From: Jeongjun Park
To: Inki Dae, Seung-Woo Kim, Kyungmin Park
Cc: David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jeongjun Park
Subject: [PATCH 2/3 RESEND] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Mon, 19 Jan 2026 17:25:52 +0900
Message-Id: <20260119082553.195181-3-aha310510@gmail.com>
In-Reply-To: <20260119082553.195181-1-aha310510@gmail.com>

In vidi_connection_ioctl(), vidi->edid(user pointer) is directly
dereferenced in the kernel. This allows arbitrary kernel memory access
from the user space, so instead of directly accessing the user pointer
in the kernel, we should modify it to copy edid to kernel memory using
copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 1fe297d512e7..601406b640c7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c 
+++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -251,13 +251,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { const struct drm_edid *drm_edid; - const struct edid *raw_edid; + const void __user *edid_userptr =3D u64_to_user_ptr(vidi->edid); + void *edid_buf; + struct edid hdr; size_t size; =20 - raw_edid =3D (const struct edid *)(unsigned long)vidi->edid; - size =3D (raw_edid->extensions + 1) * EDID_LENGTH; + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) + return -EFAULT; =20 - drm_edid =3D drm_edid_alloc(raw_edid, size); + size =3D (hdr.extensions + 1) * EDID_LENGTH; + + edid_buf =3D kmalloc(size, GFP_KERNEL); + if (!edid_buf) + return -ENOMEM; + + if (copy_from_user(edid_buf, edid_userptr, size)) { + kfree(edid_buf); + return -EFAULT; + } + + drm_edid =3D drm_edid_alloc(edid_buf, size); + kfree(edid_buf); if (!drm_edid) return -ENOMEM; =20 --
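
Review bot: the added lines in the @@ -251,13 +251,27 @@ hunk read the EDID from user space twice, so the `extensions` byte that sized the allocation (`hdr.extensions`) is not guaranteed to match the one that lands in `edid_buf` after the second `copy_from_user(edid_buf, edid_userptr, size)`; user space can rewrite it between the two copies. After the second copy, either compare the `extensions` field in `edid_buf` against `hdr.extensions` and fail on a mismatch, or memcpy `hdr` over the start of `edid_buf` so the buffer handed to `drm_edid_alloc(edid_buf, size)` is consistent with `size`. Separately, the kmalloc() plus copy_from_user() pair can be collapsed into memdup_user(), which removes the manual kfree() on the -EFAULT path. A short comment on why a fixed-size header is copied first would also help the next reader.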