From: Jeongjun Park
To: inki.dae@samsung.com, sw0312.kim@samsung.com, kyungmin.park@samsung.com, airlied@gmail.com, simona@ffwll.ch
Cc: krzk@kernel.org, alim.akhtar@samsung.com, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, aha310510@gmail.com
Subject: [PATCH 1/3] drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
Date: Tue, 2 Sep 2025 20:20:41 +0900
Message-Id: <20250902112043.3525123-2-aha310510@gmail.com>
In-Reply-To: <20250902112043.3525123-1-aha310510@gmail.com>
References: <20250902112043.3525123-1-aha310510@gmail.com>

vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device but a completely different device. This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more.

To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer.

Cc:
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_drv.h  |  1 +
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.h b/drivers/gpu/drm/exyn= os/exynos_drm_drv.h
index 23646e55f142..06c29ff2aac0 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_drv.h
+++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h @@ -199,6 +199,7 @@ struct drm_exynos_file_private { struct exynos_drm_private { struct device *g2d_dev; struct device *dma_dev; + struct device *vidi_dev; void *mapping; =20 /* for atomic commit */ diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index e094b8bbc0f1..1fe297d512e7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -223,9 +223,14 @@ ATTRIBUTE_GROUPS(vidi); int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, struct drm_file *file_priv) { - struct vidi_context *ctx =3D dev_get_drvdata(drm_dev->dev); + struct exynos_drm_private *priv =3D drm_dev->dev_private; + struct device *dev =3D priv ? priv->vidi_dev : NULL; + struct vidi_context *ctx =3D dev ? dev_get_drvdata(dev) : NULL; struct drm_exynos_vidi_connection *vidi =3D data; =20 + if (!ctx) + return -ENODEV; + if (!vidi) { DRM_DEV_DEBUG_KMS(ctx->dev, "user data for vidi is null.\n"); @@ -371,6 +376,7 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) { struct vidi_context *ctx =3D dev_get_drvdata(dev); struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; struct drm_encoder *encoder =3D &ctx->encoder; struct exynos_drm_plane *exynos_plane; struct exynos_drm_plane_config plane_config =3D { 0 }; @@ -378,6 +384,8 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) int ret; =20 ctx->drm_dev =3D drm_dev; + if (priv) + priv->vidi_dev =3D dev; =20 plane_config.pixel_formats =3D formats; plane_config.num_pixel_formats =3D ARRAY_SIZE(formats); 
@@ -423,8 +431,12 @@ static int vidi_bind(struct device *dev, struct device= *master, void *data) static void vidi_unbind(struct device *dev, struct device *master, void *d= ata) { struct vidi_context *ctx =3D dev_get_drvdata(dev); + struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; =20 timer_delete_sync(&ctx->timer); + if (priv) + priv->vidi_dev =3D NULL; } =20 static const struct component_ops vidi_component_ops =3D { --
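Review bot: the new `vidi_dev` member added to struct exynos_drm_private in the exynos_drm_drv.h hunk has no comment on its lifetime; since vidi_bind() sets it and vidi_unbind() clears it, a one-line comment saying it is valid only while the vidi component is bound would tell the reader of vidi_connection_ioctl() what a NULL value means.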
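Review bot: in the vidi_connection_ioctl() hunk nothing serialises the read of priv->vidi_dev against vidi_unbind() writing NULL to it, so an ioctl that resolved ctx just before unbind keeps using that ctx while the component is torn down; the commit message should state what guarantees unbind cannot overlap an in-flight ioctl (DRM device unregistration ordering, for instance), or the lookup needs protection of its own. The early `return -ENODEV` is correctly placed before the `if (!vidi)` branch, which would otherwise dereference ctx->dev for its debug message.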
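Review bot: the `if (priv)` guard in the vidi_bind() hunks implies drm_dev->dev_private may be NULL at bind time, but if it ever were, the lookup this series introduces could never succeed while bind still reports success; either drop the guard or document when dev_private can be NULL there and fail the bind in that case.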
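Review bot: in the vidi_unbind() hunk priv->vidi_dev is cleared after timer_delete_sync(); clearing it before the timer sync would stop a late vidi_connection_ioctl() from resolving a ctx whose timer is already being stopped, which narrows the window raised for the ioctl hunk even if it does not close it.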
From: Jeongjun Park
To: inki.dae@samsung.com, sw0312.kim@samsung.com, kyungmin.park@samsung.com, airlied@gmail.com, simona@ffwll.ch
Cc: krzk@kernel.org, alim.akhtar@samsung.com, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, aha310510@gmail.com
Subject: [PATCH 2/3] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Tue, 2 Sep 2025 20:20:42 +0900
Message-Id: <20250902112043.3525123-3-aha310510@gmail.com>
In-Reply-To: <20250902112043.3525123-1-aha310510@gmail.com>
References: <20250902112043.3525123-1-aha310510@gmail.com>

In vidi_connection_ioctl(), vidi->edid (a user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c
index 1fe297d512e7..601406b640c7 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -251,13 +251,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { const struct drm_edid *drm_edid; - const struct edid *raw_edid; + const void __user *edid_userptr =3D u64_to_user_ptr(vidi->edid); + void *edid_buf; + struct edid hdr; size_t size; =20 - raw_edid =3D (const struct edid *)(unsigned long)vidi->edid; - size =3D (raw_edid->extensions + 1) * EDID_LENGTH; + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) + return -EFAULT; =20 - drm_edid =3D drm_edid_alloc(raw_edid, size); + size =3D (hdr.extensions + 1) * EDID_LENGTH; + + edid_buf =3D kmalloc(size, GFP_KERNEL); + if (!edid_buf) + return -ENOMEM; + + if (copy_from_user(edid_buf, edid_userptr, size)) { + kfree(edid_buf); + return -EFAULT; + } + + drm_edid =3D drm_edid_alloc(edid_buf, size); + kfree(edid_buf); if (!drm_edid) return -ENOMEM; =20 --
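Review bot: the hunk copies the EDID header once to compute `size` and then copies the whole buffer again, so `hdr.extensions` and the extensions byte inside `edid_buf` can disagree if user space rewrites the memory between the two copy_from_user() calls; the commit message should state that drm_edid_alloc() re-validates the extension count against `size` (or the code should overwrite that byte in `edid_buf` from `hdr`), otherwise the allocation size and the size implied by the data diverge. The kmalloc() length is bounded because `extensions` is a single byte, so at most 256 * EDID_LENGTH; a comment saying so would save the next reader from checking. The kmalloc()/copy_from_user()/kfree() sequence could also be collapsed into `memdup_user()`.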
From: Jeongjun Park
To: inki.dae@samsung.com, sw0312.kim@samsung.com, kyungmin.park@samsung.com, airlied@gmail.com, simona@ffwll.ch
Cc: krzk@kernel.org, alim.akhtar@samsung.com, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, aha310510@gmail.com
Subject: [PATCH 3/3] drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Date: Tue, 2 Sep 2025 20:20:43 +0900
Message-Id: <20250902112043.3525123-4-aha310510@gmail.com>
In-Reply-To: <20250902112043.3525123-1-aha310510@gmail.com>
References: <20250902112043.3525123-1-aha310510@gmail.com>

The Exynos Virtual Display driver performs memory allocation/free operations without lock protection, which easily causes concurrency problems. For example, a use-after-free can occur in a race scenario like this:

```
CPU0                                  CPU1                                              CPU2
----                                  ----                                              ----
vidi_connection_ioctl()
  if (vidi->connection) // true
    drm_edid = drm_edid_alloc(); // alloc drm_edid
    ...
    ctx->raw_edid = drm_edid;
    ...
                                      drm_mode_getconnector()
                                        drm_helper_probe_single_connector_modes()
                                          vidi_get_modes()
                                            if (ctx->raw_edid) // true
                                              drm_edid_dup(ctx->raw_edid);
                                                if (!drm_edid) // false
                                                ...
                                                                                        vidi_connection_ioctl()
                                                                                          if (vidi->connection) // false
                                                                                            drm_edid_free(ctx->raw_edid); // free drm_edid
                                                                                            ...
                                                drm_edid_alloc(drm_edid->edid)
                                                  kmemdup(edid); // UAF!!
                                                  ...
```

To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock.

Cc:
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 38 ++++++++++++++++++++----
 1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 601406b640c7..37733f2ac0e7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -186,29 +186,37 @@ static ssize_t vidi_store_connection(struct device *d= ev, const char *buf, size_t len) { struct vidi_context *ctx =3D dev_get_drvdata(dev); - int ret; + int ret, new_connected; =20 - ret =3D kstrtoint(buf, 0, &ctx->connected); + ret =3D kstrtoint(buf, 0, &new_connected); if (ret) return ret; - - if (ctx->connected > 1) + if (new_connected > 1) return -EINVAL; =20 + mutex_lock(&ctx->lock); + /* * Use fake edid data for test. If raw_edid is set then it can't be * tested. */ if (ctx->raw_edid) { DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n"); - return -EINVAL; + ret =3D -EINVAL; + goto fail; } =20 + ctx->connected =3D new_connected; + mutex_unlock(&ctx->lock); + DRM_DEV_DEBUG_KMS(dev, "requested connection.\n"); =20 drm_helper_hpd_irq_event(ctx->drm_dev); =20 return len; +fail: + mutex_unlock(&ctx->lock); + return ret; } =20 static DEVICE_ATTR(connection, 0644, vidi_show_connection, @@ -243,11 +251,14 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, return -EINVAL; } =20 + mutex_lock(&ctx->lock); if (ctx->connected =3D=3D vidi->connection) { + mutex_unlock(&ctx->lock); DRM_DEV_DEBUG_KMS(ctx->dev, "same connection request.\n"); return -EINVAL; } + mutex_unlock(&ctx->lock); =20 if (vidi->connection) { const struct drm_edid *drm_edid; 
@@ -281,14 +292,21 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, "edid data is invalid.\n"); return -EINVAL; } + mutex_lock(&ctx->lock); ctx->raw_edid =3D drm_edid; + mutex_unlock(&ctx->lock); } else { /* with connection =3D 0, free raw_edid */ + mutex_lock(&ctx->lock); drm_edid_free(ctx->raw_edid); ctx->raw_edid =3D NULL; + mutex_unlock(&ctx->lock); } =20 + mutex_lock(&ctx->lock); ctx->connected =3D vidi->connection; + mutex_unlock(&ctx->lock); + drm_helper_hpd_irq_event(ctx->drm_dev); =20 return 0; @@ -303,7 +321,7 @@ static enum drm_connector_status vidi_detect(struct drm= _connector *connector, * connection request would come from user side * to do hotplug through specific ioctl. */ - return ctx->connected ? connector_status_connected : + return READ_ONCE(ctx->connected) ? connector_status_connected : connector_status_disconnected; } =20 @@ -326,11 +344,15 @@ static int vidi_get_modes(struct drm_connector *conne= ctor) const struct drm_edid *drm_edid; int count; =20 + mutex_lock(&ctx->lock); + if (ctx->raw_edid) drm_edid =3D drm_edid_dup(ctx->raw_edid); else drm_edid =3D drm_edid_alloc(fake_edid_info, sizeof(fake_edid_info)); =20 + mutex_unlock(&ctx->lock); + drm_edid_connector_update(connector, drm_edid); =20 count =3D drm_edid_connector_add_modes(connector); @@ -482,9 +504,13 @@ static void vidi_remove(struct platform_device *pdev) { struct vidi_context *ctx =3D platform_get_drvdata(pdev); =20 + mutex_lock(&ctx->lock); + drm_edid_free(ctx->raw_edid); ctx->raw_edid =3D NULL; =20 + mutex_unlock(&ctx->lock); + component_del(&pdev->dev, &vidi_component_ops); } =20 --
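Review bot: in the vidi_store_connection() hunk `new_connected > 1` still lets negative values through (kstrtoint() into an int) and the value is then stored as ctx->connected, so `new_connected < 0 || new_connected > 1` (or kstrtobool()) would complete the validation the new local makes easy; the `fail:` label has a single user, so unlocking inline before `return -EINVAL` reads simpler.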
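Review bot: the two vidi_connection_ioctl() hunks take ctx->lock four times in separate critical sections, so the same-connection check and the later raw_edid/connected updates are not atomic with each other: two concurrent connection=1 requests can both pass the check after the first unlock, both allocate a drm_edid, and the second assignment to ctx->raw_edid silently drops the first (a leak), while a reader between the sections can observe raw_edid set with connected still 0. Holding the lock from the check through `ctx->connected = vidi->connection` (doing the user copy and drm_edid_alloc() before taking it, and re-checking `connected` under the lock) would make the whole state transition atomic.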
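Review bot: READ_ONCE(ctx->connected) in the vidi_detect() hunk is paired with plain stores under the mutex in vidi_store_connection() and vidi_connection_ioctl(); the reader side is fine as is, but WRITE_ONCE() on those stores (or a comment on the field) would document that `connected` has a lockless reader.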
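The race described in the commit message of patch 3 comes down to one invariant: the connection path and the modes reader must agree on who owns ctx->raw_edid at every instant. As an added illustration (not code from the patch series or the exynos driver), the following user-space pthread model expresses that invariant with a single mutex. All `model_*` names, the EDID bytes and the alloc/free counters are constructed for the example; it goes one step beyond the patch by putting the same-connection check and the raw_edid/connected update in one critical section, so the check cannot go stale before the update.

```c
/* Added example, not code from the patch series or the exynos driver: a
 * user-space pthread model of the ctx->raw_edid/ctx->connected ownership that
 * patch 3 puts under ctx->lock. All model_* names and data are constructed. */
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
#define EDID_LENGTH 128

struct model_ctx {
	pthread_mutex_t lock;       /* ctx->lock */
	unsigned char *raw_edid;    /* ctx->raw_edid: EDID_LENGTH bytes or NULL */
	int connected;              /* ctx->connected */
	int iterations;
	atomic_long allocs, frees;  /* instrumentation only, not in the driver */
};

/* Stands in for drm_edid_alloc()/drm_edid_dup(): the caller owns the copy. */
static unsigned char *model_edid_dup(struct model_ctx *ctx, const unsigned char *src)
{
	unsigned char *e = malloc(EDID_LENGTH);
	if (!e)
		return NULL;
	memcpy(e, src, EDID_LENGTH);
	atomic_fetch_add(&ctx->allocs, 1);
	return e;
}

/* vidi_connection_ioctl() model. Unlike the patch, which locks each field
 * separately, check, alloc/free and the connected update are one critical
 * section, so two concurrent callers can never both pass the check. */
int model_connection_ioctl(struct model_ctx *ctx, int connection, const unsigned char *user_edid)
{
	int ret = 0;
	pthread_mutex_lock(&ctx->lock);
	if (ctx->connected == connection) {
		ret = -EINVAL;
	} else if (connection) {
		unsigned char *e = model_edid_dup(ctx, user_edid);
		if (e)
			ctx->raw_edid = e;
		else
			ret = -ENOMEM;
	} else {
		if (ctx->raw_edid)
			atomic_fetch_add(&ctx->frees, 1);
		free(ctx->raw_edid);            /* drm_edid_free(ctx->raw_edid) */
		ctx->raw_edid = NULL;
	}
	if (!ret)
		ctx->connected = connection;
	pthread_mutex_unlock(&ctx->lock);
	return ret;
}

/* vidi_get_modes() model: duplicate under the lock, then touch only the copy,
 * so a concurrent disconnect may free ctx->raw_edid without affecting us. */
int model_get_modes(struct model_ctx *ctx, unsigned char *out)
{
	unsigned char *copy = NULL;
	pthread_mutex_lock(&ctx->lock);
	if (ctx->raw_edid)
		copy = model_edid_dup(ctx, ctx->raw_edid);
	pthread_mutex_unlock(&ctx->lock);
	if (!copy)
		return 0;
	memcpy(out, copy, EDID_LENGTH);
	free(copy);
	atomic_fetch_add(&ctx->frees, 1);
	return 1;
}

/* Reader thread: the drm_mode_getconnector() side of the race diagram. */
static void *model_reader(void *arg)
{
	struct model_ctx *ctx = arg;
	unsigned char out[EDID_LENGTH];
	for (int i = 0; i < ctx->iterations; i++)
		model_get_modes(ctx, out);
	return NULL;
}

/* Toggles connect/disconnect while the reader runs. Returns 0 when the final
 * state is disconnected and every allocation was freed exactly once. */
int model_run(int iterations)
{
	struct model_ctx ctx = { .lock = PTHREAD_MUTEX_INITIALIZER, .iterations = iterations };
	unsigned char edid[EDID_LENGTH];
	pthread_t reader;
	memset(edid, 0xa5, sizeof(edid)); /* constructed EDID payload */
	pthread_create(&reader, NULL, model_reader, &ctx);
	for (int i = 0; i < iterations; i++) {
		model_connection_ioctl(&ctx, 1, edid);
		model_connection_ioctl(&ctx, 0, NULL);
	}
	pthread_join(reader, NULL);
	if (ctx.raw_edid || ctx.connected)
		return 1;
	return atomic_load(&ctx.allocs) == atomic_load(&ctx.frees) ? 0 : 2;
}
```

`model_run(n)` drives n connect/disconnect cycles against a reader hammering `model_get_modes()`; because the reader only ever dereferences its private duplicate, the free in the disconnect path can never pull memory out from under it, which is exactly what the drm_edid_dup() under ctx->lock in the vidi_get_modes() hunk achieves. The same-connection check in the model is a stricter form of the patch: a second connection=1 request is rejected under the lock rather than after it.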