1 files changed, 37 insertions, 0 deletions

diff --git a/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/2088-drm-amdgpu-Fix-bounds-checking-in-amdgpu_ras_is_supp.patch b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/2088-drm-amdgpu-Fix-bounds-checking-in-amdgpu_ras_is_supp.patch
new file mode 100644
index 00000000..21f42390
--- /dev/null
+++ b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.19.8/2088-drm-amdgpu-Fix-bounds-checking-in-amdgpu_ras_is_supp.patch
@@ -0,0 +1,37 @@
+From 2f82e5c04bc61946df83cd50fe3794b21570e8e1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 8 Jun 2019 12:23:57 +0300
+Subject: [PATCH 2088/2940] drm/amdgpu: Fix bounds checking in
+ amdgpu_ras_is_supported()
+
+The "block" variable can be set by the user through debugfs, so it can
+be quite large which leads to shift wrapping here.  This means we report
+a "block" as supported when it's not, and that leads to array overflows
+later on.
+
+This bug is not really a security issue in real life, because debugfs is
+generally root only.
+
+Fixes: 36ea1bd2d084 ("drm/amdgpu: add debugfs ctrl node")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h
+index c6b34fbd695f..94c652f5265a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h
+@@ -173,6 +173,8 @@ static inline int amdgpu_ras_is_supported(struct amdgpu_device *adev,
+ {
+ 	struct amdgpu_ras *ras = amdgpu_ras_get_context(adev);
+ 
++	if (block >= AMDGPU_RAS_BLOCK_COUNT)
++		return 0;
+ 	return ras && (ras->supported & (1 << block));
+ }
+ 
+-- 
+2.17.1
+