iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

drm/radeon: fix a bug in the SA code

Browse Source 
Aligning offset can make it bigger than tmp->offset
leading to an overrun bug in the following subtraction.

v2: Against initial suspicions this can't happen in mainline,
    so no need to push it into stable.

Signed-off-by: Christian König <deathsimple@vodafone.de>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
This commit is contained in:
Christian König 2012-05-02 15:11:14 +02:00 committed by Dave Airlie
parent 36abacaed3
commit 96050bca22
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/gpu/drm/radeon/radeon_sa.c
View File

@ -150,7 +150,7 @@ int radeon_sa_bo_new(struct radeon_device *rdev,
offset = 0; offset = 0;
list_for_each_entry(tmp, &sa_manager->sa_bo, list) { list_for_each_entry(tmp, &sa_manager->sa_bo, list) {
/* room before this object ? */ /* room before this object ? */
if ((tmp->offset - offset) >= size) { if (offset < tmp->offset && (tmp->offset - offset) >= size) {
head = tmp->list.prev; head = tmp->list.prev;
goto out; goto out;
} }