On Fri, Dec 21, 2012 at 10:15:48AM +1000, Ben Skeggs wrote:
> On Thu, Dec 20, 2012 at 11:37:12PM +0100, Marcin Slusarz wrote:
> > When hash collision occurs and it's near ramht object boundary, we could
> > read and possibly overwrite some memory after ramht object.
> >
> > Signed-off-by: Marcin Slusarz <marcin.slus...@gmail.com>
> > Cc: sta...@vger.kernel.org
> > ---
> >  drivers/gpu/drm/nouveau/core/core/ramht.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/nouveau/core/core/ramht.c
> > b/drivers/gpu/drm/nouveau/core/core/ramht.c
> > index 86a6404..6da314c 100644
> > --- a/drivers/gpu/drm/nouveau/core/core/ramht.c
> > +++ b/drivers/gpu/drm/nouveau/core/core/ramht.c
> > @@ -59,7 +59,7 @@ nouveau_ramht_insert(struct nouveau_ramht *ramht, int
> > chid,
> >  }
> >
> >  co += 8;
> > - if (co >= nv_gpuobj(ramht)->size)
> > + if (co + 8 > nv_gpuobj(ramht)->size)
> I might just be really tired, but, how exactly is the original wrong?
> The original could even just be (co == size) and still work correctly as
> far as I can tell.
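Review bot: the replacement condition `co + 8 > nv_gpuobj(ramht)->size` behaves differently from `co >= nv_gpuobj(ramht)->size` only when `co` or the object size is not a multiple of 8; since `co` is stepped by `co += 8` from a hash-derived start and, per the reply in this thread, both the hash value and ramht->size are divisible by 8, the two checks wrap at exactly the same point (`co == size`) and the hunk changes nothing. If a misaligned `co` can actually occur, the commit message should say where it comes from; otherwise the alignment invariant is better recorded next to the check (a comment, or a `BUG_ON(nv_gpuobj(ramht)->size & 7)` style assertion) than encoded in a looser comparison.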
Ah, crap, I didn't see that both hash value and ramht->size are divisible by 8.
So the original code is correct (although it relies on the above) and my version
does not really fix anything.

Marcin
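The point the thread settles on, shown as an added example that is not nouveau code and not part of the original e-mail: a small model of the 8-byte-stepped probe loop compares the original wrap check (`co >= size`) with the proposed one (`co + 8 > size`). The function names, the fixed step count standing in for the real loop's `co != ho` termination, and the table sizes are assumptions made for illustration.

```c
/* Added example modelling the RAMHT wrap-around check discussed in the
 * thread. This is illustrative code, not drivers/gpu/drm/nouveau; the
 * names and sizes below are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ENTRY_BYTES 8u  /* one hash-table entry: two 32-bit words */

enum wrap_check {
	CHECK_GE_SIZE,      /* original:  if (co >= size)     co = 0; */
	CHECK_PLUS8_GT_SIZE /* proposed:  if (co + 8 > size)  co = 0; */
};

/* Advance one entry and apply the selected wrap check. */
static uint32_t next_offset(uint32_t co, uint32_t size, enum wrap_check kind)
{
	co += ENTRY_BYTES;
	if (kind == CHECK_GE_SIZE) {
		if (co >= size)
			co = 0;
	} else {
		if (co + ENTRY_BYTES > size)
			co = 0;
	}
	return co;
}

/* Ben's observation: for an 8-byte-multiple table size, both checks
 * produce the same next offset from every 8-aligned probe position. */
static bool checks_agree_for_aligned(uint32_t size)
{
	for (uint32_t co = 0; co < size; co += ENTRY_BYTES)
		if (next_offset(co, size, CHECK_GE_SIZE) !=
		    next_offset(co, size, CHECK_PLUS8_GT_SIZE))
			return false;
	return true;
}

/* Walk the table from `start` for two full passes (assumed stand-in for the
 * real loop's "until we are back at the hash slot" condition) and return the
 * highest exclusive byte offset an 8-byte read would touch. */
static uint32_t max_read_end(uint32_t start, uint32_t size, enum wrap_check kind)
{
	uint32_t co = start, end_max = 0;
	uint32_t steps = 2u * (size / ENTRY_BYTES);

	for (uint32_t i = 0; i < steps; i++) {
		uint32_t end = co + ENTRY_BYTES; /* read covers [co, co + 8) */
		if (end > end_max)
			end_max = end;
		co = next_offset(co, size, kind);
	}
	return end_max;
}

/* True if every read of the probe stays inside [0, size). */
static bool probe_stays_in_bounds(uint32_t start, uint32_t size, enum wrap_check kind)
{
	return max_read_end(start, size, kind) <= size;
}

int main(void)
{
	/* Aligned start (the real case, since the hash value is a multiple of 8). */
	printf("aligned size 32: checks agree = %d\n", checks_agree_for_aligned(32));
	printf("start 24, size 32, original check in bounds = %d\n",
	       probe_stays_in_bounds(24, 32, CHECK_GE_SIZE));

	/* Hypothetical misaligned start: the only situation where the patch
	 * would have made a difference. */
	printf("start 4, size 32, original check max end = %u\n",
	       max_read_end(4, 32, CHECK_GE_SIZE));
	printf("start 4, size 32, proposed check max end = %u\n",
	       max_read_end(4, 32, CHECK_PLUS8_GT_SIZE));
	return 0;
}
```

With an aligned start and an aligned size the two checks are indistinguishable, which is why the patch is a no-op; only a misaligned `co` (4 here) lets the original check read 8 bytes past a 32-byte table, and the model makes that the explicit precondition rather than something the comparison silently depends on.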