From 34e7f3da18c8968450b821d384d234808697fbe1 Mon Sep 17 00:00:00 2001
From: David Sterba
Date: May 28 2025 08:14:58 +0000
Subject: udmabuf: fix a buf size overflow issue during udmabuf creation (CVE-2025-37803 bsc#1242852)
---
diff --git a/patches.suse/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch b/patches.suse/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch
new file mode 100644
index 0000000..dcf2b56
--- /dev/null
+++ b/patches.suse/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch
@@ -0,0 +1,32 @@
+From: Xiaogang Chen
+Date: Fri, 21 Mar 2025 11:41:26 -0500
+Subject: [PATCH] udmabuf: fix a buf size overflow issue during udmabuf
+ creation
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 021ba7f1babd029e714d13a6bf2571b08af96d0f
+Patch-mainline: v6.15-rc2
+References: CVE-2025-37803 bsc#1242852
+
+by casting size_limit_mb to u64 when calculate pglimit.
+
+Signed-off-by: Xiaogang Chen
+Link: https://patchwork.freedesktop.org/patch/msgid/20250321164126.329638-1-xiaogang.chen@amd.com
+Signed-off-by: Christian König
+Signed-off-by: David Sterba
+---
+ drivers/dma-buf/udmabuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -212,7 +212,7 @@ static long udmabuf_create(struct miscde
+ if (!ubuf)
+ return -ENOMEM;
+
+- pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
++ pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
+ for (i = 0; i < head->count; i++) {
+ if (!IS_ALIGNED(list[i].offset, PAGE_SIZE))
+ goto err;
diff --git a/series.conf b/series.conf
index 13610c6..39c824f 100644
--- a/series.conf
+++ b/series.conf
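Review bot: The `(u64)` cast on the new `pglimit` line has no comment explaining why the widening is needed, and the patch description only restates the cast without naming the failure it prevents. A short comment above the line would keep a later cleanup from dropping it, for example `/* widen before multiplying: size_limit_mb * 1024 * 1024 wraps in 32-bit arithmetic from 2048 MB up */`; this assumes `size_limit_mb` is a 32-bit integer, whose declaration is outside the hunk. If that variable is also signed, a negative value would convert to a very large u64 and make the computed page limit effectively unbounded, so a range check where the value is set or read would be worth adding alongside the cast. The body of `udmabuf_create` starts and ends outside the hunk, so how `pglimit` is compared afterwards cannot be confirmed from here.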
@@ -31526,6 +31526,7 @@
 patches.suse/drm-i915-huc-Fix-fence-not-released-on-early-probe-e.patch
 patches.suse/drm-amdgpu-dma_buf-fix-page_link-check.patch
 patches.suse/drm-amd-pm-smu11-Prevent-division-by-zero.patch
+ patches.suse/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch
 patches.suse/drm-nouveau-prime-fix-ttm_bo_delayed_delete-oops.patch
 patches.suse/drm-sti-remove-duplicate-object-names.patch
 patches.suse/drm-tests-helpers-Create-kunit-helper-to-destroy-a-d.patch