From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.1.y 5.15.y 5.10.y 2/3] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Fri, 27 Feb 2026 14:33:16 +0900
Message-Id: <20260227053317.426000-3-aha310510@gmail.com>
In-Reply-To: <20260227053317.426000-1-aha310510@gmail.com>
References: <20260227053317.426000-1-aha310510@gmail.com>

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid(user pointer) is directly
dereferenced in the kernel.

This allows arbitrary kernel memory access from the user space, so instead
of directly accessing the user pointer in the kernel, we should modify it
to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exy= nos/exynos_drm_vidi.c index d0e394397eca..576d79ebe9a8 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -252,19 +252,26 @@ int vidi_connection_ioctl(struct drm_device *drm_dev,= void *data, =20 if (vidi->connection) { struct edid *raw_edid; + struct edid edid_buf; + void *edid_userptr =3D u64_to_user_ptr(vidi->edid); =20 - raw_edid =3D (struct edid *)(unsigned long)vidi->edid; - if (!drm_edid_is_valid(raw_edid)) { + if (copy_from_user(&edid_buf, edid_userptr, sizeof(struct edid))) + return -EFAULT; + + if (!drm_edid_is_valid(&edid_buf)) { DRM_DEV_DEBUG_KMS(ctx->dev, "edid data is invalid.\n"); return -EINVAL; } - ctx->raw_edid =3D drm_edid_duplicate(raw_edid); - if (!ctx->raw_edid) { + + raw_edid =3D drm_edid_duplicate(&edid_buf); + + if (!raw_edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "failed to allocate raw_edid.\n"); return -ENOMEM; } + ctx->raw_edid =3D raw_edid; } else { /* * with connection =3D 0, free raw_edid --
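Review bot: The copy into edid_buf is fixed at sizeof(struct edid), a single base block on the stack, but drm_edid_is_valid(&edid_buf) and drm_edid_duplicate(&edid_buf) are handed a bare pointer with no length. If either helper sizes its work from the extensions count carried inside that user-supplied block, a non-zero count would make it read past edid_buf into adjacent kernel stack, and the duplicate stored in ctx->raw_edid would then contain that stack data. Consider rejecting edid_buf.extensions != 0 right after copy_from_user(), or reading the count first and copying (extensions + 1) blocks into a heap buffer before validating. Separately, "void *edid_userptr" drops the __user annotation carried by the value u64_to_user_ptr() returns; declaring it "const void __user *edid_userptr" keeps sparse checking on the copy_from_user() call.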