This is a note to let you know that I've just added the patch titled drm/amdgpu: fix out of bounds write to the 5.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: drm-amdgpu-fix-out-of-bounds-write.patch and it can be found in the queue-5.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 5afa7898ab7a0ec9c28556a91df714bf3c2f725e Mon Sep 17 00:00:00 2001 From: Thelford Williams <tdwilliamsiv@xxxxxxxxx> Date: Wed, 13 Oct 2021 16:04:13 -0400 Subject: drm/amdgpu: fix out of bounds write From: Thelford Williams <tdwilliamsiv@xxxxxxxxx> commit 5afa7898ab7a0ec9c28556a91df714bf3c2f725e upstream. Size can be any value and is user controlled resulting in overwriting the 40 byte array wr_buf with an arbitrary length of data from buf. Signed-off-by: Thelford Williams <tdwilliamsiv@xxxxxxxxx> Signed-off-by: Alex Deucher <alexander.deucher@xxxxxxx> Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(st if (!wr_buf) return -ENOSPC; - if (parse_write_buffer_into_params(wr_buf, size, + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, (long *)param, buf, max_param_num, ¶m_nums)) { Patches currently in stable-queue which might be from tdwilliamsiv@xxxxxxxxx are queue-5.14/drm-amdgpu-fix-out-of-bounds-write.patch queue-5.14/drm-amdgpu-fix-even-more-out-of-bound-writes-from-debugfs.patch