This is a note to let you know that I've just added the patch titled drm/radeon: fix handling of variable sized arrays for router objects to the 3.11-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: drm-radeon-fix-handling-of-variable-sized-arrays-for-router-objects.patch and it can be found in the queue-3.11 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From fb93df1c2d8b3b1fb16d6ee9e32554e0c038815d Mon Sep 17 00:00:00 2001 From: Alex Deucher <alexander.deucher@xxxxxxx> Date: Tue, 27 Aug 2013 12:36:01 -0400 Subject: drm/radeon: fix handling of variable sized arrays for router objects From: Alex Deucher <alexander.deucher@xxxxxxx> commit fb93df1c2d8b3b1fb16d6ee9e32554e0c038815d upstream. The table has the following format: typedef struct _ATOM_SRC_DST_TABLE_FOR_ONE_OBJECT //usSrcDstTableOffset pointing to this structure { UCHAR ucNumberOfSrc; USHORT usSrcObjectID[1]; UCHAR ucNumberOfDst; USHORT usDstObjectID[1]; }ATOM_SRC_DST_TABLE_FOR_ONE_OBJECT; usSrcObjectID[] and usDstObjectID[] are variably sized, so we can't access them directly. Use pointers and update the offset appropriately when accessing the Dst members. Signed-off-by: Alex Deucher <alexander.deucher@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/gpu/drm/radeon/radeon_atombios.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/drivers/gpu/drm/radeon/radeon_atombios.c +++ b/drivers/gpu/drm/radeon/radeon_atombios.c @@ -711,13 +711,16 @@ bool radeon_get_atom_connector_info_from (ATOM_SRC_DST_TABLE_FOR_ONE_OBJECT *) (ctx->bios + data_offset + le16_to_cpu(router_obj->asObjects[k].usSrcDstTableOffset)); + u8 *num_dst_objs = (u8 *) + ((u8 *)router_src_dst_table + 1 + + (router_src_dst_table->ucNumberOfSrc * 2)); + u16 *dst_objs = (u16 *)(num_dst_objs + 1); int enum_id; router.router_id = router_obj_id; - for (enum_id = 0; enum_id < router_src_dst_table->ucNumberOfDst; - enum_id++) { + for (enum_id = 0; enum_id < (*num_dst_objs); enum_id++) { if (le16_to_cpu(path->usConnObjectId) == - le16_to_cpu(router_src_dst_table->usDstObjectID[enum_id])) + le16_to_cpu(dst_objs[enum_id])) break; } Patches currently in stable-queue which might be from alexander.deucher@xxxxxxx are queue-3.11/radeon-kms-fix-uninitialised-hotplug-work-usage-in-r100_irq_process.patch queue-3.11/drm-radeon-fix-init-ordering-for-r600.patch queue-3.11/drm-radeon-add-berlin-pci-ids.patch queue-3.11/drm-radeon-enable-uvd-interrupts-on-cik.patch queue-3.11/drm-radeon-fix-lcd-record-parsing.patch queue-3.11/drm-radeon-fix-resume-on-some-rs4xx-boards-v2.patch queue-3.11/drm-radeon-cik-update-gpu_init-for-an-additional-berlin-gpu.patch queue-3.11/drm-radeon-update-line-buffer-allocation-for-dce8.patch queue-3.11/drm-radeon-si-add-support-for-cp-dma-to-cs-checker-for-compute-v2.patch queue-3.11/drm-radeon-fix-endian-bugs-in-hw-i2c-atom-routines.patch queue-3.11/drm-radeon-dpm-add-reclocking-quirk-for-asus-k70af.patch queue-3.11/drm-radeon-update-line-buffer-allocation-for-dce6.patch queue-3.11/drm-radeon-update-line-buffer-allocation-for-dce4.1-5.patch queue-3.11/drm-radeon-dpm-make-sure-dc-performance-level-limits-are-valid-btc-si-v2.patch queue-3.11/drm-radeon-fix-handling-of-variable-sized-arrays-for-router-objects.patch queue-3.11/drm-radeon-fill-in-gpu_init-for-berlin-gpu-cores.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html