From: Jeongjun Park
To: Inki Dae, Seung-Woo Kim, Kyungmin Park
Cc: David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jeongjun Park
Subject: [PATCH 1/3 v2] drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
Date: Mon, 2 Feb 2026 20:32:32 +0900
Message-Id: <20260202113234.183393-2-aha310510@gmail.com>
In-Reply-To: <20260202113234.183393-1-aha310510@gmail.com>
References: <20260202113234.183393-1-aha310510@gmail.com>

vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device. This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more.

To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer.

Cc:
Fixes: cf67cc9a29ac ("drm/exynos: remove struct exynos_drm_display")
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_drv.h  |  1 +
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.h b/drivers/gpu/drm/exyn= os/exynos_drm_drv.h index 23646e55f142..06c29ff2aac0 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_drv.h
+++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h @@ -199,6 +199,7 @@ struct drm_exynos_file_private { struct exynos_drm_private { struct device *g2d_dev; struct device *dma_dev; + struct device *vidi_dev; void *mapping; =20 /* for atomic commit */ diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index e094b8bbc0f1..1fe297d512e7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -223,9 +223,14 @@ ATTRIBUTE_GROUPS(vidi); int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, struct drm_file *file_priv) { - struct vidi_context *ctx =3D dev_get_drvdata(drm_dev->dev); + struct exynos_drm_private *priv =3D drm_dev->dev_private; + struct device *dev =3D priv ? priv->vidi_dev : NULL; + struct vidi_context *ctx =3D dev ? dev_get_drvdata(dev) : NULL; struct drm_exynos_vidi_connection *vidi =3D data; =20 + if (!ctx) + return -ENODEV; + if (!vidi) { DRM_DEV_DEBUG_KMS(ctx->dev, "user data for vidi is null.\n"); @@ -371,6 +376,7 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) { struct vidi_context *ctx =3D dev_get_drvdata(dev); struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; struct drm_encoder *encoder =3D &ctx->encoder; struct exynos_drm_plane *exynos_plane; struct exynos_drm_plane_config plane_config =3D { 0 }; @@ -378,6 +384,8 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) int ret; =20 ctx->drm_dev =3D drm_dev; + if (priv) + priv->vidi_dev =3D dev; =20 plane_config.pixel_formats =3D formats; plane_config.num_pixel_formats =3D ARRAY_SIZE(formats); 
@@ -423,8 +431,12 @@ static int vidi_bind(struct device *dev, struct device= *master, void *data) static void vidi_unbind(struct device *dev, struct device *master, void *d= ata) { struct vidi_context *ctx =3D dev_get_drvdata(dev); + struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; =20 timer_delete_sync(&ctx->timer); + if (priv) + priv->vidi_dev =3D NULL; } =20 static const struct component_ops vidi_component_ops =3D { --
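Review bot: the new `struct device *vidi_dev;` in struct exynos_drm_private is undocumented; a one-line comment next to it saying it is owned by the vidi component and only valid between vidi_bind() and vidi_unbind() would tell later readers why the ioctl must NULL-check it, as g2d_dev and dma_dev readers must for theirs.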
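Review bot: the lookup chain in vidi_connection_ioctl() (`struct device *dev =3D priv ? priv->vidi_dev : NULL;`, `struct vidi_context *ctx =3D dev ? dev_get_drvdata(dev) : NULL;`, `if (!ctx) return -ENODEV;`) reads priv->vidi_dev with no synchronisation against vidi_unbind() clearing it, so the commit message or a comment should state why no ioctl can be in flight when unbind runs (for example, if the master's unbind unregisters the DRM device before unbinding components). If that ordering does not hold, the ctx resolved here can be one whose timer vidi_unbind() is already tearing down. The `priv` NULL check is also unexplained: dev_private is set up before components bind, so either drop it or mark it as purely defensive.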
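Review bot: in vidi_bind() `priv->vidi_dev =3D dev;` is stored right after `ctx->drm_dev =3D drm_dev;`, before the plane and encoder setup whose failures the `int ret;` above reports; if anything later in vidi_bind() fails, priv->vidi_dev keeps pointing at a component whose bind did not complete, and a component whose bind() failed is not unbound afterwards, so the pointer is never cleared. Either move the assignment to the success path at the end of vidi_bind() or reset it to NULL on the error path.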
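Review bot: vidi_unbind() clears the pointer only after `timer_delete_sync(&ctx->timer);`; clearing `priv->vidi_dev` first narrows the window in which a late vidi_connection_ioctl() can still resolve this ctx while it is being torn down. The hunk also derives `drm_dev` from `data` without a check but then checks `priv`; be consistent with vidi_bind() (both checked or neither, with the assumption stated in a comment).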
From: Jeongjun Park
To: Inki Dae, Seung-Woo Kim, Kyungmin Park
Cc: David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jeongjun Park
Subject: [PATCH 2/3 v2] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Mon, 2 Feb 2026 20:32:33 +0900
Message-Id: <20260202113234.183393-3-aha310510@gmail.com>
In-Reply-To: <20260202113234.183393-1-aha310510@gmail.com>
References: <20260202113234.183393-1-aha310510@gmail.com>

In vidi_connection_ioctl(), vidi->edid (a user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy the edid to kernel memory using copy_from_user() and use that.

Cc:
Fixes: 221009347844 ("drm/exynos/vidi: convert to struct drm_edid")
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 1fe297d512e7..601406b640c7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -251,13 +251,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { const struct drm_edid *drm_edid; - const struct edid *raw_edid; + const void __user *edid_userptr =3D u64_to_user_ptr(vidi->edid); + void *edid_buf; + struct edid hdr; size_t size; =20 - raw_edid =3D (const struct edid *)(unsigned long)vidi->edid; - size =3D (raw_edid->extensions + 1) * EDID_LENGTH; + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) + return -EFAULT; =20 - drm_edid =3D drm_edid_alloc(raw_edid, size); + size =3D (hdr.extensions + 1) * EDID_LENGTH; + + edid_buf =3D kmalloc(size, GFP_KERNEL); + if (!edid_buf) + return -ENOMEM; + + if (copy_from_user(edid_buf, edid_userptr, size)) { + kfree(edid_buf); + return -EFAULT; + } + + drm_edid =3D drm_edid_alloc(edid_buf, size); + kfree(edid_buf); if (!drm_edid) return -ENOMEM; =20 --
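Review bot: the alloc-and-copy pair (`edid_buf =3D kmalloc(size, GFP_KERNEL);` followed by `if (copy_from_user(edid_buf, edid_userptr, size)) { kfree(edid_buf); return -EFAULT; }`) can be collapsed into `edid_buf =3D memdup_user(edid_userptr, size); if (IS_ERR(edid_buf)) return PTR_ERR(edid_buf);`, removing one error path. The double read also deserves a comment: `size` is computed once from `hdr.extensions` in the first copy_from_user(), and both the allocation and the second copy use that same value, so userspace changing the extension byte between the two copies cannot cause an out-of-bounds access, and because extensions is a u8 the allocation is bounded at 256 * EDID_LENGTH; the copied buffer still has to pass the driver's existing validity check before it is trusted.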
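The two-step copy this patch introduces (read the header, derive `size`, then copy `size` bytes) is only safe because the second copy is validated before use. The following is an added example, not code from the patch or the kernel, that shows that validation in plain C on a constructed EDID blob: `edid_size_from_header`, `edid_blob_valid`, `build_sample_edid` and `check_sample` are hypothetical names, and the offsets and checksum rule follow the EDID base-block layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EDID_LENGTH 128
/* extensions is a single byte, so a blob is at most 256 blocks of 128 bytes */
#define EDID_MAX_SIZE (256 * EDID_LENGTH)
/* offset of the extension count in the base block (same as struct edid) */
#define EDID_EXT_OFFSET 126
static const uint8_t edid_magic[8] = {
	0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00
};

/* Step 1, as in the patch: derive the blob size from a copied header alone.
 * Returns 0 if the header is too short or lacks the EDID magic. */
size_t edid_size_from_header(const uint8_t *hdr, size_t hdr_len)
{
	if (hdr_len < EDID_LENGTH || memcmp(hdr, edid_magic, sizeof(edid_magic)))
		return 0;
	return (size_t)(hdr[EDID_EXT_OFFSET] + 1) * EDID_LENGTH;
}

/* Step 2: validate the full copy against the size computed from the first
 * read. If the caller changed the extension byte or a block between the two
 * copies, the size no longer matches or a block checksum fails. */
int edid_blob_valid(const uint8_t *buf, size_t size)
{
	size_t block, i;
	if (size < EDID_LENGTH || size > EDID_MAX_SIZE || size % EDID_LENGTH)
		return 0;
	if (edid_size_from_header(buf, size) != size)
		return 0;
	for (block = 0; block < size; block += EDID_LENGTH) {
		uint8_t sum = 0;	/* each 128-byte block sums to 0 mod 256 */
		for (i = 0; i < EDID_LENGTH; i++)
			sum += buf[block + i];
		if (sum)
			return 0;
	}
	return 1;
}

/* Constructed sample (not a real monitor's EDID): a base block plus one
 * CEA-861 extension block, both with correct checksum bytes. */
size_t build_sample_edid(uint8_t *out, size_t cap)
{
	size_t blk, i;
	if (cap < 2 * EDID_LENGTH)
		return 0;
	memset(out, 0, 2 * EDID_LENGTH);
	memcpy(out, edid_magic, sizeof(edid_magic));
	out[EDID_EXT_OFFSET] = 1;	/* one extension block follows */
	out[EDID_LENGTH] = 0x02;	/* CEA-861 extension tag */
	for (blk = 0; blk < 2; blk++) {
		uint8_t sum = 0;
		for (i = 0; i < EDID_LENGTH - 1; i++)
			sum += out[blk * EDID_LENGTH + i];
		out[blk * EDID_LENGTH + EDID_LENGTH - 1] = (uint8_t)(0x100 - sum);
	}
	return 2 * EDID_LENGTH;
}

/* Runs both steps on the sample. With tamper set, the extension count is
 * changed after the size was derived (what a concurrent writer to the user
 * buffer could do); the verdict must then be "invalid". Returns the verdict. */
int check_sample(int tamper)
{
	uint8_t buf[2 * EDID_LENGTH];
	size_t n = build_sample_edid(buf, sizeof(buf));
	size_t size = edid_size_from_header(buf, n);
	if (tamper)
		buf[EDID_EXT_OFFSET] = 3;
	return size != 0 && edid_blob_valid(buf, size);
}
```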
From: Jeongjun Park
To: Inki Dae, Seung-Woo Kim, Kyungmin Park
Cc: David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jeongjun Park
Subject: [PATCH 3/3 v2] drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Date: Mon, 2 Feb 2026 20:32:34 +0900
Message-Id: <20260202113234.183393-4-aha310510@gmail.com>
In-Reply-To: <20260202113234.183393-1-aha310510@gmail.com>
References: <20260202113234.183393-1-aha310510@gmail.com>

The Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problems. For example, a use-after-free can occur in a race scenario like this:

```
CPU0                                CPU1                                         CPU2
----                                ----                                         ----
vidi_connection_ioctl()
  if (vidi->connection) // true
    drm_edid = drm_edid_alloc(); // alloc drm_edid
    ...
    ctx->raw_edid = drm_edid;
    ...
                                    drm_mode_getconnector()
                                      drm_helper_probe_single_connector_modes()
                                        vidi_get_modes()
                                          if (ctx->raw_edid) // true
                                            drm_edid_dup(ctx->raw_edid);
                                              if (!drm_edid) // false
                                              ...
                                                                                 vidi_connection_ioctl()
                                                                                   if (vidi->connection) // false
                                                                                     drm_edid_free(ctx->raw_edid); // free drm_edid
                                                                                     ...
                                              drm_edid_alloc(drm_edid->edid)
                                                kmemdup(edid); // UAF!!
                                              ...
```

To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock.

Cc:
Fixes: b73d12303ecf ("drm/exynos: added virtual display driver.")
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 38 ++++++++++++++++++++----
 1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 601406b640c7..37733f2ac0e7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -186,29 +186,37 @@ static ssize_t vidi_store_connection(struct device *d= ev, const char *buf, size_t len) { struct vidi_context *ctx =3D dev_get_drvdata(dev); - int ret; + int ret, new_connected; =20 - ret =3D kstrtoint(buf, 0, &ctx->connected); + ret =3D kstrtoint(buf, 0, &new_connected); if (ret) return ret; - - if (ctx->connected > 1) + if (new_connected > 1) return -EINVAL; =20 + mutex_lock(&ctx->lock); + /* * Use fake edid data for test. If raw_edid is set then it can't be * tested. */ if (ctx->raw_edid) { DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n"); - return -EINVAL; + ret =3D -EINVAL; + goto fail; } =20 + ctx->connected =3D new_connected; + mutex_unlock(&ctx->lock); + DRM_DEV_DEBUG_KMS(dev, "requested connection.\n"); =20 drm_helper_hpd_irq_event(ctx->drm_dev); =20 return len; +fail: + mutex_unlock(&ctx->lock); + return ret; } =20 static DEVICE_ATTR(connection, 0644, vidi_show_connection, @@ -243,11 +251,14 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, return -EINVAL; } =20 + mutex_lock(&ctx->lock); if (ctx->connected =3D=3D vidi->connection) { + mutex_unlock(&ctx->lock); DRM_DEV_DEBUG_KMS(ctx->dev, "same connection request.\n"); return -EINVAL; } + mutex_unlock(&ctx->lock); =20 if (vidi->connection) { const struct drm_edid *drm_edid; 
@@ -281,14 +292,21 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, "edid data is invalid.\n"); return -EINVAL; } + mutex_lock(&ctx->lock); ctx->raw_edid =3D drm_edid; + mutex_unlock(&ctx->lock); } else { /* with connection =3D 0, free raw_edid */ + mutex_lock(&ctx->lock); drm_edid_free(ctx->raw_edid); ctx->raw_edid =3D NULL; + mutex_unlock(&ctx->lock); } =20 + mutex_lock(&ctx->lock); ctx->connected =3D vidi->connection; + mutex_unlock(&ctx->lock); + drm_helper_hpd_irq_event(ctx->drm_dev); =20 return 0; @@ -303,7 +321,7 @@ static enum drm_connector_status vidi_detect(struct drm= _connector *connector, * connection request would come from user side * to do hotplug through specific ioctl. */ - return ctx->connected ? connector_status_connected : + return READ_ONCE(ctx->connected) ? connector_status_connected : connector_status_disconnected; } =20 @@ -326,11 +344,15 @@ static int vidi_get_modes(struct drm_connector *conne= ctor) const struct drm_edid *drm_edid; int count; =20 + mutex_lock(&ctx->lock); + if (ctx->raw_edid) drm_edid =3D drm_edid_dup(ctx->raw_edid); else drm_edid =3D drm_edid_alloc(fake_edid_info, sizeof(fake_edid_info)); =20 + mutex_unlock(&ctx->lock); + drm_edid_connector_update(connector, drm_edid); =20 count =3D drm_edid_connector_add_modes(connector); @@ -482,9 +504,13 @@ static void vidi_remove(struct platform_device *pdev) { struct vidi_context *ctx =3D platform_get_drvdata(pdev); =20 + mutex_lock(&ctx->lock); + drm_edid_free(ctx->raw_edid); ctx->raw_edid =3D NULL; =20 + mutex_unlock(&ctx->lock); + component_del(&pdev->dev, &vidi_component_ops); } =20 --
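Review bot: in vidi_store_connection() `if (new_connected > 1) return -EINVAL;` still accepts negative values from kstrtoint(), and a negative `ctx->connected` reads as connected in vidi_detect(); since the line is being rewritten anyway, also reject `new_connected < 0` (or parse with kstrtouint()). The `goto fail;` / `fail: mutex_unlock(&ctx->lock); return ret;` path is correct, but a `guard(mutex)(&ctx->lock);` scoped over the raw_edid check and the `ctx->connected =3D new_connected;` store would remove the label and the manual unlock.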
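Review bot: in vidi_connection_ioctl() ctx->lock is dropped right after the `ctx->connected =3D=3D vidi->connection` comparison and re-taken separately for `ctx->raw_edid =3D drm_edid;`, for the drm_edid_free() branch and for `ctx->connected =3D vidi->connection;`, so the check and the update are not atomic: two concurrent ioctls with connection=1 both pass the comparison, both allocate a drm_edid, and the first value stored in ctx->raw_edid is overwritten without drm_edid_free(), leaking it. Do the user copy and drm_edid_alloc() before taking the lock, then hold ctx->lock from the comparison through the final `ctx->connected =3D vidi->connection;`, freeing the unneeded allocation after unlock when the comparison fails; drm_helper_hpd_irq_event() can stay outside the lock.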
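Review bot: `return READ_ONCE(ctx->connected) ? connector_status_connected :` marks the lockless read in vidi_detect(), but the writers touched by this same patch (`ctx->connected =3D new_connected;` in vidi_store_connection() and `ctx->connected =3D vidi->connection;` in vidi_connection_ioctl()) are plain stores; pair them with WRITE_ONCE() so the annotation is consistent on both sides and KCSAN does not report the pair.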
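Review bot: vidi_remove() frees `ctx->raw_edid` under the lock before `component_del(&pdev->dev, &vidi_component_ops);`, so while the component is still bound a vidi_connection_ioctl() can run after the free, allocate a new drm_edid and store it in ctx->raw_edid, which is then never freed; calling component_del() first and freeing raw_edid afterwards closes that window.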