Commit 95beb690 authored by Alex Deucher's avatar Alex Deucher Committed by Dave Airlie

drm/radeon/kms/atom: fix gpio i2c table overrun (v2)

The GPIO_I2C_INFO table does not always have
ATOM_MAX_SUPPORTED_DEVICE entries. Limit
the number of indices to the size of the
table.

Should fix Novell bug 589022.

v2: fix typo
Signed-off-by: default avatarAlex Deucher <alexdeucher@gmail.com>
Cc: Stable <stable@kernel.org>
Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
parent 57b54ea6
...@@ -69,16 +69,19 @@ static inline struct radeon_i2c_bus_rec radeon_lookup_i2c_gpio(struct radeon_dev ...@@ -69,16 +69,19 @@ static inline struct radeon_i2c_bus_rec radeon_lookup_i2c_gpio(struct radeon_dev
struct radeon_i2c_bus_rec i2c; struct radeon_i2c_bus_rec i2c;
int index = GetIndexIntoMasterTable(DATA, GPIO_I2C_Info); int index = GetIndexIntoMasterTable(DATA, GPIO_I2C_Info);
struct _ATOM_GPIO_I2C_INFO *i2c_info; struct _ATOM_GPIO_I2C_INFO *i2c_info;
uint16_t data_offset; uint16_t data_offset, size;
int i; int i, num_indices;
memset(&i2c, 0, sizeof(struct radeon_i2c_bus_rec)); memset(&i2c, 0, sizeof(struct radeon_i2c_bus_rec));
i2c.valid = false; i2c.valid = false;
if (atom_parse_data_header(ctx, index, NULL, NULL, NULL, &data_offset)) { if (atom_parse_data_header(ctx, index, &size, NULL, NULL, &data_offset)) {
i2c_info = (struct _ATOM_GPIO_I2C_INFO *)(ctx->bios + data_offset); i2c_info = (struct _ATOM_GPIO_I2C_INFO *)(ctx->bios + data_offset);
for (i = 0; i < ATOM_MAX_SUPPORTED_DEVICE; i++) { num_indices = (size - sizeof(ATOM_COMMON_TABLE_HEADER)) /
sizeof(ATOM_GPIO_I2C_ASSIGMENT);
for (i = 0; i < num_indices; i++) {
gpio = &i2c_info->asGPIO_Info[i]; gpio = &i2c_info->asGPIO_Info[i];
if (gpio->sucI2cId.ucAccess == id) { if (gpio->sucI2cId.ucAccess == id) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment