From: Jeongjun Park
To: Inki Dae, Seung-Woo Kim, Kyungmin Park
Cc: David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jeongjun Park
Subject: [PATCH 1/3 RESEND] drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
Date: Mon, 19 Jan 2026 17:25:51 +0900
Message-Id: <20260119082553.195181-2-aha310510@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260119082553.195181-1-aha310510@gmail.com>
References: <20260119082553.195181-1-aha310510@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device. This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more.

To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer.

Cc:
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_drv.h  |  1 +
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.h b/drivers/gpu/drm/exyn= os/exynos_drm_drv.h
index 23646e55f142..06c29ff2aac0 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_drv.h
+++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h
@@ -199,6 +199,7 @@ struct drm_exynos_file_private { struct exynos_drm_private { struct device *g2d_dev; struct device *dma_dev; + struct device *vidi_dev; void *mapping; =20 /* for atomic commit */ diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index e094b8bbc0f1..1fe297d512e7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -223,9 +223,14 @@ ATTRIBUTE_GROUPS(vidi); int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, struct drm_file *file_priv) { - struct vidi_context *ctx =3D dev_get_drvdata(drm_dev->dev); + struct exynos_drm_private *priv =3D drm_dev->dev_private; + struct device *dev =3D priv ? priv->vidi_dev : NULL; + struct vidi_context *ctx =3D dev ? dev_get_drvdata(dev) : NULL; struct drm_exynos_vidi_connection *vidi =3D data; =20 + if (!ctx) + return -ENODEV; + if (!vidi) { DRM_DEV_DEBUG_KMS(ctx->dev, "user data for vidi is null.\n"); @@ -371,6 +376,7 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) { struct vidi_context *ctx =3D dev_get_drvdata(dev); struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; struct drm_encoder *encoder =3D &ctx->encoder; struct exynos_drm_plane *exynos_plane; struct exynos_drm_plane_config plane_config =3D { 0 }; @@ -378,6 +384,8 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) int ret; =20 ctx->drm_dev =3D drm_dev; + if (priv) + priv->vidi_dev =3D dev; =20 plane_config.pixel_formats =3D formats; plane_config.num_pixel_formats =3D ARRAY_SIZE(formats); 
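Review bot: in the vidi_bind() hunks, `if (priv) priv->vidi_dev = dev;` silently skips the registration when drm_dev->dev_private is NULL, so bind reports success and every later vidi_connection_ioctl() call fails with -ENODEV. Either dev_private is always set by the time components are bound, in which case the `if (priv)` guards here, in vidi_unbind() and in the ioctl are dead code and should be dropped, or it can be NULL, in which case vidi_bind() should return an error instead of continuing.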
@@ -423,8 +431,12 @@ static int vidi_bind(struct device *dev, struct device= *master, void *data) static void vidi_unbind(struct device *dev, struct device *master, void *d= ata) { struct vidi_context *ctx =3D dev_get_drvdata(dev); + struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; =20 timer_delete_sync(&ctx->timer); + if (priv) + priv->vidi_dev =3D NULL; } =20 static const struct component_ops vidi_component_ops =3D { --
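Review bot: in the vidi_connection_ioctl() hunk, priv->vidi_dev is read without any synchronisation against vidi_unbind(), which writes NULL to it in the last hunk, and the ctx obtained from it is used for the rest of the ioctl. This is only safe if unbind can never run while an ioctl is in flight; if the component/DRM teardown order guarantees that, a one-line comment at the lookup should say so, otherwise the read needs the same protection as the stores. The `if (!ctx) return -ENODEV;` check is correctly placed before the `if (!vidi)` branch that dereferences ctx->dev.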
From: Jeongjun Park
To: Inki Dae, Seung-Woo Kim, Kyungmin Park
Cc: David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jeongjun Park
Subject: [PATCH 2/3 RESEND] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Mon, 19 Jan 2026 17:25:52 +0900
Message-Id: <20260119082553.195181-3-aha310510@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260119082553.195181-1-aha310510@gmail.com>
References: <20260119082553.195181-1-aha310510@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In vidi_connection_ioctl(), vidi->edid (user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from the user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c
index 1fe297d512e7..601406b640c7 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -251,13 +251,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { const struct drm_edid *drm_edid; - const struct edid *raw_edid; + const void __user *edid_userptr =3D u64_to_user_ptr(vidi->edid); + void *edid_buf; + struct edid hdr; size_t size; =20 - raw_edid =3D (const struct edid *)(unsigned long)vidi->edid; - size =3D (raw_edid->extensions + 1) * EDID_LENGTH; + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) + return -EFAULT; =20 - drm_edid =3D drm_edid_alloc(raw_edid, size); + size =3D (hdr.extensions + 1) * EDID_LENGTH; + + edid_buf =3D kmalloc(size, GFP_KERNEL); + if (!edid_buf) + return -ENOMEM; + + if (copy_from_user(edid_buf, edid_userptr, size)) { + kfree(edid_buf); + return -EFAULT; + } + + drm_edid =3D drm_edid_alloc(edid_buf, size); + kfree(edid_buf); if (!drm_edid) return -ENOMEM; =20 --
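Review bot: in the vidi_connection_ioctl() hunk, the EDID is read from user memory twice: `hdr` is copied first and `size` is derived from hdr.extensions, then `size` bytes are copied again into edid_buf, so the extensions byte inside edid_buf can differ from the one the buffer was sized for. drm_edid_alloc() receives the trusted `size`, so the copy itself stays in bounds, but any later consumer that takes the block count from the blob sees the second value; compare `((struct edid *)edid_buf)->extensions` with hdr.extensions after the second copy and return -EINVAL on mismatch, or validate the blob's own extensions field against `size` where the EDID is checked. Separately, kmalloc() followed by copy_from_user() with kfree() on failure is exactly what memdup_user() does; `edid_buf = memdup_user(edid_userptr, size);` plus an IS_ERR() check is shorter and the usual idiom.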
From: Jeongjun Park
To: Inki Dae, Seung-Woo Kim, Kyungmin Park
Cc: David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jeongjun Park
Subject: [PATCH 3/3 RESEND] drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Date: Mon, 19 Jan 2026 17:25:53 +0900
Message-Id: <20260119082553.195181-4-aha310510@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260119082553.195181-1-aha310510@gmail.com>
References: <20260119082553.195181-1-aha310510@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes a concurrency problem. For example, use-after-free can occur in a race scenario like this:

```
CPU0                                    CPU1                                             CPU2
----                                    ----                                             ----
vidi_connection_ioctl()
  if (vidi->connection) // true
    drm_edid = drm_edid_alloc(); // alloc drm_edid
    ...
    ctx->raw_edid = drm_edid;
    ...
                                        drm_mode_getconnector()
                                          drm_helper_probe_single_connector_modes()
                                            vidi_get_modes()
                                              if (ctx->raw_edid) // true
                                                drm_edid_dup(ctx->raw_edid);
                                                  if (!drm_edid) // false
                                                  ...
                                                                                         vidi_connection_ioctl()
                                                                                           if (vidi->connection) // false
                                                                                             drm_edid_free(ctx->raw_edid); // free drm_edid
                                                                                             ...
                                                  drm_edid_alloc(drm_edid->edid)
                                                    kmemdup(edid); // UAF!!
                                                  ...
```

To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock.

Cc:
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 38 ++++++++++++++++++++----
 1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 601406b640c7..37733f2ac0e7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -186,29 +186,37 @@ static ssize_t vidi_store_connection(struct device *d= ev, const char *buf, size_t len) { struct vidi_context *ctx =3D dev_get_drvdata(dev); - int ret; + int ret, new_connected; =20 - ret =3D kstrtoint(buf, 0, &ctx->connected); + ret =3D kstrtoint(buf, 0, &new_connected); if (ret) return ret; - - if (ctx->connected > 1) + if (new_connected > 1) return -EINVAL; =20 + mutex_lock(&ctx->lock); + /* * Use fake edid data for test. If raw_edid is set then it can't be * tested. */ if (ctx->raw_edid) { DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n"); - return -EINVAL; + ret =3D -EINVAL; + goto fail; } =20 + ctx->connected =3D new_connected; + mutex_unlock(&ctx->lock); + DRM_DEV_DEBUG_KMS(dev, "requested connection.\n"); =20 drm_helper_hpd_irq_event(ctx->drm_dev); =20 return len; +fail: + mutex_unlock(&ctx->lock); + return ret; } =20 static DEVICE_ATTR(connection, 0644, vidi_show_connection, @@ -243,11 +251,14 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, return -EINVAL; } =20 + mutex_lock(&ctx->lock); if (ctx->connected =3D=3D vidi->connection) { + mutex_unlock(&ctx->lock); DRM_DEV_DEBUG_KMS(ctx->dev, "same connection request.\n"); return -EINVAL; } + mutex_unlock(&ctx->lock); =20 if (vidi->connection) { const struct drm_edid *drm_edid; 
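Review bot: in the vidi_store_connection() hunk, `if (new_connected > 1) return -EINVAL;` still accepts negative values from kstrtoint(), which then reach `ctx->connected = new_connected;` and read as connected in vidi_detect(); since the check is being rewritten anyway, reject `new_connected < 0` as well, or parse with kstrtouint(). Also, vidi_detect() now reads ctx->connected with READ_ONCE() while this store and the one in vidi_connection_ioctl() are plain writes under the mutex; use WRITE_ONCE() for the stores so the annotation is symmetric and KCSAN does not report the pair.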
@@ -281,14 +292,21 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, "edid data is invalid.\n"); return -EINVAL; } + mutex_lock(&ctx->lock); ctx->raw_edid =3D drm_edid; + mutex_unlock(&ctx->lock); } else { /* with connection =3D 0, free raw_edid */ + mutex_lock(&ctx->lock); drm_edid_free(ctx->raw_edid); ctx->raw_edid =3D NULL; + mutex_unlock(&ctx->lock); } =20 + mutex_lock(&ctx->lock); ctx->connected =3D vidi->connection; + mutex_unlock(&ctx->lock); + drm_helper_hpd_irq_event(ctx->drm_dev); =20 return 0; @@ -303,7 +321,7 @@ static enum drm_connector_status vidi_detect(struct drm= _connector *connector, * connection request would come from user side * to do hotplug through specific ioctl. */ - return ctx->connected ? connector_status_connected : + return READ_ONCE(ctx->connected) ? connector_status_connected : connector_status_disconnected; } =20 @@ -326,11 +344,15 @@ static int vidi_get_modes(struct drm_connector *conne= ctor) const struct drm_edid *drm_edid; int count; =20 + mutex_lock(&ctx->lock); + if (ctx->raw_edid) drm_edid =3D drm_edid_dup(ctx->raw_edid); else drm_edid =3D drm_edid_alloc(fake_edid_info, sizeof(fake_edid_info)); =20 + mutex_unlock(&ctx->lock); + drm_edid_connector_update(connector, drm_edid); =20 count =3D drm_edid_connector_add_modes(connector); @@ -482,9 +504,13 @@ static void vidi_remove(struct platform_device *pdev) { struct vidi_context *ctx =3D platform_get_drvdata(pdev); =20 + mutex_lock(&ctx->lock); + drm_edid_free(ctx->raw_edid); ctx->raw_edid =3D NULL; =20 + mutex_unlock(&ctx->lock); + component_del(&pdev->dev, &vidi_component_ops); } =20 --
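Review bot: across the vidi_connection_ioctl() hunks (@@ -243 and @@ -281), ctx->lock is acquired and dropped four separate times: for the `ctx->connected == vidi->connection` comparison, for `ctx->raw_edid = drm_edid;`, for the drm_edid_free() in the else branch, and for the final `ctx->connected = vidi->connection;`. The check-then-act is still not atomic, so the window the commit message describes is narrowed rather than closed: two callers with connection=1 can both pass the comparison, and the later `ctx->raw_edid = drm_edid;` then overwrites and leaks the first allocation; a connection=0 caller can free raw_edid between a connection=1 caller's comparison and its store. Holding the mutex from the comparison through the final store is the simplest fix (copy_from_user() and drm_edid_alloc() may sleep, which a mutex permits); otherwise re-check ctx->connected and ctx->raw_edid under the lock before each store and back out if they changed.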