From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.19.y 6.18.y 1/2] drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
Date: Fri, 20 Feb 2026 12:35:49 +0900
Message-Id: <20260220033550.124346-2-aha310510@gmail.com>
In-Reply-To: <20260220033550.124346-1-aha310510@gmail.com>
References: <20260220033550.124346-1-aha310510@gmail.com>

[ Upstream commit d3968a0d85b211e197f2f4f06268a7031079e0d0 ]

vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device.

This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more.

To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_drv.h | 1 +
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.h b/drivers/gpu/drm/exyn= os/exynos_drm_drv.h index 23646e55f142..06c29ff2aac0 100644 
--- a/drivers/gpu/drm/exynos/exynos_drm_drv.h +++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h @@ -199,6 +199,7 @@ struct drm_exynos_file_private { struct exynos_drm_private { struct device *g2d_dev; struct device *dma_dev; + struct device *vidi_dev; void *mapping; =20 /* for atomic commit */ diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index e094b8bbc0f1..1fe297d512e7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -223,9 +223,14 @@ ATTRIBUTE_GROUPS(vidi); int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, struct drm_file *file_priv) { - struct vidi_context *ctx =3D dev_get_drvdata(drm_dev->dev); + struct exynos_drm_private *priv =3D drm_dev->dev_private; + struct device *dev =3D priv ? priv->vidi_dev : NULL; + struct vidi_context *ctx =3D dev ? dev_get_drvdata(dev) : NULL; struct drm_exynos_vidi_connection *vidi =3D data; =20 + if (!ctx) + return -ENODEV; + if (!vidi) { DRM_DEV_DEBUG_KMS(ctx->dev, "user data for vidi is null.\n"); @@ -371,6 +376,7 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) { struct vidi_context *ctx =3D dev_get_drvdata(dev); struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; struct drm_encoder *encoder =3D &ctx->encoder; struct exynos_drm_plane *exynos_plane; struct exynos_drm_plane_config plane_config =3D { 0 }; @@ -378,6 +384,8 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) int ret; =20 ctx->drm_dev =3D drm_dev; + if (priv) + priv->vidi_dev =3D dev; =20 plane_config.pixel_formats =3D formats; plane_config.num_pixel_formats =3D ARRAY_SIZE(formats); 
@@ -423,8 +431,12 @@ static int vidi_bind(struct device *dev, struct device= *master, void *data) static void vidi_unbind(struct device *dev, struct device *master, void *d= ata) { struct vidi_context *ctx =3D dev_get_drvdata(dev); + struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; =20 timer_delete_sync(&ctx->timer); + if (priv) + priv->vidi_dev =3D NULL; } =20 static const struct component_ops vidi_component_ops =3D { -- 
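Review bot: In the vidi_connection_ioctl() hunk, priv->vidi_dev is read with a plain load and no lock, while vidi_unbind() in this same patch clears it with a plain store, so nothing visible here stops unbind from running between the "dev ? dev_get_drvdata(dev) : NULL" lookup and the later uses of ctx. The new NULL check handles the wrong-device case described in the commit message but not the lifetime of ctx; consider holding a lock shared with bind/unbind across the lookup and the use of ctx, or state in the commit message what already serialises this ioctl against component unbind.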
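Review bot: In the vidi_bind() hunk, "priv->vidi_dev = dev" is assigned immediately after "ctx->drm_dev = drm_dev", ahead of the plane configuration that follows, and the function carries an "int ret", so a failure later in bind would leave the pointer published for the ioctl to find. Move the assignment to just before the successful return, or clear it on the error path. The "if (priv)" guards added in bind and unbind also need a comment saying when drm_dev->dev_private can be NULL at these points; if it cannot, drop them.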
From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.19.y 6.18.y 2/2] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Fri, 20 Feb 2026 12:35:50 +0900
Message-Id: <20260220033550.124346-3-aha310510@gmail.com>
In-Reply-To: <20260220033550.124346-1-aha310510@gmail.com>
References: <20260220033550.124346-1-aha310510@gmail.com>

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid (user pointer) is directly dereferenced in the kernel.

This allows arbitrary kernel memory access from the user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 1fe297d512e7..601406b640c7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c 
@@ -251,13 +251,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { const struct drm_edid *drm_edid; - const struct edid *raw_edid; + const void __user *edid_userptr =3D u64_to_user_ptr(vidi->edid); + void *edid_buf; + struct edid hdr; size_t size; =20 - raw_edid =3D (const struct edid *)(unsigned long)vidi->edid; - size =3D (raw_edid->extensions + 1) * EDID_LENGTH; + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) + return -EFAULT; =20 - drm_edid =3D drm_edid_alloc(raw_edid, size); + size =3D (hdr.extensions + 1) * EDID_LENGTH; + + edid_buf =3D kmalloc(size, GFP_KERNEL); + if (!edid_buf) + return -ENOMEM; + + if (copy_from_user(edid_buf, edid_userptr, size)) { + kfree(edid_buf); + return -EFAULT; + } + + drm_edid =3D drm_edid_alloc(edid_buf, size); + kfree(edid_buf); if (!drm_edid) return -ENOMEM; =20 --
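Review bot: In the "if (vidi->connection)" branch the EDID header is fetched from user space twice: hdr.extensions sizes the allocation, then the second copy_from_user(edid_buf, edid_userptr, size) reads the same header again, so the extensions byte that ends up inside edid_buf can differ from the one that determined size if user space changes it between the two copies. drm_edid_alloc() is passed size explicitly, but the buffer it duplicates may then claim more extension blocks than it holds; either copy hdr into edid_buf with memcpy() and fetch only the remaining bytes from user space, or compare the extensions field in edid_buf against hdr.extensions after the second copy and return -EINVAL on a mismatch. The kmalloc() plus copy_from_user() plus kfree()-on-error sequence can also be collapsed into memdup_user(edid_userptr, size).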