When a hash collision occurs and it's near the ramht object boundary, we could read and possibly overwrite some memory after the ramht object.
Signed-off-by: Marcin Slusarz <[email protected]> Cc: [email protected] --- drivers/gpu/drm/nouveau/core/core/ramht.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/core/core/ramht.c b/drivers/gpu/drm/nouveau/core/core/ramht.c index 86a6404..6da314c 100644 --- a/drivers/gpu/drm/nouveau/core/core/ramht.c +++ b/drivers/gpu/drm/nouveau/core/core/ramht.c @@ -59,7 +59,7 @@ nouveau_ramht_insert(struct nouveau_ramht *ramht, int chid, } co += 8; - if (co >= nv_gpuobj(ramht)->size) + if (co + 8 > nv_gpuobj(ramht)->size) co = 0; } while (co != ho); -- 1.8.0.2 _______________________________________________ Nouveau mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/nouveau
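Review bot: the commit message should state which condition makes the old test in nouveau_ramht_insert() insufficient, because for an offset that advances by `co += 8` from an 8-aligned start, with an object size that is a multiple of 8, `co >= nv_gpuobj(ramht)->size` and `co + 8 > nv_gpuobj(ramht)->size` wrap at the same point. The new form only differs when the size is not a multiple of the 8-byte entry or the starting offset is unaligned, so please say which of these occurs. If it is an unaligned start, note that wrapping to 0 can then never reach `co != ho` as a terminating value, so the loop needs a separate guard. The check also sits after the slot has been probed (it is the tail of the do/while), so the first offset is not covered by this hunk; validating `ho + 8 <= size` before entering the loop would close that. A named constant for the entry size instead of the repeated literal 8 would make the intent of `co + 8` clearer.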
