From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.12.y 1/3] drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
Date: Fri, 27 Feb 2026 12:26:13 +0900
Message-Id: <20260227032615.108139-2-aha310510@gmail.com>
In-Reply-To: <20260227032615.108139-1-aha310510@gmail.com>

[ Upstream commit d3968a0d85b211e197f2f4f06268a7031079e0d0 ]

vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device.

This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more.

To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_drv.h  |  1 +
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.h b/drivers/gpu/drm/exyn= os/exynos_drm_drv.h index 23646e55f142..06c29ff2aac0 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_drv.h +++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h @@ -199,6 +199,7 @@ struct drm_exynos_file_private { struct exynos_drm_private { struct device *g2d_dev; struct device *dma_dev; + struct device *vidi_dev; void *mapping; =20 /* for atomic commit */ diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 6de0cced6c9d..b31eefb3a8b1 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -223,9 +223,14 @@ ATTRIBUTE_GROUPS(vidi); int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, struct drm_file *file_priv) { - struct vidi_context *ctx =3D dev_get_drvdata(drm_dev->dev); + struct exynos_drm_private *priv =3D drm_dev->dev_private; + struct device *dev =3D priv ? priv->vidi_dev : NULL; + struct vidi_context *ctx =3D dev ? dev_get_drvdata(dev) : NULL; struct drm_exynos_vidi_connection *vidi =3D data; =20 + if (!ctx) + return -ENODEV; + if (!vidi) { DRM_DEV_DEBUG_KMS(ctx->dev, "user data for vidi is null.\n"); @@ -374,6 +379,7 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) { struct vidi_context *ctx =3D dev_get_drvdata(dev); struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; struct drm_encoder *encoder =3D &ctx->encoder; struct exynos_drm_plane *exynos_plane; struct exynos_drm_plane_config plane_config =3D { 0 }; @@ -381,6 +387,8 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) int ret; =20 ctx->drm_dev =3D drm_dev; + if (priv) + priv->vidi_dev =3D dev; =20 plane_config.pixel_formats =3D formats; plane_config.num_pixel_formats =3D ARRAY_SIZE(formats); 
@@ -426,8 +434,12 @@ static int vidi_bind(struct device *dev, struct device= *master, void *data) static void vidi_unbind(struct device *dev, struct device *master, void *d= ata) { struct vidi_context *ctx =3D dev_get_drvdata(dev); + struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; =20 del_timer_sync(&ctx->timer); + if (priv) + priv->vidi_dev =3D NULL; } =20 static const struct component_ops vidi_component_ops =3D { --
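Review bot: the exynos_drm_drv.h hunk adds `struct device *vidi_dev;` next to g2d_dev and dma_dev with no comment, and nothing in that header says who owns the pointer; a one-line comment stating that it is the vidi component device, set by vidi_bind() and cleared by vidi_unbind(), would save readers of the ioctl from having to find both sites to learn its lifetime.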
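Review bot: in the vidi_connection_ioctl() hunk the read of priv->vidi_dev is not ordered against the NULL store in vidi_unbind(), so the commit message should state what guarantees no ioctl is in flight when the component unbinds (for example that the DRM device is unregistered before the components are unbound); without that guarantee an ioctl that loaded `dev` just before unbind clears it still calls dev_get_drvdata() on a context that is being torn down. Placing `if (!ctx) return -ENODEV;` before the `if (!vidi)` branch is right, because that branch's DRM_DEV_DEBUG_KMS(ctx->dev, ...) would otherwise dereference a NULL ctx.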
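Review bot: in the second vidi_bind() hunk `priv->vidi_dev = dev;` is stored right after `ctx->drm_dev = drm_dev;`, before the plane and encoder setup that follows, and the `int ret;` in the same context shows the function has failure returns; when bind fails the component framework does not call vidi_unbind() for it, so the pointer stays set and the ioctl would resolve a half-initialised context. Either move the assignment after setup has succeeded, or clear priv->vidi_dev on the error path.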
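Review bot: the vidi_unbind() hunk null-checks `priv` but obtains it by dereferencing `drm_dev` (from `data`) unconditionally, and vidi_bind() does the same, so the two `if (priv)` guards read as inconsistent rather than protective; either drop them or note where dev_private can legitimately be NULL while a component is bound or unbound. Clearing the pointer after del_timer_sync() is fine since only the ioctl path consumes it.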
From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.12.y 2/3] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Fri, 27 Feb 2026 12:26:14 +0900
Message-Id: <20260227032615.108139-3-aha310510@gmail.com>
In-Reply-To: <20260227032615.108139-1-aha310510@gmail.com>

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid (a user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy the edid to kernel memory using copy_from_user() and use that copy.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 1fe297d512e7..601406b640c7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -251,13 +251,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { const struct drm_edid *drm_edid; - const struct edid *raw_edid; + const void __user *edid_userptr =3D u64_to_user_ptr(vidi->edid); + void *edid_buf; + struct edid hdr; size_t size; =20 - raw_edid =3D (const struct edid *)(unsigned long)vidi->edid; - size =3D (raw_edid->extensions + 1) * EDID_LENGTH; + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) + return -EFAULT; =20 - drm_edid =3D drm_edid_alloc(raw_edid, size); + size =3D (hdr.extensions + 1) * EDID_LENGTH; + + edid_buf =3D kmalloc(size, GFP_KERNEL); + if (!edid_buf) + return -ENOMEM; + + if (copy_from_user(edid_buf, edid_userptr, size)) { + kfree(edid_buf); + return -EFAULT; + } + + drm_edid =3D drm_edid_alloc(edid_buf, size); + kfree(edid_buf); if (!drm_edid) return -ENOMEM; =20 --
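Review bot: in the vidi_connection_ioctl() hunk the kmalloc() + copy_from_user() + kfree()-on-failure sequence is exactly what memdup_user() provides, so `edid_buf = memdup_user(edid_userptr, size); if (IS_ERR(edid_buf)) return PTR_ERR(edid_buf);` would shorten the hunk and drop one error path. Separately, `hdr.extensions` is read from user memory and the whole block is then copied a second time, so a concurrent writer can change the extensions byte between the two copies; that is harmless because `size` is fixed from the first read (and bounded, since `extensions` is a u8) and the ioctl validates the resulting drm_edid afterwards (the "edid data is invalid" path visible in the context of patch 3/3), but a short comment saying so would spare the next reader the analysis. Freeing edid_buf immediately after drm_edid_alloc() is correct because drm_edid_alloc() copies the data.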
From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.12.y 3/3] drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Date: Fri, 27 Feb 2026 12:26:15 +0900
Message-Id: <20260227032615.108139-4-aha310510@gmail.com>
In-Reply-To: <20260227032615.108139-1-aha310510@gmail.com>

[ Upstream commit 52b330799e2d6f825ae2bb74662ec1b10eb954bb ]

The Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problems. For example, a use-after-free can occur in a race scenario like this:

```
CPU0                                          CPU1                                                CPU2
----                                          ----                                                ----
vidi_connection_ioctl()
  if (vidi->connection) // true
    drm_edid = drm_edid_alloc(); // alloc drm_edid
    ...
    ctx->raw_edid = drm_edid;
    ...
                                              drm_mode_getconnector()
                                                drm_helper_probe_single_connector_modes()
                                                  vidi_get_modes()
                                                    if (ctx->raw_edid) // true
                                                      drm_edid_dup(ctx->raw_edid);
                                                        if (!drm_edid) // false
                                                        ...
                                                                                                  vidi_connection_ioctl()
                                                                                                    if (vidi->connection) // false
                                                                                                      drm_edid_free(ctx->raw_edid); // free drm_edid
                                                                                                      ...
                                                        drm_edid_alloc(drm_edid->edid)
                                                          kmemdup(edid); // UAF!!
                                                          ...
```

To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock.

Cc:
Fixes: b73d12303ecf ("drm/exynos: added virtual display driver.")
Signed-off-by: Jeongjun Park --- drivers/gpu/drm/exynos/exynos_drm_vidi.c | 38 ++++++++++++++++++++---- 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 1f9d8873a63a..151a1b43c20c 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -186,29 +186,37 @@ static ssize_t vidi_store_connection(struct device *d= ev, const char *buf, size_t len) { struct vidi_context *ctx =3D dev_get_drvdata(dev); - int ret; + int ret, new_connected; =20 - ret =3D kstrtoint(buf, 0, &ctx->connected); + ret =3D kstrtoint(buf, 0, &new_connected); if (ret) return ret; - - if (ctx->connected > 1) + if (new_connected > 1) return -EINVAL; =20 + mutex_lock(&ctx->lock); + /* * Use fake edid data for test. If raw_edid is set then it can't be * tested. */ if (ctx->raw_edid) { DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n"); - return -EINVAL; + ret =3D -EINVAL; + goto fail; } =20 + ctx->connected =3D new_connected; + mutex_unlock(&ctx->lock); + DRM_DEV_DEBUG_KMS(dev, "requested connection.\n"); =20 drm_helper_hpd_irq_event(ctx->drm_dev); =20 return len; +fail: + mutex_unlock(&ctx->lock); + return ret; } =20 static DEVICE_ATTR(connection, 0644, vidi_show_connection, @@ -243,11 +251,14 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, return -EINVAL; } =20 + mutex_lock(&ctx->lock); if (ctx->connected =3D=3D vidi->connection) { + mutex_unlock(&ctx->lock); DRM_DEV_DEBUG_KMS(ctx->dev, "same connection request.\n"); return -EINVAL; } + mutex_unlock(&ctx->lock); =20 if (vidi->connection) { const struct drm_edid *drm_edid; 
@@ -281,14 +292,21 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, "edid data is invalid.\n"); return -EINVAL; } + mutex_lock(&ctx->lock); ctx->raw_edid =3D drm_edid; + mutex_unlock(&ctx->lock); } else { /* with connection =3D 0, free raw_edid */ + mutex_lock(&ctx->lock); drm_edid_free(ctx->raw_edid); ctx->raw_edid =3D NULL; + mutex_unlock(&ctx->lock); } =20 + mutex_lock(&ctx->lock); ctx->connected =3D vidi->connection; + mutex_unlock(&ctx->lock); + drm_helper_hpd_irq_event(ctx->drm_dev); =20 return 0; @@ -303,7 +321,7 @@ static enum drm_connector_status vidi_detect(struct drm= _connector *connector, * connection request would come from user side * to do hotplug through specific ioctl. */ - return ctx->connected ? connector_status_connected : + return READ_ONCE(ctx->connected) ? connector_status_connected : connector_status_disconnected; } =20 @@ -326,11 +344,15 @@ static int vidi_get_modes(struct drm_connector *conne= ctor) const struct drm_edid *drm_edid; int count; =20 + mutex_lock(&ctx->lock); + if (ctx->raw_edid) drm_edid =3D drm_edid_dup(ctx->raw_edid); else drm_edid =3D drm_edid_alloc(fake_edid_info, sizeof(fake_edid_info)); =20 + mutex_unlock(&ctx->lock); + if (!drm_edid) return 0; =20 @@ -485,9 +507,13 @@ static void vidi_remove(struct platform_device *pdev) { struct vidi_context *ctx =3D platform_get_drvdata(pdev); =20 + mutex_lock(&ctx->lock); + drm_edid_free(ctx->raw_edid); ctx->raw_edid =3D NULL; =20 + mutex_unlock(&ctx->lock); + component_del(&pdev->dev, &vidi_component_ops); } =20 --
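Review bot: in the vidi_store_connection() hunk `new_connected` is a signed int filled by kstrtoint(), so `if (new_connected > 1) return -EINVAL;` still lets negative values through, and they are then stored into ctx->connected under the lock; since the field is only meant to hold 0 or 1, parse with kstrtouint() (or kstrtobool()) or also reject `new_connected < 0`. Dropping the lock before drm_helper_hpd_irq_event(), which re-enters the connector callbacks, is the right ordering.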
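Review bot: in the first vidi_connection_ioctl() hunk the mutex is released immediately after the `ctx->connected == vidi->connection` comparison and only re-taken later around the individual updates, so the check and the update are not atomic: two concurrent ioctls requesting connection=1 both pass the comparison, both allocate a drm_edid, and the second store to ctx->raw_edid leaks the first. Hold ctx->lock from this comparison through the raw_edid/connected updates, or re-check `ctx->connected` under the lock right before assigning.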
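Review bot: in the second vidi_connection_ioctl() hunk the raw_edid update and the `ctx->connected = vidi->connection;` store sit in separate lock/unlock pairs, which leaves a window where vidi_get_modes() observes raw_edid already freed and NULL while connected is still 1 (it then serves fake_edid_info); merging both stores into one critical section removes that intermediate state and two of the lock/unlock pairs in this function.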
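Review bot: the vidi_detect() hunk switches the read to READ_ONCE(ctx->connected) while the writers in vidi_store_connection() and vidi_connection_ioctl() still use plain stores (`ctx->connected = new_connected;` and `ctx->connected = vidi->connection;`); the mutex orders the writers against each other but not against this lockless reader, so the stores should become WRITE_ONCE() to pair with it, or the existing comment above the return should say why a stale read is acceptable here.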