drm/nouveau/bios/bitP: check that table is long enough for optional pointers

Fixes OOB VBIOS accesses on some boards.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

drivers/gpu/drm/nouveau/nvkm/subdev/bios/boost.c

@@ -33,7 +33,7 @@ nvbios_boostTe(struct nvkm_bios *bios,
 	u32 boost = 0;
 
 	if (!bit_entry(bios, 'P', &bit_P)) {
-		if (bit_P.version == 2)
+		if (bit_P.version == 2 && bit_P.length >= 0x34)
 			boost = nvbios_rd32(bios, bit_P.offset + 0x30);
 
 		if (boost) {

drivers/gpu/drm/nouveau/nvkm/subdev/bios/cstep.c

@@ -33,7 +33,7 @@ nvbios_cstepTe(struct nvkm_bios *bios,
 	u32 cstep = 0;
 
 	if (!bit_entry(bios, 'P', &bit_P)) {
-		if (bit_P.version == 2)
+		if (bit_P.version == 2 && bit_P.length >= 0x38)
 			cstep = nvbios_rd32(bios, bit_P.offset + 0x34);
 
 		if (cstep) {

drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c

@@ -32,7 +32,7 @@ nvbios_fan_table(struct nvkm_bios *bios, u8 *ver, u8 *hdr, u8 *cnt, u8 *len)
 	u32 fan = 0;
 
 	if (!bit_entry(bios, 'P', &bit_P)) {
-		if (bit_P.version == 2 && bit_P.length >= 0x5a)
+		if (bit_P.version == 2 && bit_P.length >= 0x5c)
 			fan = nvbios_rd32(bios, bit_P.offset + 0x58);
 
 		if (fan) {

drivers/gpu/drm/nouveau/nvkm/subdev/bios/power_budget.c

@@ -33,7 +33,7 @@ nvbios_power_budget_table(struct nvkm_bios *bios, u8 *ver, u8 *hdr, u8 *cnt,
 	u32 power_budget;
 
 	if (bit_entry(bios, 'P', &bit_P) || bit_P.version != 2 ||
-	    bit_P.length < 0x2c)
+	    bit_P.length < 0x30)
 		return 0;
 
 	power_budget = nvbios_rd32(bios, bit_P.offset + 0x2c);

drivers/gpu/drm/nouveau/nvkm/subdev/bios/vpstate.c

@@ -31,7 +31,7 @@ nvbios_vpstate_offset(struct nvkm_bios *b)
 	struct bit_entry bit_P;
 
 	if (!bit_entry(b, 'P', &bit_P)) {
-		if (bit_P.version == 2)
+		if (bit_P.version == 2 && bit_P.length >= 0x3c)
 			return nvbios_rd32(b, bit_P.offset + 0x38);
 	}