing

Call to the driver-specific ioctl used to process ioctl number that will lead to the out-of-bounds access to the ioctl handler array.

PR: 193367
Approved by: kib
MFC after: 1 week
---
 sys/dev/drm2/drm_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/dev/drm2/drm_drv.c b/sys/dev/drm2/drm_drv.c
index 81fcee3dbe7c..d86cbbd27ccc 100644
--- a/sys/dev/drm2/drm_drv.c
+++ b/sys/dev/drm2/drm_drv.c
@@ -905,7 +905,7 @@ int drm_ioctl(struct cdev *kdev, u_long cmd, caddr_t data, int flags,
 if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) {
 /* The array entries begin at DRM_COMMAND_BASE ioctl nr */
 nr -= DRM_COMMAND_BASE;
- if (nr > dev->driver->max_ioctl) {
+ if (nr >= dev->driver->max_ioctl) {
 DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n",
 nr, dev->driver->max_ioctl);
 return EINVAL;
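Review bot: Nothing near the corrected comparison records that `max_ioctl` is treated as an element count, which is the invariant the `>=` depends on and the one the old `>` got wrong. I would extend the existing comment above `nr -= DRM_COMMAND_BASE;` to say so, e.g. `/* max_ioctl is the number of entries in the driver's ioctl array, so valid indices are 0 .. max_ioctl - 1 */`. The check is only sufficient if every driver sets `max_ioctl` to the actual length of its handler table; that assignment is not visible in this hunk and is worth confirming for each driver. drm_ioctl starts before and continues past the hunk, so the array lookup this guards is not shown here.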