From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.12.y 2/3] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Fri, 27 Feb 2026 12:26:14 +0900
Message-Id: <20260227032615.108139-3-aha310510@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260227032615.108139-1-aha310510@gmail.com>
References: <20260227032615.108139-1-aha310510@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid(user pointer) is directly
dereferenced in the kernel.

This allows arbitrary kernel memory access from the user space, so instead
of directly accessing the user pointer in the kernel, we should modify it
to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 1fe297d512e7..601406b640c7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -251,13 +251,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { const struct drm_edid *drm_edid; - const struct edid *raw_edid; + const void __user *edid_userptr =3D u64_to_user_ptr(vidi->edid); + void *edid_buf; + struct edid hdr; size_t size; =20 - raw_edid =3D (const struct edid *)(unsigned long)vidi->edid; - size =3D (raw_edid->extensions + 1) * EDID_LENGTH; + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) + return -EFAULT; =20 - drm_edid =3D drm_edid_alloc(raw_edid, size); + size =3D (hdr.extensions + 1) * EDID_LENGTH; + + edid_buf =3D kmalloc(size, GFP_KERNEL); + if (!edid_buf) + return -ENOMEM; + + if (copy_from_user(edid_buf, edid_userptr, size)) { + kfree(edid_buf); + return -EFAULT; + } + + drm_edid =3D drm_edid_alloc(edid_buf, size); + kfree(edid_buf); if (!drm_edid) return -ENOMEM; =20 --
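
Review bot: in the vidi->connection branch the user buffer is fetched twice, so the extensions byte that lands in edid_buf from the second copy_from_user() is not guaranteed to equal the hdr.extensions value that was used to compute size. User space can rewrite that byte between the two copies, which leaves drm_edid_alloc(edid_buf, size) holding a blob whose own extension count may describe more blocks than the size bytes actually copied. Consider pinning the header after the second copy, either by copying hdr over the start of edid_buf or by comparing the extensions field in edid_buf against hdr.extensions and returning -EINVAL on mismatch, so that the length and the contents come from a single consistent snapshot. As a smaller point, the kmalloc(size, GFP_KERNEL) plus copy_from_user(edid_buf, edid_userptr, size) plus kfree-on-error sequence could be collapsed into memdup_user(edid_userptr, size) with an IS_ERR() check, which removes one error path.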