From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.1.y 5.15.y 5.10.y 1/3] drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
Date: Fri, 27 Feb 2026 14:33:15 +0900
Message-Id: <20260227053317.426000-2-aha310510@gmail.com>
In-Reply-To: <20260227053317.426000-1-aha310510@gmail.com>
References: <20260227053317.426000-1-aha310510@gmail.com>
Content-Transfer-Encoding: quoted-printable

[ Upstream commit d3968a0d85b211e197f2f4f06268a7031079e0d0 ]

vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device.

This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more.

To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_drv.h  |  1 +
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.h b/drivers/gpu/drm/exyn= os/exynos_drm_drv.h index 23646e55f142..06c29ff2aac0 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_drv.h +++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h @@ -199,6 +199,7 @@ struct drm_exynos_file_private { struct exynos_drm_private { struct device *g2d_dev; struct device *dma_dev; + struct device *vidi_dev; void *mapping; =20 /* for atomic commit */ diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 6de0cced6c9d..b31eefb3a8b1 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -223,9 +223,14 @@ ATTRIBUTE_GROUPS(vidi); int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, struct drm_file *file_priv) { - struct vidi_context *ctx =3D dev_get_drvdata(drm_dev->dev); + struct exynos_drm_private *priv =3D drm_dev->dev_private; + struct device *dev =3D priv ? priv->vidi_dev : NULL; + struct vidi_context *ctx =3D dev ? dev_get_drvdata(dev) : NULL; struct drm_exynos_vidi_connection *vidi =3D data; =20 + if (!ctx) + return -ENODEV; + if (!vidi) { DRM_DEV_DEBUG_KMS(ctx->dev, "user data for vidi is null.\n"); @@ -374,6 +379,7 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) { struct vidi_context *ctx =3D dev_get_drvdata(dev); struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; struct drm_encoder *encoder =3D &ctx->encoder; struct exynos_drm_plane *exynos_plane; struct exynos_drm_plane_config plane_config =3D { 0 }; @@ -381,6 +387,8 @@ static int vidi_bind(struct device *dev, struct device = *master, void *data) int ret; =20 ctx->drm_dev =3D drm_dev; + if (priv) + priv->vidi_dev =3D dev; =20 plane_config.pixel_formats =3D formats; plane_config.num_pixel_formats =3D ARRAY_SIZE(formats); 
@@ -426,8 +434,12 @@ static int vidi_bind(struct device *dev, struct device= *master, void *data) static void vidi_unbind(struct device *dev, struct device *master, void *d= ata) { struct vidi_context *ctx =3D dev_get_drvdata(dev); + struct drm_device *drm_dev =3D data; + struct exynos_drm_private *priv =3D drm_dev->dev_private; =20 del_timer_sync(&ctx->timer); + if (priv) + priv->vidi_dev =3D NULL; } =20 static const struct component_ops vidi_component_ops =3D { --
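Review bot: in the vidi_connection_ioctl() hunk, the lookup "priv->vidi_dev" followed by "dev_get_drvdata(dev)" is not synchronized against vidi_unbind() clearing priv->vidi_dev and the component going away. If the master's unbind tears down the DRM device before component_unbind_all() so that no ioctl can be in flight at that point, please say so in the commit message; otherwise an ioctl can still pick up a ctx that is being torn down. The early "return -ENODEV" is correctly placed before the first ctx->dev use in the "!vidi" branch.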
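Review bot: the "if (priv) priv->vidi_dev = dev;" guard in vidi_bind() turns a NULL drm_dev->dev_private into a silent success: bind returns 0, priv->vidi_dev is never set, and every later vidi_connection_ioctl() fails with -ENODEV without any hint why. Since the master sets dev_private before binding its components, either drop the guard or fail bind with an error (for example -EINVAL) so the misconfiguration is visible at bind time.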
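Review bot: in vidi_unbind(), clear priv->vidi_dev before "del_timer_sync(&ctx->timer);" rather than after it, so that an ioctl arriving during unbind cannot look up ctx through the still-published pointer while the context is already being torn down; the same remark about the "if (priv)" guard as in vidi_bind() applies here.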
From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.1.y 5.15.y 5.10.y 2/3] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Fri, 27 Feb 2026 14:33:16 +0900
Message-Id: <20260227053317.426000-3-aha310510@gmail.com>
In-Reply-To: <20260227053317.426000-1-aha310510@gmail.com>
References: <20260227053317.426000-1-aha310510@gmail.com>
Content-Transfer-Encoding: quoted-printable

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid (user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from the user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index d0e394397eca..576d79ebe9a8 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -252,19 +252,26 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { struct edid *raw_edid; + struct edid edid_buf; + void *edid_userptr =3D u64_to_user_ptr(vidi->edid); =20 - raw_edid =3D (struct edid *)(unsigned long)vidi->edid; - if (!drm_edid_is_valid(raw_edid)) { + if (copy_from_user(&edid_buf, edid_userptr, sizeof(struct edid))) + return -EFAULT; + + if (!drm_edid_is_valid(&edid_buf)) { DRM_DEV_DEBUG_KMS(ctx->dev, "edid data is invalid.\n"); return -EINVAL; } - ctx->raw_edid =3D drm_edid_duplicate(raw_edid); - if (!ctx->raw_edid) { + + raw_edid =3D drm_edid_duplicate(&edid_buf); + + if (!raw_edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "failed to allocate raw_edid.\n"); return -ENOMEM; } + ctx->raw_edid =3D raw_edid; } else { /* * with connection =3D 0, free raw_edid --
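Review bot: "struct edid edid_buf;" holds exactly one 128-byte base block, but both drm_edid_is_valid() and drm_edid_duplicate() consult edid->extensions and walk (1 + extensions) * EDID_LENGTH bytes, so a base block whose extension count is non-zero makes "drm_edid_is_valid(&edid_buf)" and "drm_edid_duplicate(&edid_buf)" read past the end of the on-stack buffer. Copy the base block as done here, then either reject edid_buf.extensions != 0, or compute the full length from it, kmalloc() that many bytes, copy the whole blob from edid_userptr, and only then validate and duplicate. Please also mention in the commit message that validation now happens on the kernel copy, which is what closes the time-of-check/time-of-use window the old direct dereference had.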
From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.1.y 5.15.y 5.10.y 3/3] drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Date: Fri, 27 Feb 2026 14:33:17 +0900
Message-Id: <20260227053317.426000-4-aha310510@gmail.com>
In-Reply-To: <20260227053317.426000-1-aha310510@gmail.com>
References: <20260227053317.426000-1-aha310510@gmail.com>
Content-Transfer-Encoding: quoted-printable

[ Upstream commit 52b330799e2d6f825ae2bb74662ec1b10eb954bb ]

Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problem. For example, use-after-free can occur in race scenario like this:

```
CPU0                                   CPU1                                              CPU2
----                                   ----                                              ----
vidi_connection_ioctl()
  if (vidi->connection) // true
    drm_edid = drm_edid_alloc(); // alloc drm_edid
    ...
    ctx->raw_edid = drm_edid;
    ...
                                       drm_mode_getconnector()
                                         drm_helper_probe_single_connector_modes()
                                           vidi_get_modes()
                                             if (ctx->raw_edid) // true
                                               drm_edid_dup(ctx->raw_edid);
                                                 if (!drm_edid) // false
                                                 ...
                                                                                         vidi_connection_ioctl()
                                                                                           if (vidi->connection) // false
                                                                                             drm_edid_free(ctx->raw_edid); // free drm_edid
                                                                                             ...
                                                 drm_edid_alloc(drm_edid->edid)
                                                   kmemdup(edid); // UAF!!
                                                 ...
```

To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock.

Cc:
Signed-off-by: Jeongjun Park
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 43 +++++++++++++++++++-----
 1 file changed, 35 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index 576d79ebe9a8..b7eae2469b31 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -186,15 +186,17 @@ static ssize_t vidi_store_connection(struct device *d= ev, const char *buf, size_t len) { struct vidi_context *ctx =3D dev_get_drvdata(dev); - int ret; + int ret, new_connected; =20 - ret =3D kstrtoint(buf, 0, &ctx->connected); + ret =3D kstrtoint(buf, 0, &new_connected); if (ret) return ret; =20 - if (ctx->connected > 1) + if (new_connected > 1) return -EINVAL; =20 + mutex_lock(&ctx->lock); + /* use fake edid data for test. */ if (!ctx->raw_edid) ctx->raw_edid =3D (struct edid *)fake_edid_info; @@ -202,14 +204,21 @@ static ssize_t vidi_store_connection(struct device *d= ev, /* if raw_edid isn't same as fake data then it can't be tested. */ if (ctx->raw_edid !=3D (struct edid *)fake_edid_info) { DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n"); - return -EINVAL; + ret =3D -EINVAL; + goto fail; } =20 + ctx->connected =3D new_connected; + mutex_unlock(&ctx->lock); + DRM_DEV_DEBUG_KMS(dev, "requested connection.\n"); =20 drm_helper_hpd_irq_event(ctx->drm_dev); =20 return len; +fail: + mutex_unlock(&ctx->lock); + return ret; } =20 static DEVICE_ATTR(connection, 0644, vidi_show_connection, @@ -244,11 +253,14 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, return -EINVAL; } =20 + mutex_lock(&ctx->lock); if (ctx->connected =3D=3D vidi->connection) { + mutex_unlock(&ctx->lock); DRM_DEV_DEBUG_KMS(ctx->dev, "same connection request.\n"); return -EINVAL; } + mutex_unlock(&ctx->lock); =20 if (vidi->connection) { struct edid *raw_edid; 
@@ -271,20 +283,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, "failed to allocate raw_edid.\n"); return -ENOMEM; } + mutex_lock(&ctx->lock); ctx->raw_edid =3D raw_edid; + mutex_unlock(&ctx->lock); } else { /* * with connection =3D 0, free raw_edid * only if raw edid data isn't same as fake data. */ + mutex_lock(&ctx->lock); if (ctx->raw_edid && ctx->raw_edid !=3D (struct edid *)fake_edid_info) { kfree(ctx->raw_edid); ctx->raw_edid =3D NULL; } + mutex_unlock(&ctx->lock); } =20 + mutex_lock(&ctx->lock); ctx->connected =3D vidi->connection; + mutex_unlock(&ctx->lock); + drm_helper_hpd_irq_event(ctx->drm_dev); =20 return 0; @@ -299,7 +318,7 @@ static enum drm_connector_status vidi_detect(struct drm= _connector *connector, * connection request would come from user side * to do hotplug through specific ioctl. */ - return ctx->connected ? connector_status_connected : + return READ_ONCE(ctx->connected) ? connector_status_connected : connector_status_disconnected; } =20 @@ -321,22 +340,24 @@ static int vidi_get_modes(struct drm_connector *conne= ctor) struct vidi_context *ctx =3D ctx_from_connector(connector); struct edid *edid; int edid_len; - int count; + int count =3D 0; =20 /* * the edid data comes from user side and it would be set * to ctx->raw_edid through specific ioctl. */ + + mutex_lock(&ctx->lock); if (!ctx->raw_edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "raw_edid is null.\n"); - return 0; + goto fail; } =20 edid_len =3D (1 + ctx->raw_edid->extensions) * EDID_LENGTH; edid =3D kmemdup(ctx->raw_edid, edid_len, GFP_KERNEL); if (!edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "failed to allocate edid\n"); - return 0; + goto fail; } =20 drm_connector_update_edid_property(connector, edid); @@ -345,6 +366,8 @@ static int vidi_get_modes(struct drm_connector *connect= or) =20 kfree(edid); =20 +fail: + mutex_unlock(&ctx->lock); return count; } =20 
@@ -490,11 +513,15 @@ static int vidi_remove(struct platform_device *pdev) { struct vidi_context *ctx =3D platform_get_drvdata(pdev); =20 + mutex_lock(&ctx->lock); + if (ctx->raw_edid !=3D (struct edid *)fake_edid_info) { kfree(ctx->raw_edid); ctx->raw_edid =3D NULL; } =20 + mutex_unlock(&ctx->lock); + component_del(&pdev->dev, &vidi_component_ops); =20 return 0; --
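Review bot: in the vidi_store_connection() hunk, "if (new_connected > 1) return -EINVAL;" still lets negative values through, and they are then stored by "ctx->connected = new_connected;" under the lock. Since the parse is being reworked anyway, reject new_connected < 0 as well (or parse with kstrtobool() and store 0/1), so that vidi_detect() and the "same connection request" comparison only ever see 0 or 1.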
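Review bot: the lock/unlock pair around "if (ctx->connected == vidi->connection)" in vidi_connection_ioctl() makes the read atomic but not the decision: two ioctls with connection = 1 can both pass this check before either one updates ctx->connected, both then allocate a raw_edid, and the second "ctx->raw_edid = raw_edid;" store later in the function overwrites the first copy without freeing it. Hold ctx->lock from this check through the final update of ctx->connected and release it only before drm_helper_hpd_irq_event(); the allocation can be done before taking the lock and freed on the "same connection" path.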
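Review bot: the hunk at -271,20 wraps each access separately (the "ctx->raw_edid = raw_edid;" store, the kfree() branch, and "ctx->connected = vidi->connection;"), which protects the individual loads and stores but not the sequence: between the raw_edid store and the connected store another caller can observe connected == 0 together with a live raw_edid, and a concurrent disconnect can free the buffer that was just installed. One critical section covering the whole connect/disconnect update is both simpler and closes these windows.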
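Review bot: "READ_ONCE(ctx->connected)" in vidi_detect() has no matching WRITE_ONCE() on the writer side; "ctx->connected = new_connected;" and "ctx->connected = vidi->connection;" are plain stores under the mutex. Either annotate the two writers with WRITE_ONCE() so the pairing is explicit, or take ctx->lock in vidi_detect() as well, since it is not a hot path.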
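Review bot: in vidi_get_modes() the lock is held from "if (!ctx->raw_edid)" all the way to the "fail:" label, which includes drm_connector_update_edid_property() and the mode-adding helper. The whole point of the kmemdup() copy is that the snapshot can be used without the lock, so unlock right after the kmemdup() (keeping only the NULL check, the length computation and the copy inside the critical section) rather than nesting DRM helpers under a driver mutex. The label is also reached on the success path, so "out:" would be a more accurate name than "fail:".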
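Review bot: vidi_remove() frees ctx->raw_edid under the lock and only then calls component_del(), so the DRM side and the ioctl are still live while the EDID is being released; an ioctl with connection = 1 arriving between mutex_unlock() and component_del() installs a new raw_edid that is never freed. Call component_del() first, then take the lock and free the EDID.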