From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.19.y 6.18.y 2/2] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Fri, 20 Feb 2026 12:35:50 +0900
Message-Id: <20260220033550.124346-3-aha310510@gmail.com>
In-Reply-To: <20260220033550.124346-1-aha310510@gmail.com>
References: <20260220033550.124346-1-aha310510@gmail.com>

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid(user pointer) is directly
dereferenced in the kernel.

This allows arbitrary kernel memory access from the user space, so instead
of directly accessing the user pointer in the kernel, we should modify it
to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 1fe297d512e7..601406b640c7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -251,13 +251,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { const struct drm_edid *drm_edid; - const struct edid *raw_edid; + const void __user *edid_userptr =3D u64_to_user_ptr(vidi->edid); + void *edid_buf; + struct edid hdr; size_t size; =20 - raw_edid =3D (const struct edid *)(unsigned long)vidi->edid; - size =3D (raw_edid->extensions + 1) * EDID_LENGTH; + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) + return -EFAULT; =20 - drm_edid =3D drm_edid_alloc(raw_edid, size); + size =3D (hdr.extensions + 1) * EDID_LENGTH; + + edid_buf =3D kmalloc(size, GFP_KERNEL); + if (!edid_buf) + return -ENOMEM; + + if (copy_from_user(edid_buf, edid_userptr, size)) { + kfree(edid_buf); + return -EFAULT; + } + + drm_edid =3D drm_edid_alloc(edid_buf, size); + kfree(edid_buf); if (!drm_edid) return -ENOMEM; =20 --
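
Review bot: The extension count is read from user memory twice in this hunk: copy_from_user(&hdr, ...) supplies hdr.extensions for the size calculation, and the second copy_from_user(edid_buf, edid_userptr, size) fetches the same header bytes again, so the extensions byte that ends up in edid_buf can differ from the one size was derived from if user space rewrites the buffer between the two calls. Since drm_edid_alloc(edid_buf, size) is handed that second copy, consider either overwriting the first sizeof(hdr) bytes of edid_buf with hdr after the full copy, or returning -EINVAL when the copied extensions value no longer matches hdr.extensions. Separately, the kmalloc(), copy_from_user() and kfree()-on-error sequence could be a single memdup_user(edid_userptr, size) with an IS_ERR() check, which removes one error path.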