[Nouveau] [PATCH] drm/nouveau: fix ramht wraparound

Marcin Slusarz marcin.slusarz at gmail.com
Fri Dec 21 00:02:17 PST 2012


On Fri, Dec 21, 2012 at 10:15:48AM +1000, Ben Skeggs wrote:
> On Thu, Dec 20, 2012 at 11:37:12PM +0100, Marcin Slusarz wrote:
> > When a hash collision occurs and it's near the ramht object boundary, we could
> > read and possibly overwrite some memory after the ramht object.
> > 
> > Signed-off-by: Marcin Slusarz <marcin.slusarz at gmail.com>
> > Cc: stable at vger.kernel.org
> > ---
> >  drivers/gpu/drm/nouveau/core/core/ramht.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/nouveau/core/core/ramht.c b/drivers/gpu/drm/nouveau/core/core/ramht.c
> > index 86a6404..6da314c 100644
> > --- a/drivers/gpu/drm/nouveau/core/core/ramht.c
> > +++ b/drivers/gpu/drm/nouveau/core/core/ramht.c
> > @@ -59,7 +59,7 @@ nouveau_ramht_insert(struct nouveau_ramht *ramht, int chid,
> >  		}
> >  
> >  		co += 8;
> > -		if (co >= nv_gpuobj(ramht)->size)
> > +		if (co + 8 > nv_gpuobj(ramht)->size)
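Review bot: the replacement condition `co + 8 > nv_gpuobj(ramht)->size` is equivalent to the original `co >= nv_gpuobj(ramht)->size` whenever `co` and `size` are both multiples of 8, which the hunk's own `co += 8` step and the rest of the thread indicate is the case, so the change does not alter the bound it is meant to tighten. The commit message asserts a read and possible overwrite past the ramht object, but the hunk does not show a path by which `co` could exceed the original check; either document the 8-byte alignment invariant the original check relies on in a comment, or show where an unaligned `co` or `size` could originate so the stable tag is justified.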
> I might just be really tired, but, how exactly is the original wrong?
> The original could even just be (co == size) and still work correctly as
> far as I can tell.

Ah, crap, I didn't see that both the hash value and ramht->size are divisible by 8.
So the original code is correct (although it relies on the above) and my version
does not really fix anything.

Marcin

