drm/radeon: fix a bug in the SA code

Aligning offset can make it bigger than tmp->offset
leading to an overrun bug in the following subtraction.

v2: Against initial suspicions this can't happen in mainline,
    so no need to push it into stable.

Signed-off-by: Christian König <deathsimple@vodafone.de>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c
index 4cce47e7dc0dd2b983b55c4d0cd5c4c65d7711ee..8fbfe69b7bcb51454edcf5b8907123d146f89e15 100644 (file)
--- a/drivers/gpu/drm/radeon/radeon_sa.c
+++ b/drivers/gpu/drm/radeon/radeon_sa.c
@@ -150,7 +150,7 @@ int radeon_sa_bo_new(struct radeon_device *rdev,
        offset = 0;
        list_for_each_entry(tmp, &sa_manager->sa_bo, list) {
                /* room before this object ? */
-               if ((tmp->offset - offset) >= size) {
+               if (offset < tmp->offset && (tmp->offset - offset) >= size) {
                        head = tmp->list.prev;
                        goto out;
                }