VBT version 196 increased the size of common_child_dev_config. The parser code assumed that the size of this structure would not change. So now, instead of checking for smaller size, check that the VBT entry is not too large and memcpy only child_dev_size amount of data, leaving any trailing entries as zero. If this is not good enough for the future, we can always sprinkle extra version checks in there.
Signed-off-by: Antti Koskipaa <antti.koskipaa@xxxxxxxxxxxxxxx>
---
 drivers/gpu/drm/i915/intel_bios.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c
index 2ff9eb0..763a636 100644
--- a/drivers/gpu/drm/i915/intel_bios.c
+++ b/drivers/gpu/drm/i915/intel_bios.c
@@ -1022,10 +1022,15 @@ parse_device_mapping(struct drm_i915_private *dev_priv,
 DRM_DEBUG_KMS("No general definition block is found, no devices defined.\n");
 return;
 }
- if (p_defs->child_dev_size < sizeof(*p_child)) {
+ /* Historically, child_dev_size has to be at least 33 bytes in size. */
+ if (p_defs->child_dev_size < 33) {
 DRM_ERROR("General definiton block child device size is too small.\n");
 return;
 }
+ if (p_defs->child_dev_size > sizeof(*p_child)) {
+ DRM_ERROR("General definiton block child device size is too large.\n");
+ return;
+ }
 /* get the block size of general definitions */
 block_size = get_blocksize(p_defs);
 /* get the number of child device */
@@ -1070,7 +1075,7 @@ parse_device_mapping(struct drm_i915_private *dev_priv,
 child_dev_ptr = dev_priv->vbt.child_dev + count;
 count++;
- memcpy(child_dev_ptr, p_child, sizeof(*p_child));
+ memcpy(child_dev_ptr, p_child, p_defs->child_dev_size);
 }
 return;
 }
-- 
2.3.6
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/intel-gfx
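Review bot: The new lower bound in parse_device_mapping() is the bare literal `33`, and the comment above it does not say which structure layout those 33 bytes correspond to, so a reader cannot check that every field the parser later dereferences through `p_child` lies inside the accepted minimum. A named constant (name illustrative), e.g. `#define LEGACY_CHILD_DEVICE_CONFIG_SIZE 33`, with a comment naming the VBT layout it comes from, would make the bound auditable. Entries smaller than `sizeof(*p_child)` are now accepted for the first time, so the child count and the per-entry pointer must be derived from `p_defs->child_dev_size`. That code sits below the `/* get the number of child device */` context line, outside this hunk, so it should be confirmed that it does not still divide and step by `sizeof(*p_child)`, which would misalign every entry after the first in firmware-supplied data.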
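Review bot: The `memcpy` length now comes straight from the VBT (`p_defs->child_dev_size`), and the only thing keeping it within the destination element is the `> sizeof(*p_child)` rejection added in the first hunk, some fifty lines away. A comment at the copy would tie the two together, e.g. `/* child_dev_size <= sizeof(*p_child) was checked above; the tail of the entry stays zero */`. The zeroed tail that the commit message relies on depends on `dev_priv->vbt.child_dev` being allocated zero-filled, and the source side depends on `p_child + child_dev_size` staying inside the definitions block; neither is visible in this hunk, so both should be confirmed. The enclosing loop starts outside the hunk.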