From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.6.y 2/3] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Fri, 27 Feb 2026 13:59:52 +0900
Message-Id: <20260227045953.165751-3-aha310510@gmail.com>
In-Reply-To: <20260227045953.165751-1-aha310510@gmail.com>
References: <20260227045953.165751-1-aha310510@gmail.com>

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid(user pointer) is directly
dereferenced in the kernel.

This allows arbitrary kernel memory access from the user space, so instead
of directly accessing the user pointer in the kernel, we should modify it
to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index d0e394397eca..576d79ebe9a8 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -252,19 +252,26 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { struct edid *raw_edid; + struct edid edid_buf; + void *edid_userptr =3D u64_to_user_ptr(vidi->edid); =20 - raw_edid =3D (struct edid *)(unsigned long)vidi->edid; - if (!drm_edid_is_valid(raw_edid)) { + if (copy_from_user(&edid_buf, edid_userptr, sizeof(struct edid))) + return -EFAULT; + + if (!drm_edid_is_valid(&edid_buf)) { DRM_DEV_DEBUG_KMS(ctx->dev, "edid data is invalid.\n"); return -EINVAL; } - ctx->raw_edid =3D drm_edid_duplicate(raw_edid); - if (!ctx->raw_edid) { + + raw_edid =3D drm_edid_duplicate(&edid_buf); + + if (!raw_edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "failed to allocate raw_edid.\n"); return -ENOMEM; } + ctx->raw_edid =3D raw_edid; } else { /* * with connection =3D 0, free raw_edid --
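Review bot: copy_from_user() fills the on-stack edid_buf with exactly sizeof(struct edid) bytes, yet the two calls that follow, drm_edid_is_valid(&edid_buf) and drm_edid_duplicate(&edid_buf), are handed only a pointer and no length. If those helpers size their reads from the extension count in the EDID header (they have nothing else to go on), a user-supplied base block that advertises extension blocks would make them read past edid_buf on the kernel stack, and the duplicate would carry those bytes into ctx->raw_edid. Either reject a base block with a non-zero extension count right after the copy, or take the count from the copied header, allocate a buffer for the full EDID, and copy the remaining blocks from edid_userptr before validating. Separately, edid_userptr is declared as a plain "void *" although it holds the result of u64_to_user_ptr(); declaring it "const void __user *" keeps the address-space annotation visible to sparse.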