From: Jeongjun Park
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park, David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park
Subject: [PATCH 6.19.y 6.18.y 2/2] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Fri, 20 Feb 2026 12:35:50 +0900
Message-Id: <20260220033550.124346-3-aha310510@gmail.com>
In-Reply-To: <20260220033550.124346-1-aha310510@gmail.com>

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid(user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from the user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exynos/exynos_drm_vidi.c index 1fe297d512e7..601406b640c7 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -251,13 +251,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, if (vidi->connection) { const struct drm_edid *drm_edid; - const struct edid *raw_edid; + const void __user *edid_userptr = u64_to_user_ptr(vidi->edid); + void *edid_buf; + struct edid hdr; size_t size; - raw_edid = (const struct edid *)(unsigned long)vidi->edid; - size = (raw_edid->extensions + 1) * EDID_LENGTH; + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) + return -EFAULT; - drm_edid = drm_edid_alloc(raw_edid, size); + size = (hdr.extensions + 1) * EDID_LENGTH; + + edid_buf = kmalloc(size, GFP_KERNEL); + if (!edid_buf) + return -ENOMEM; + + if (copy_from_user(edid_buf, edid_userptr, size)) { + kfree(edid_buf); + return -EFAULT; + } + + drm_edid = drm_edid_alloc(edid_buf, size); + kfree(edid_buf); if (!drm_edid) return -ENOMEM; --
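
Review bot: the EDID is fetched from user space twice, so the extensions count taken from hdr after the first copy_from_user() and used to compute size is not guaranteed to match the extensions byte that lands in edid_buf after the second copy_from_user(); user space can rewrite that byte between the two reads. After the second copy, either compare ((struct edid *)edid_buf)->extensions against hdr.extensions and return -EINVAL on mismatch, or overwrite the start of edid_buf with the already validated header via memcpy(edid_buf, &hdr, sizeof(hdr)), so that the size handed to drm_edid_alloc() and the count stored inside the buffer always agree. Separately, the kmalloc() plus copy_from_user() pair and its kfree() error path could be collapsed into memdup_user(edid_userptr, size), checking the result with IS_ERR() and returning PTR_ERR().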