public inbox for drm-ai-reviews@public-inbox.freedesktop.org
* [PATCH 6.19.y 6.18.y 0/2] drm/exynos: vidi: fix various memory corruption bugs
From: Jeongjun Park @ 2026-02-20  3:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park,
	David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar,
	dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
	Jeongjun Park

This backport patch should have been backported along with commit 52b330799e2d
("drm/exynos: vidi: use ctx->lock to protect struct vidi_context member
variables related to memory alloc/free"), but was written separately because
some commits were missing.

https://lore.kernel.org/all/20260119082553.195181-1-aha310510@gmail.com/

After this patch is backported, we plan to write additional patches to
backport to the remaining longterm kernels.

Jeongjun Park (2):
  drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
  drm/exynos: vidi: fix to avoid directly dereferencing user pointer

 drivers/gpu/drm/exynos/exynos_drm_drv.h  |  1 +
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 36 +++++++++++++++++++++++++++++++-----
 2 files changed, 32 insertions(+), 5 deletions(-)


* [PATCH 6.19.y 6.18.y 1/2] drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
From: Jeongjun Park @ 2026-02-20  3:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park,
	David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar,
	dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
	Jeongjun Park

[ Upstream commit d3968a0d85b211e197f2f4f06268a7031079e0d0 ]

vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to
obtain a struct vidi_context pointer. However, drm_dev->dev is the
exynos-drm master device, and the driver_data contained therein is not
the vidi component device, but a completely different device.

This can lead to various bugs, ranging from null pointer dereferences and
garbage value accesses to, in unlucky cases, out-of-bounds errors,
use-after-free errors, and more.

To resolve this issue, we need to store/delete the vidi device pointer in
exynos_drm_private->vidi_dev during bind/unbind, and then read this
exynos_drm_private->vidi_dev within ioctl() to obtain the correct
struct vidi_context pointer.

Cc: <stable@vger.kernel.org>
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
---
 drivers/gpu/drm/exynos/exynos_drm_drv.h  |  1 +
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.h b/drivers/gpu/drm/exynos/exynos_drm_drv.h
index 23646e55f142..06c29ff2aac0 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_drv.h
+++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h
@@ -199,6 +199,7 @@ struct drm_exynos_file_private {
 struct exynos_drm_private {
 	struct device *g2d_dev;
 	struct device *dma_dev;
+	struct device *vidi_dev;
 	void *mapping;
 
 	/* for atomic commit */
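Review bot: the new `vidi_dev` member carries no comment on who owns it or when it is valid; a one-line comment stating that it is set by the vidi component's bind callback and cleared by its unbind callback (which is how the rest of this patch uses it) would help the next reader of `struct exynos_drm_private`, since the surrounding fields give no hint that this one may be NULL whenever the vidi component is not bound.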
diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
index e094b8bbc0f1..1fe297d512e7 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -223,9 +223,14 @@ ATTRIBUTE_GROUPS(vidi);
 int vidi_connection_ioctl(struct drm_device *drm_dev, void *data,
 				struct drm_file *file_priv)
 {
-	struct vidi_context *ctx = dev_get_drvdata(drm_dev->dev);
+	struct exynos_drm_private *priv = drm_dev->dev_private;
+	struct device *dev = priv ? priv->vidi_dev : NULL;
+	struct vidi_context *ctx = dev ? dev_get_drvdata(dev) : NULL;
 	struct drm_exynos_vidi_connection *vidi = data;
 
+	if (!ctx)
+		return -ENODEV;
+
 	if (!vidi) {
 		DRM_DEV_DEBUG_KMS(ctx->dev,
 				  "user data for vidi is null.\n");
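Review bot: the load of `priv->vidi_dev` and the following `dev_get_drvdata(dev)` are not serialized against vidi_unbind() clearing the same pointer, so the `if (!ctx) return -ENODEV;` check narrows the window rather than closing it; if the component can unbind while the ioctl is reachable, the lookup should be protected (a lock held across the lookup and the use of `ctx`, or a pointer published under RCU). The ordering inside the hunk is otherwise right: `ctx` is validated before the `if (!vidi)` branch that dereferences `ctx->dev` in `DRM_DEV_DEBUG_KMS`, so that debug path can no longer fault on a bogus context, and the `priv ?` guard is cheap even though `dev_private` is expected to be set for any reachable DRM ioctl.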
@@ -371,6 +376,7 @@ static int vidi_bind(struct device *dev, struct device *master, void *data)
 {
 	struct vidi_context *ctx = dev_get_drvdata(dev);
 	struct drm_device *drm_dev = data;
+	struct exynos_drm_private *priv = drm_dev->dev_private;
 	struct drm_encoder *encoder = &ctx->encoder;
 	struct exynos_drm_plane *exynos_plane;
 	struct exynos_drm_plane_config plane_config = { 0 };
@@ -378,6 +384,8 @@ static int vidi_bind(struct device *dev, struct device *master, void *data)
 	int ret;
 
 	ctx->drm_dev = drm_dev;
+	if (priv)
+		priv->vidi_dev = dev;
 
 	plane_config.pixel_formats = formats;
 	plane_config.num_pixel_formats = ARRAY_SIZE(formats);
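Review bot: `priv->vidi_dev = dev;` is published immediately after `ctx->drm_dev = drm_dev;`, before the plane and encoder setup that follows (the `int ret;` in this hunk shows vidi_bind() has failure returns); if a later step fails, the pointer is left set to a device whose bind never completed, and unbind will not run to clear it. Moving the assignment to the end of vidi_bind(), after the last error check, or resetting it on the error paths, avoids handing the ioctl a half-initialized context. The `if (priv)` guard mirrors the one on the ioctl side and is harmless.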
@@ -423,8 +431,12 @@ static int vidi_bind(struct device *dev, struct device *master, void *data)
 static void vidi_unbind(struct device *dev, struct device *master, void *data)
 {
 	struct vidi_context *ctx = dev_get_drvdata(dev);
+	struct drm_device *drm_dev = data;
+	struct exynos_drm_private *priv = drm_dev->dev_private;
 
 	timer_delete_sync(&ctx->timer);
+	if (priv)
+		priv->vidi_dev = NULL;
 }
 
 static const struct component_ops vidi_component_ops = {
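Review bot: vidi_unbind() clears `priv->vidi_dev` only after `timer_delete_sync(&ctx->timer)`, so an ioctl arriving during the timer teardown can still look the context up and use it; clearing the pointer first, before dismantling anything in `ctx`, keeps new ioctl callers out for the rest of the teardown. As with the lookup side, no lock or barrier orders this store against readers, so the reordering shrinks the race rather than removing it, and the two sides should share whatever synchronization is chosen for the ioctl.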
--


* [PATCH 6.19.y 6.18.y 2/2] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
From: Jeongjun Park @ 2026-02-20  3:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, Inki Dae, Seung-Woo Kim, Kyungmin Park,
	David Airlie, Simona Vetter, Krzysztof Kozlowski, Alim Akhtar,
	dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
	Jeongjun Park

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid (user pointer) is directly
dereferenced in the kernel.

This allows arbitrary kernel memory access from the user space, so instead
of directly accessing the user pointer in the kernel, we should modify it
to copy edid to kernel memory using copy_from_user() and use it.

Cc: <stable@vger.kernel.org>
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
index 1fe297d512e7..601406b640c7 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -251,13 +251,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev, void *data,
 
 	if (vidi->connection) {
 		const struct drm_edid *drm_edid;
-		const struct edid *raw_edid;
+		const void __user *edid_userptr = u64_to_user_ptr(vidi->edid);
+		void *edid_buf;
+		struct edid hdr;
 		size_t size;
 
-		raw_edid = (const struct edid *)(unsigned long)vidi->edid;
-		size = (raw_edid->extensions + 1) * EDID_LENGTH;
+		if (copy_from_user(&hdr, edid_userptr, sizeof(hdr)))
+			return -EFAULT;
 
-		drm_edid = drm_edid_alloc(raw_edid, size);
+		size = (hdr.extensions + 1) * EDID_LENGTH;
+
+		edid_buf = kmalloc(size, GFP_KERNEL);
+		if (!edid_buf)
+			return -ENOMEM;
+
+		if (copy_from_user(edid_buf, edid_userptr, size)) {
+			kfree(edid_buf);
+			return -EFAULT;
+		}
+
+		drm_edid = drm_edid_alloc(edid_buf, size);
+		kfree(edid_buf);
 		if (!drm_edid)
 			return -ENOMEM;
 
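Review bot: the `kmalloc()` / `copy_from_user()` / `kfree()`-on-fault sequence can be collapsed into `edid_buf = memdup_user(edid_userptr, size);` followed by an `IS_ERR(edid_buf)` check returning `PTR_ERR(edid_buf)`, which yields the same -ENOMEM and -EFAULT results and removes the hand-written `kfree(edid_buf)` in the fault path. One further observation on the two-step copy: the second `copy_from_user()` re-reads the header from user space, so the `extensions` byte embedded in `edid_buf` can disagree with the `hdr.extensions` value that sized the buffer; `drm_edid_alloc()` is passed the kernel-computed `size`, so the allocation cannot be overrun, but the later EDID validation is what must reject a buffer whose embedded extension count no longer matches its length, and a short sentence in the commit message saying so would document why the two reads are acceptable.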
--


* Claude review: drm/exynos: vidi: fix various memory corruption bugs
From: Claude Code Review Bot @ 2026-02-22 20:11 UTC (permalink / raw)
  To: dri-devel-reviews

Overall Series Review

Subject: drm/exynos: vidi: fix various memory corruption bugs
Author: Jeongjun Park <aha310510@gmail.com>
Patches: 3
Reviewed: 2026-02-23T06:11:02.494577

---

This is a two-patch backport series for the 6.18.y and 6.19.y stable trees, fixing two bugs in the Exynos DRM VIDI (Virtual Display Interface) driver. Both patches have upstream commits (d3968a0d85b2 and d4c98c077c7f respectively), already merged to drm-next.

Patch 1 fixes a context lookup bug in `vidi_connection_ioctl()` where the driver was incorrectly fetching `vidi_context` from the master DRM device's `driver_data` instead of from the vidi component device. Patch 2 fixes a direct user pointer dereference where `vidi->edid` (a user-space pointer passed via ioctl) was cast and accessed directly in kernel space without `copy_from_user()`.

Both fixes are correct and match the code already present in drm-next. The series is properly ordered: patch 1 introduces the `vidi_dev` infrastructure needed for the correct device lookup, and patch 2 builds on that to also fix the unsafe user pointer access. No significant issues found.

---
Generated by Claude Code Patch Reviewer


* Claude review: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
From: Claude Code Review Bot @ 2026-02-22 20:11 UTC (permalink / raw)
  To: dri-devel-reviews

Patch Review

This patch fixes the bug where `vidi_connection_ioctl()` was calling `dev_get_drvdata(drm_dev->dev)`, which returns the driver data for the exynos-drm master device rather than the vidi component device. The fix adds a `vidi_dev` field to `exynos_drm_private`, sets it during bind, clears it during unbind, and uses it in the ioctl to retrieve the correct `vidi_context`.

> +	struct exynos_drm_private *priv = drm_dev->dev_private;
> +	struct device *dev = priv ? priv->vidi_dev : NULL;
> +	struct vidi_context *ctx = dev ? dev_get_drvdata(dev) : NULL;

> +	if (!ctx)
> +		return -ENODEV;

The NULL checks on `priv` are defensive -- `dev_private` should always be set if the ioctl is reachable through the DRM device -- but the important case is when `vidi_dev` is NULL because the vidi component hasn't been bound (or has been unbound). Returning `-ENODEV` is the correct behavior in that case.

> +	if (priv)
> +		priv->vidi_dev = dev;

> +	if (priv)
> +		priv->vidi_dev = NULL;

Same defensive NULL check on `priv` in bind and unbind. In practice, `drm_dev->dev_private` is set before components bind, but there's no harm in the check. This matches what was merged upstream.

No issues found.

---
Generated by Claude Code Patch Reviewer


* Claude review: drm/exynos: vidi: fix to avoid directly dereferencing user pointer
From: Claude Code Review Bot @ 2026-02-22 20:11 UTC (permalink / raw)
  To: dri-devel-reviews

Patch Review

This patch fixes a security issue where the user-space EDID pointer from the ioctl struct was directly cast to a kernel pointer and dereferenced. The fix properly uses `copy_from_user()` to first copy the EDID header (to read the `extensions` count), then allocates a kernel buffer and copies the full EDID data.

> +		const void __user *edid_userptr = u64_to_user_ptr(vidi->edid);
> +		void *edid_buf;
> +		struct edid hdr;
>  		size_t size;
>  
> -		raw_edid = (const struct edid *)(unsigned long)vidi->edid;
> -		size = (raw_edid->extensions + 1) * EDID_LENGTH;
> +		if (copy_from_user(&hdr, edid_userptr, sizeof(hdr)))
> +			return -EFAULT;
> +
> +		size = (hdr.extensions + 1) * EDID_LENGTH;

The size computation is safe from overflow: `hdr.extensions` is a `u8` (max 255), so the maximum size is `256 * 128 = 32768` bytes. The use of `u64_to_user_ptr()` is the correct way to convert the `__u64` ioctl field to a `__user` pointer.

> +		edid_buf = kmalloc(size, GFP_KERNEL);
> +		if (!edid_buf)
> +			return -ENOMEM;
> +
> +		if (copy_from_user(edid_buf, edid_userptr, size)) {
> +			kfree(edid_buf);
> +			return -EFAULT;
> +		}
> +
> +		drm_edid = drm_edid_alloc(edid_buf, size);
> +		kfree(edid_buf);

`drm_edid_alloc()` makes its own internal copy of the EDID data, so freeing `edid_buf` immediately after is correct. The error paths properly free `edid_buf` before returning.

There is a theoretical TOCTOU between the header copy and the full copy (user space could modify the `extensions` field between the two `copy_from_user` calls), but this is harmless: the size is computed from the kernel copy of the header, so the kernel buffer is always correctly sized. If the user modifies the data between copies, the subsequent `drm_edid_valid()` check (present in the existing code below this diff) will catch any inconsistency.

No issues found.

---
Generated by Claude Code Patch Reviewer

