From nobody Tue Apr 7 17:12:33 2026
From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.6.y 1/3] drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
Date: Fri, 27 Feb 2026 13:59:51 +0900
Message-Id: <20260227045953.165751-2-aha310510@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260227045953.165751-1-aha310510@gmail.com>
References: <20260227045953.165751-1-aha310510@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

[ Upstream commit d3968a0d85b211e197f2f4f06268a7031079e0d0 ]

vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device.

This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more.

To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_drv.h  |  1 +
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.h b/drivers/gpu/drm/exyn= os/exynos_drm_drv.h index 23646e55f142..06c29ff2aac0 100644 
--- a/drivers/gpu/drm/exynos/exynos_drm_drv.h +++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h @@ -199,6 +199,7 @@ struct drm_exynos_file_private { struct exynos_drm_private { struct device *g2d_dev; struct device *dma_dev; + struct device *vidi_dev; void *mapping; =20 /* for atomic commit */ diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 6de0cced6c9d..b31eefb3a8b1 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -223,9 +223,14 @@ ATTRIBUTE_GROUPS(vidi); int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, struct drm_file *file_priv) { - struct vidi_context *ctx =3D dev_get_drvdata(drm_dev->dev); + struct exynos_drm_private *priv =3D drm_dev->dev_private; + struct device *dev =3D priv ? priv->vidi_dev : NULL; + struct vidi_context *ctx =3D dev ? dev_get_drvdata(dev) : NULL; struct drm_exynos_vidi_connection *vidi =3D data; =20 + if (!ctx) + return -ENODEV; + if (!vidi) { DRM_DEV_DEBUG_KMS(ctx->dev, "user data for vidi is null.\n"); @@ -374,6 +379,7 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) { struct vidi_context *ctx =3D dev_get_drvdata(dev); struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; struct drm_encoder *encoder =3D &ctx->encoder; struct exynos_drm_plane *exynos_plane; struct exynos_drm_plane_config plane_config =3D { 0 }; @@ -381,6 +387,8 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) int ret; =20 ctx->drm_dev =3D drm_dev; + if (priv) + priv->vidi_dev =3D dev; =20 plane_config.pixel_formats =3D formats; plane_config.num_pixel_formats =3D ARRAY_SIZE(formats); 
@@ -426,8 +434,12 @@ static int vidi_bind(struct device *dev, struct device= *master, void *data) static void vidi_unbind(struct device *dev, struct device *master, void *d= ata) { struct vidi_context *ctx =3D dev_get_drvdata(dev); + struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; =20 del_timer_sync(&ctx->timer); + if (priv) + priv->vidi_dev =3D NULL; } =20 static const struct component_ops vidi_component_ops =3D { -- 
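Review bot: in the vidi_connection_ioctl() hunk, the load `priv ? priv->vidi_dev : NULL` is a plain read of a field that vidi_unbind() clears with a plain store later in this patch, with no lock, no READ_ONCE()/WRITE_ONCE() pair and no drm_dev_enter()/drm_dev_exit() on either side, so an ioctl racing with unbind can still pick up the device pointer and call dev_get_drvdata() on a context that is being torn down. Putting `if (!ctx) return -ENODEV;` before the `if (!vidi)` check is right, since that branch logs through ctx->dev, but a NULL `priv` and a NULL `priv->vidi_dev` both collapse into the same -ENODEV; the former means the exynos master never set drm_dev->dev_private, which deserves a WARN_ON_ONCE() rather than the same silent return as "vidi not bound".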
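Review bot: in the vidi_bind() hunk, `priv->vidi_dev = dev` is published right after `ctx->drm_dev = drm_dev`, before the planes, CRTC and encoder are set up, and the `int ret;` in the context shows that later steps can still fail; on a failed bind vidi_unbind() is never called, so the field keeps pointing at a device whose context was not fully initialised. Set it as the last step of a successful bind, or clear it on the error paths.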
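Review bot: in the vidi_unbind() hunk, `priv->vidi_dev = NULL` happens after del_timer_sync() and with nothing ordering it against the read in vidi_connection_ioctl(); clear it first, so an ioctl that arrives during teardown fails with -ENODEV before the rest of the context goes away, and make it a WRITE_ONCE() with a matching READ_ONCE() in the ioctl (or take a lock shared with the ioctl path). Minor: `drm_dev->dev_private` is dereferenced unconditionally here while the resulting `priv` is then NULL-checked; either trust `data` and drop the guard or guard consistently.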
From nobody Tue Apr 7 17:12:33 2026
From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.6.y 2/3] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Fri, 27 Feb 2026 13:59:52 +0900
Message-Id: <20260227045953.165751-3-aha310510@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260227045953.165751-1-aha310510@gmail.com>
References: <20260227045953.165751-1-aha310510@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid (user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from the user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c
index d0e394397eca..576d79ebe9a8 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -252,19 +252,26 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { struct edid *raw_edid; + struct edid edid_buf; + void *edid_userptr =3D u64_to_user_ptr(vidi->edid); =20 - raw_edid =3D (struct edid *)(unsigned long)vidi->edid; - if (!drm_edid_is_valid(raw_edid)) { + if (copy_from_user(&edid_buf, edid_userptr, sizeof(struct edid))) + return -EFAULT; + + if (!drm_edid_is_valid(&edid_buf)) { DRM_DEV_DEBUG_KMS(ctx->dev, "edid data is invalid.\n"); return -EINVAL; } - ctx->raw_edid =3D drm_edid_duplicate(raw_edid); - if (!ctx->raw_edid) { + + raw_edid =3D drm_edid_duplicate(&edid_buf); + + if (!raw_edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "failed to allocate raw_edid.\n"); return -ENOMEM; } + ctx->raw_edid =3D raw_edid; } else { /* * with connection =3D 0, free raw_edid -- 
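Review bot: `copy_from_user(&edid_buf, edid_userptr, sizeof(struct edid))` copies exactly one 128-byte block, but both `drm_edid_is_valid(&edid_buf)` and `drm_edid_duplicate(&edid_buf)` size their work from the `extensions` byte of that block (the driver itself does the same in vidi_get_modes(): `edid_len = (1 + ctx->raw_edid->extensions) * EDID_LENGTH`), so a user-supplied base block with a non-zero extension count makes both helpers read past the end of the on-stack `edid_buf`: the validity check walks into the caller's stack frame, and if those bytes happen to checksum, drm_edid_duplicate() copies them into the kernel EDID that drm_connector_update_edid_property() later exposes to user space. Either reject `edid_buf.extensions != 0` with -EINVAL, or copy the base block, compute `(1 + edid_buf.extensions) * EDID_LENGTH`, allocate that much and copy_from_user() the whole blob before validating it; the second read must re-check the base block (at least the `extensions` byte), because user memory can change between the two copies.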
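The two-stage copy the description calls for, as an added example that is not part of this patch or of the exynos driver: a user-space model in C in which `struct user_mem`, `fake_copy_from_user()`, `make_sample_edid()` and `demo()` are constructed stand-ins (the real driver uses copy_from_user() and the DRM core's drm_edid_is_valid()/drm_edid_duplicate()). It goes beyond the single-block copy in the hunk and sizes the copy from the base block's extension count, the same way the driver's own vidi_get_modes() computes the EDID length, and it guards the second read against the user changing the buffer between the two copies.

```c
/*
 * Added example, not code from the patch series. An EDID is a 128-byte base
 * block whose byte 126 says how many 128-byte extension blocks follow, so
 * the copy has to be sized from that byte, not from sizeof(struct edid).
 * fake_copy_from_user() stands in for the kernel helper: the "user mapping"
 * is a constructed byte array and any read outside it is a fault.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EDID_LENGTH 128

/* Constructed stand-in for a user mapping: only [base, base + len) is readable. */
struct user_mem {
    const uint8_t *base;
    size_t len;
};

static const uint8_t edid_header[8] = { 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00 };

/* Stand-in for copy_from_user(): reports failure instead of faulting on an unmapped read. */
static bool fake_copy_from_user(void *dst, const struct user_mem *um, size_t off, size_t n)
{
    if (off > um->len || n > um->len - off)
        return false;
    memcpy(dst, um->base + off, n);
    return true;
}

/* The rule every EDID block obeys: its 128 bytes sum to 0 mod 256. */
static bool edid_block_checksum_ok(const uint8_t *blk)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < EDID_LENGTH; i++)
        sum += blk[i];
    return sum == 0;
}

/*
 * Copy an EDID blob out of "user space" in two stages. On success *out is a
 * malloc'd buffer of (1 + extensions) * EDID_LENGTH bytes with every block
 * checksummed; returns that length, or -EFAULT / -EINVAL / -ENOMEM.
 */
long edid_copy_from_user(const struct user_mem *um, size_t uoff, uint8_t **out)
{
    uint8_t base[EDID_LENGTH];
    uint8_t *buf;
    size_t total;

    *out = NULL;

    /* Stage 1: the base block alone, validated before its size field is trusted. */
    if (!fake_copy_from_user(base, um, uoff, EDID_LENGTH))
        return -EFAULT;
    if (memcmp(base, edid_header, sizeof(edid_header)) != 0 || !edid_block_checksum_ok(base))
        return -EINVAL;

    /* Stage 2: the whole blob, sized from the validated extension count (byte 126). */
    total = (1 + (size_t)base[126]) * EDID_LENGTH;
    buf = malloc(total);
    if (!buf)
        return -ENOMEM;
    if (!fake_copy_from_user(buf, um, uoff, total)) {
        free(buf);
        return -EFAULT;   /* the declared extensions are not actually mapped */
    }

    /* Double-fetch guard: user memory may change between the two copies, so the
     * base block must still match what was validated; then checksum each extension. */
    if (memcmp(buf, base, EDID_LENGTH) != 0) {
        free(buf);
        return -EINVAL;
    }
    for (size_t b = 1; b <= base[126]; b++) {
        if (!edid_block_checksum_ok(buf + b * EDID_LENGTH)) {
            free(buf);
            return -EINVAL;
        }
    }
    *out = buf;
    return (long)total;
}

/* Constructed sample: a valid base block followed by `extensions` CEA-861 blocks. */
void make_sample_edid(uint8_t *blob, unsigned int extensions)
{
    memset(blob, 0, (size_t)(1 + extensions) * EDID_LENGTH);
    memcpy(blob, edid_header, sizeof(edid_header));
    blob[126] = (uint8_t)extensions;
    for (unsigned int b = 0; b <= extensions; b++) {
        uint8_t *blk = blob + (size_t)b * EDID_LENGTH;
        uint8_t sum = 0;
        if (b)
            blk[0] = 0x02;   /* CEA-861 extension tag */
        for (size_t i = 0; i < EDID_LENGTH - 1; i++)
            sum += blk[i];
        blk[EDID_LENGTH - 1] = (uint8_t)(0u - sum);
    }
}

/*
 * Scenario runner: a two-block sample EDID of which only `mapped` bytes are
 * readable; `corrupt` flips a byte in the base block. mapped == EDID_LENGTH is
 * the case a fixed sizeof(struct edid) copy gets wrong: the base block is fine
 * but the extension it declares is not there to read.
 */
long demo(size_t mapped, bool corrupt)
{
    uint8_t blob[2 * EDID_LENGTH];
    struct user_mem um = { blob, mapped };
    uint8_t *out = NULL;
    long ret;

    make_sample_edid(blob, 1);
    if (corrupt)
        blob[10] ^= 1;
    ret = edid_copy_from_user(&um, 0, &out);
    if (ret > 0 && memcmp(out, blob, (size_t)ret) != 0)
        ret = -EIO;   /* copied bytes must match the source */
    free(out);
    return ret;
}
```

With the whole two-block sample mapped, `demo(2 * EDID_LENGTH, false)` returns 256; with only the first 128 bytes mapped it returns -EFAULT, because the validated base block declares an extension that cannot be read, which is exactly the read a single-block copy followed by an extension walk would perform blindly; with a flipped byte in the base block it returns -EINVAL from the checksum. The memcmp() of the base block after the second copy is what turns a double fetch from user memory into a checked one.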
From nobody Tue Apr 7 17:12:33 2026
From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.6.y 3/3] drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Date: Fri, 27 Feb 2026 13:59:53 +0900
Message-Id: <20260227045953.165751-4-aha310510@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260227045953.165751-1-aha310510@gmail.com>
References: <20260227045953.165751-1-aha310510@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

[ Upstream commit 52b330799e2d6f825ae2bb74662ec1b10eb954bb ]

Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problems. For example, use-after-free can occur in a race scenario like this:

```
CPU0                                     CPU1                                                CPU2
----                                     ----                                                ----
vidi_connection_ioctl()
  if (vidi->connection) // true
    drm_edid = drm_edid_alloc(); // alloc drm_edid
    ...
    ctx->raw_edid = drm_edid;
    ...
                                         drm_mode_getconnector()
                                           drm_helper_probe_single_connector_modes()
                                             vidi_get_modes()
                                               if (ctx->raw_edid) // true
                                                 drm_edid_dup(ctx->raw_edid);
                                                   if (!drm_edid) // false
                                                   ...
                                                                                             vidi_connection_ioctl()
                                                                                               if (vidi->connection) // false
                                                                                                 drm_edid_free(ctx->raw_edid); // free drm_edid
                                                                                                 ...
                                                   drm_edid_alloc(drm_edid->edid)
                                                     kmemdup(edid); // UAF!!
                                                     ...
```

To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock.

Cc:
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 43 +++++++++++++++++++-----
 1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 576d79ebe9a8..b7eae2469b31 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -186,15 +186,17 @@ static ssize_t vidi_store_connection(struct device *d= ev, const char *buf, size_t len) { struct vidi_context *ctx =3D dev_get_drvdata(dev); - int ret; + int ret, new_connected; =20 - ret =3D kstrtoint(buf, 0, &ctx->connected); + ret =3D kstrtoint(buf, 0, &new_connected); if (ret) return ret; =20 - if (ctx->connected > 1) + if (new_connected > 1) return -EINVAL; =20 + mutex_lock(&ctx->lock); + /* use fake edid data for test. */ if (!ctx->raw_edid) ctx->raw_edid =3D (struct edid *)fake_edid_info; @@ -202,14 +204,21 @@ static ssize_t vidi_store_connection(struct device *d= ev, /* if raw_edid isn't same as fake data then it can't be tested. */ if (ctx->raw_edid !=3D (struct edid *)fake_edid_info) { DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n"); - return -EINVAL; + ret =3D -EINVAL; + goto fail; } =20 + ctx->connected =3D new_connected; + mutex_unlock(&ctx->lock); + DRM_DEV_DEBUG_KMS(dev, "requested connection.\n"); =20 drm_helper_hpd_irq_event(ctx->drm_dev); =20 return len; +fail: + mutex_unlock(&ctx->lock); + return ret; } =20 static DEVICE_ATTR(connection, 0644, vidi_show_connection, @@ -244,11 +253,14 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, return -EINVAL; } =20 + mutex_lock(&ctx->lock); if (ctx->connected =3D=3D vidi->connection) { + mutex_unlock(&ctx->lock); DRM_DEV_DEBUG_KMS(ctx->dev, "same connection request.\n"); return -EINVAL; } + mutex_unlock(&ctx->lock); =20 if (vidi->connection) { struct edid *raw_edid; 
@@ -271,20 +283,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, "failed to allocate raw_edid.\n"); return -ENOMEM; } + mutex_lock(&ctx->lock); ctx->raw_edid =3D raw_edid; + mutex_unlock(&ctx->lock); } else { /* * with connection =3D 0, free raw_edid * only if raw edid data isn't same as fake data. */ + mutex_lock(&ctx->lock); if (ctx->raw_edid && ctx->raw_edid !=3D (struct edid *)fake_edid_info) { kfree(ctx->raw_edid); ctx->raw_edid =3D NULL; } + mutex_unlock(&ctx->lock); } =20 + mutex_lock(&ctx->lock); ctx->connected =3D vidi->connection; + mutex_unlock(&ctx->lock); + drm_helper_hpd_irq_event(ctx->drm_dev); =20 return 0; @@ -299,7 +318,7 @@ static enum drm_connector_status vidi_detect(struct drm= _connector *connector, * connection request would come from user side * to do hotplug through specific ioctl. */ - return ctx->connected ? connector_status_connected : + return READ_ONCE(ctx->connected) ? connector_status_connected : connector_status_disconnected; } =20 @@ -321,22 +340,24 @@ static int vidi_get_modes(struct drm_connector *conne= ctor) struct vidi_context *ctx =3D ctx_from_connector(connector); struct edid *edid; int edid_len; - int count; + int count =3D 0; =20 /* * the edid data comes from user side and it would be set * to ctx->raw_edid through specific ioctl. */ + + mutex_lock(&ctx->lock); if (!ctx->raw_edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "raw_edid is null.\n"); - return 0; + goto fail; } =20 edid_len =3D (1 + ctx->raw_edid->extensions) * EDID_LENGTH; edid =3D kmemdup(ctx->raw_edid, edid_len, GFP_KERNEL); if (!edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "failed to allocate edid\n"); - return 0; + goto fail; } =20 drm_connector_update_edid_property(connector, edid); @@ -345,6 +366,8 @@ static int vidi_get_modes(struct drm_connector *connect= or) =20 kfree(edid); =20 +fail: + mutex_unlock(&ctx->lock); return count; } =20 
@@ -490,11 +513,15 @@ static int vidi_remove(struct platform_device *pdev) { struct vidi_context *ctx =3D platform_get_drvdata(pdev); =20 + mutex_lock(&ctx->lock); + if (ctx->raw_edid !=3D (struct edid *)fake_edid_info) { kfree(ctx->raw_edid); ctx->raw_edid =3D NULL; } =20 + mutex_unlock(&ctx->lock); + component_del(&pdev->dev, &vidi_component_ops); =20 return 0; --
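Review bot: in the vidi_store_connection() hunk, parsing into `new_connected` so that ctx->connected only changes under the lock is the right shape, but `if (new_connected > 1) return -EINVAL;` still lets negative values from kstrtoint() through; since the line is being touched, reject anything other than 0 or 1 (`if (new_connected < 0 || new_connected > 1)`). The store `ctx->connected = new_connected;` is also a plain write that the READ_ONCE() added to vidi_detect() in this same patch is meant to pair with; make it WRITE_ONCE() or the annotation on the reader side buys nothing. (The patch assumes ctx->lock is the mutex already initialised in probe; that is not visible in this diff.)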
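Review bot: in the `if (ctx->connected == vidi->connection)` hunk of vidi_connection_ioctl() the mutex is released immediately after the comparison, so the check and the later updates (`ctx->raw_edid = raw_edid;` and `ctx->connected = vidi->connection;`, each in its own lock/unlock pair in the next hunk) are not one atomic transition: two concurrent `connection = 1` requests both pass the check, both copy and duplicate an EDID, and the second store to ctx->raw_edid overwrites the first allocation without freeing it. Hold ctx->lock from the check through the final `ctx->connected` store (copy_from_user() and drm_edid_duplicate() may sleep, which is fine under a mutex) instead of toggling it around each field access.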
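Review bot: in the vidi_detect() hunk, `READ_ONCE(ctx->connected)` only means something when the writers use WRITE_ONCE(), and both writers in this patch (vidi_store_connection() and vidi_connection_ioctl()) use plain assignments under the mutex; either convert those stores or take ctx->lock here, as vidi_get_modes() now does.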
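Review bot: in the vidi_get_modes() hunk the `fail:` label is also the normal exit (the success path falls through into it after `kfree(edid)` in the following hunk), so the name misleads; `out:` or `unlock:` would read correctly. Note also that the race in the description is written in terms of drm_edid_dup()/drm_edid_alloc(), whereas in this 6.6 backport the same window is the `edid_len = (1 + ctx->raw_edid->extensions) * EDID_LENGTH;` and `edid = kmemdup(ctx->raw_edid, edid_len, GFP_KERNEL);` pair in this hunk; holding the mutex across both is what closes it, and a GFP_KERNEL allocation under a mutex is fine.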