From 6765bd6dd28eb3c087e5011a2944c00872dd5906 Mon Sep 17 00:00:00 2001 From: Jani Nikula Date: Thu, 14 Jan 2016 17:12:07 +0200 Subject: [PATCH] drm/i915/bios: Fix the sequence size calculations for MIPI seq v3 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Two errors in a single line. The size was read from the wrong offset, and the end index didn't take the five bytes for sequence byte and size of sequence into account. Fix it all, and break up the calculations a bit to make it clearer. Cc: Ville Syrjälä Reported-and-tested-by: Mika Kahola Reviewed-by: Ville Syrjälä Fixes: 2a33d93486f2 ("drm/i915/bios: add support for MIPI sequence block v3") Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/1452784327-27258-1-git-send-email-jani.nikula@intel.com --- drivers/gpu/drm/i915/intel_bios.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c index 12e2f8b8bf9c..bf62a19c8f69 100644 --- a/drivers/gpu/drm/i915/intel_bios.c +++ b/drivers/gpu/drm/i915/intel_bios.c @@ -842,6 +842,7 @@ static int goto_next_sequence_v3(const u8 *data, int index, int total) { int seq_end; u16 len; + u32 size_of_sequence; /* * Could skip sequence based on Size of Sequence alone, but also do some @@ -852,14 +853,24 @@ static int goto_next_sequence_v3(const u8 *data, int index, int total) return 0; } - seq_end = index + *((const u32 *)(data + 1)); + /* Skip Sequence Byte. */ + index++; + + /* + * Size of Sequence. Excludes the Sequence Byte and the size itself, + * includes MIPI_SEQ_ELEM_END byte, excludes the final MIPI_SEQ_END + * byte. + */ + size_of_sequence = *((const uint32_t *)(data + index)); + index += 4; + + seq_end = index + size_of_sequence; if (seq_end > total) { DRM_ERROR("Invalid sequence size\n"); return 0; } - /* Skip Sequence Byte and Size of Sequence. */ - for (index = index + 5; index < total; index += len) { + for (; index < total; index += len) { u8 operation_byte = *(data + index); index++; -- 2.20.1