On Thu, Dec 20, 2012 at 11:37:12PM +0100, Marcin Slusarz wrote: > When hash collision occurs and it's near ramht object boundary, we could > read and possibly overwrite some memory after ramht object. > > Signed-off-by: Marcin Slusarz <marcin.slus...@gmail.com> > Cc: sta...@vger.kernel.org > --- > drivers/gpu/drm/nouveau/core/core/ramht.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/nouveau/core/core/ramht.c > b/drivers/gpu/drm/nouveau/core/core/ramht.c > index 86a6404..6da314c 100644 > --- a/drivers/gpu/drm/nouveau/core/core/ramht.c > +++ b/drivers/gpu/drm/nouveau/core/core/ramht.c > @@ -59,7 +59,7 @@ nouveau_ramht_insert(struct nouveau_ramht *ramht, int chid, > } > > co += 8; > - if (co >= nv_gpuobj(ramht)->size) > + if (co + 8 > nv_gpuobj(ramht)->size) I might just be really tired, but, how exactly is the original wrong? The original could even just be (co == size) and still work correctly as far as I can tell.
Ben. > co = 0; > } while (co != ho); > > -- > 1.8.0.2 > > _______________________________________________ > Nouveau mailing list > Nouveau@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/nouveau
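Review bot: The commit message does not say when the new wrap check after `co += 8`, `co + 8 > nv_gpuobj(ramht)->size`, behaves differently from the old `co >= nv_gpuobj(ramht)->size`. The loop advances in steps of 8, so if `co` and the object size are both multiples of 8 the two conditions wrap at the same offset and the old check never lets an entry straddle the end of the object. Please name in the message the case that breaks this (a size that is not a multiple of 8, or a starting offset `ho` that is not 8-aligned), and consider whether that case should instead be rejected where the size or the hash offset is computed.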