[PATCH 06/24] drm/radeon: fix a critical bug in the SA code

From: j.glisse@gmail.com
To: dri-devel@lists.freedesktop.org
Cc: "Christian König" <deathsimple@vodafone.de>
Subject: [PATCH 06/24] drm/radeon: fix a critical bug in the SA code
Date: Wed, 25 Apr 2012 15:03:11 -0400	[thread overview]
Message-ID: <1335380609-5804-7-git-send-email-j.glisse@gmail.com> (raw)
In-Reply-To: <1335380609-5804-1-git-send-email-j.glisse@gmail.com>

From: Christian König <deathsimple@vodafone.de>

Aligning offset can make it bigger than tmp->offset
leading to an overrun bug in the following subtraction.

Signed-off-by: Christian König <deathsimple@vodafone.de>
---
 drivers/gpu/drm/radeon/radeon_sa.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c
index 4cce47e..8fbfe69 100644
--- a/drivers/gpu/drm/radeon/radeon_sa.c
+++ b/drivers/gpu/drm/radeon/radeon_sa.c
@@ -150,7 +150,7 @@ int radeon_sa_bo_new(struct radeon_device *rdev,
 	offset = 0;
 	list_for_each_entry(tmp, &sa_manager->sa_bo, list) {
 		/* room before this object ? */
-		if ((tmp->offset - offset) >= size) {
+		if (offset < tmp->offset && (tmp->offset - offset) >= size) {
 			head = tmp->list.prev;
 			goto out;
 		}
-- 
1.7.7.6

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
