From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A2A0C108E1F7 for ; Thu, 19 Mar 2026 12:01:48 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 0E2D310E987; Thu, 19 Mar 2026 12:01:48 +0000 (UTC) Authentication-Results: gabe.freedesktop.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="gPMVbTTT"; dkim-atps=neutral Received: from sea.source.kernel.org (sea.source.kernel.org [172.234.252.31]) by gabe.freedesktop.org (Postfix) with ESMTPS id 06C8110E987 for ; Thu, 19 Mar 2026 12:01:46 +0000 (UTC) Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sea.source.kernel.org (Postfix) with ESMTP id E2FC0439CC; Thu, 19 Mar 2026 12:01:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 512A9C2BCB0; Thu, 19 Mar 2026 12:01:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1773921705; bh=FI2RzMl4vqwoOgQ284Xq5uO4APyYsWh2CfzxL2lSpqE=; h=Subject:To:Cc:From:Date:In-Reply-To:From; b=gPMVbTTTZDpZo1uqG/bHPeCytbq7RlFU4/vESVAGuVRtsh0kgjgPfdB7qBS4C+nB3 l4TCCivwe+4mf0KRA2pD5TzDjn2VF9CoVJ12VdqAK+VgEBJbm5QEgNrkFVsuRzBu/j 79TT/RsWbhFFxDOL1F9tuDeQFNcMl0AaHj0byrwc= Subject: Patch "drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free" has been added to the 6.6-stable tree To: aha310510@gmail.com, airlied@gmail.com, alim.akhtar@samsung.com, dri-devel@lists.freedesktop.org, gregkh@linuxfoundation.org, inki.dae@samsung.com, krzk@kernel.org, kyungmin.park@samsung.com, linux-arm-kernel@lists.infradead.org, simona@ffwll.ch, sw0312.kim@samsung.com Cc: From: Date: Thu, 19 Mar 2026 13:01:24 +0100 In-Reply-To: <20260227045953.165751-4-aha310510@gmail.com> Message-ID: <2026031923-decimal-gulp-13b4@gregkh> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit X-stable: commit X-Patchwork-Hint: ignore X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" This is a note to let you know that I've just added the patch titled drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free to the 6.6-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch and it can be found in the queue-6.6 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >From stable+bounces-219911-greg=kroah.com@vger.kernel.org Fri Feb 27 06:01:30 2026 From: Jeongjun Park Date: Fri, 27 Feb 2026 13:59:53 +0900 Subject: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , Inki Dae , Seung-Woo Kim , Kyungmin Park , David Airlie , Simona Vetter , Krzysztof Kozlowski , Alim Akhtar , dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeongjun Park Message-ID: <20260227045953.165751-4-aha310510@gmail.com> From: Jeongjun Park [ Upstream commit 52b330799e2d6f825ae2bb74662ec1b10eb954bb ] Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problem. For example, use-after-free can occur in race scenario like this: ``` CPU0 CPU1 CPU2 ---- ---- ---- vidi_connection_ioctl() if (vidi->connection) // true drm_edid = drm_edid_alloc(); // alloc drm_edid ... ctx->raw_edid = drm_edid; ... drm_mode_getconnector() drm_helper_probe_single_connector_modes() vidi_get_modes() if (ctx->raw_edid) // true drm_edid_dup(ctx->raw_edid); if (!drm_edid) // false ... vidi_connection_ioctl() if (vidi->connection) // false drm_edid_free(ctx->raw_edid); // free drm_edid ... drm_edid_alloc(drm_edid->edid) kmemdup(edid); // UAF!! ... ``` To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock. Cc: Signed-off-by: Jeongjun Park Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/exynos/exynos_drm_vidi.c | 43 +++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 8 deletions(-) --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c @@ -186,15 +186,17 @@ static ssize_t vidi_store_connection(str const char *buf, size_t len) { struct vidi_context *ctx = dev_get_drvdata(dev); - int ret; + int ret, new_connected; - ret = kstrtoint(buf, 0, &ctx->connected); + ret = kstrtoint(buf, 0, &new_connected); if (ret) return ret; - if (ctx->connected > 1) + if (new_connected > 1) return -EINVAL; + mutex_lock(&ctx->lock); + /* use fake edid data for test. */ if (!ctx->raw_edid) ctx->raw_edid = (struct edid *)fake_edid_info; @@ -202,14 +204,21 @@ static ssize_t vidi_store_connection(str /* if raw_edid isn't same as fake data then it can't be tested. */ if (ctx->raw_edid != (struct edid *)fake_edid_info) { DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n"); - return -EINVAL; + ret = -EINVAL; + goto fail; } + ctx->connected = new_connected; + mutex_unlock(&ctx->lock); + DRM_DEV_DEBUG_KMS(dev, "requested connection.\n"); drm_helper_hpd_irq_event(ctx->drm_dev); return len; +fail: + mutex_unlock(&ctx->lock); + return ret; } static DEVICE_ATTR(connection, 0644, vidi_show_connection, @@ -244,11 +253,14 @@ int vidi_connection_ioctl(struct drm_dev return -EINVAL; } + mutex_lock(&ctx->lock); if (ctx->connected == vidi->connection) { + mutex_unlock(&ctx->lock); DRM_DEV_DEBUG_KMS(ctx->dev, "same connection request.\n"); return -EINVAL; } + mutex_unlock(&ctx->lock); if (vidi->connection) { struct edid *raw_edid; @@ -271,20 +283,27 @@ int vidi_connection_ioctl(struct drm_dev "failed to allocate raw_edid.\n"); return -ENOMEM; } + mutex_lock(&ctx->lock); ctx->raw_edid = raw_edid; + mutex_unlock(&ctx->lock); } else { /* * with connection = 0, free raw_edid * only if raw edid data isn't same as fake data. */ + mutex_lock(&ctx->lock); if (ctx->raw_edid && ctx->raw_edid != (struct edid *)fake_edid_info) { kfree(ctx->raw_edid); ctx->raw_edid = NULL; } + mutex_unlock(&ctx->lock); } + mutex_lock(&ctx->lock); ctx->connected = vidi->connection; + mutex_unlock(&ctx->lock); + drm_helper_hpd_irq_event(ctx->drm_dev); return 0; @@ -299,7 +318,7 @@ static enum drm_connector_status vidi_de * connection request would come from user side * to do hotplug through specific ioctl. */ - return ctx->connected ? connector_status_connected : + return READ_ONCE(ctx->connected) ? connector_status_connected : connector_status_disconnected; } @@ -321,22 +340,24 @@ static int vidi_get_modes(struct drm_con struct vidi_context *ctx = ctx_from_connector(connector); struct edid *edid; int edid_len; - int count; + int count = 0; /* * the edid data comes from user side and it would be set * to ctx->raw_edid through specific ioctl. */ + + mutex_lock(&ctx->lock); if (!ctx->raw_edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "raw_edid is null.\n"); - return 0; + goto fail; } edid_len = (1 + ctx->raw_edid->extensions) * EDID_LENGTH; edid = kmemdup(ctx->raw_edid, edid_len, GFP_KERNEL); if (!edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "failed to allocate edid\n"); - return 0; + goto fail; } drm_connector_update_edid_property(connector, edid); @@ -345,6 +366,8 @@ static int vidi_get_modes(struct drm_con kfree(edid); +fail: + mutex_unlock(&ctx->lock); return count; } @@ -490,11 +513,15 @@ static int vidi_remove(struct platform_d { struct vidi_context *ctx = platform_get_drvdata(pdev); + mutex_lock(&ctx->lock); + if (ctx->raw_edid != (struct edid *)fake_edid_info) { kfree(ctx->raw_edid); ctx->raw_edid = NULL; } + mutex_unlock(&ctx->lock); + component_del(&pdev->dev, &vidi_component_ops); return 0; Patches currently in stable-queue which might be from aha310510@gmail.com are queue-6.6/drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch queue-6.6/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch queue-6.6/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch