diff --git a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
index 02dba7a3234d5299192e0e862dea6cabde58d1ef..5a32f8cc620a55178dbdf64a6664ad4623a518bd 100644
--- a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
+++ b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
@@ -209,6 +209,22 @@ public:
   }
 };
 
+/* Implementation of "__check_object_size".  */
+  
+class known_function___check_object_size : public known_function
+{
+ public:
+  bool matches_call_types_p (const call_details &cd) const final override
+  {
+    return cd.num_args () == 2;
+  }
+
+  void impl_call_pre (const call_details &) const final override
+  {
+    /* No-op.  */
+  }
+};
+
 /* Callback handler for the PLUGIN_ANALYZER_INIT event.  */
 
 static void
@@ -224,6 +240,8 @@ kernel_analyzer_init_cb (void *gcc_data, void */*user_data*/)
      make_unique<known_function_copy_from_user> ());
   iface->register_known_function ("copy_to_user",
 				  make_unique<known_function_copy_to_user> ());
+  iface->register_known_function ("__check_object_size",
+				  make_unique<known_function___check_object_size> ());
 }
 
 } // namespace ana
diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp
index b3782f9c5754e4bc6f97012baad89fafa417cda5..a5a72daac1a5db70845c0f862d6815627ef24e71 100644
--- a/gcc/testsuite/gcc.dg/plugin/plugin.exp
+++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp
@@ -169,7 +169,8 @@ set plugin_test_list [list \
 	  taint-pr112850.c \
 	  taint-pr112850-precise.c \
 	  taint-pr112850-too-complex.c \
-	  taint-pr112850-unsanitized.c } \
+	  taint-pr112850-unsanitized.c \
+	  taint-pr112927.c } \
     { analyzer_cpython_plugin.c \
 	  cpython-plugin-test-no-Python-h.c \
 	  cpython-plugin-test-PyList_Append.c \
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
new file mode 100644
index 0000000000000000000000000000000000000000..9c3f7ab670860aca6a2231bf680fd740d1c7c3bb
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
@@ -0,0 +1,49 @@
+/* Reduced from false positive in Linux kernel
+   in drivers/char/ipmi/ipmi_devintf.c.  */
+
+/* { dg-do compile } */
+/* { dg-options "-fanalyzer -O2 -Wno-attributes" } */
+/* { dg-require-effective-target analyzer } */
+
+typedef __SIZE_TYPE__ size_t;
+extern void
+__check_object_size(const void* ptr, unsigned long n);
+
+extern unsigned long
+copy_from_user(void*, const void*, unsigned long);
+
+__attribute__((__always_inline__)) unsigned long
+call_copy_from_user(void* to, const void* from, unsigned long n)
+{
+  __check_object_size(to, n);
+  n = copy_from_user(to, from, n); /* { dg-bogus "use of attacker-controlled value as size without upper-bounds checking" } */
+  return n;
+}
+struct ipmi_msg
+{
+  unsigned short data_len;
+  unsigned char* data;
+};
+
+static int
+handle_send_req(struct ipmi_msg* msg)
+{
+  char buf[273];
+  if (msg->data_len > 272) {
+    return -90;
+  }
+  if (call_copy_from_user(buf, msg->data, msg->data_len)) {
+    return -14;
+  }
+  return 0;
+}
+long
+ipmi_ioctl(void* arg)
+{
+  struct ipmi_msg msg;
+  if (call_copy_from_user(&msg, arg, sizeof(msg))) {
+    return -14;
+  }
+
+  return handle_send_req(&msg);
+}