From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Jeongjun Park, Inki Dae
Subject: [PATCH 5.15 224/570] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Mon, 13 Apr 2026 17:55:55 +0200
Message-ID: <20260413155838.846303776@linuxfoundation.org>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260413155830.386096114@linuxfoundation.org>
References: <20260413155830.386096114@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

5.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeongjun Park

commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 upstream.

In vidi_connection_ioctl(), vidi->edid(user pointer) is directly
dereferenced in the kernel.

This allows arbitrary kernel memory access from the user space, so instead
of directly accessing the user pointer in the kernel, we should modify it
to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
Signed-off-by: Greg Kroah-Hartman
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -251,19 +251,26 @@ int vidi_connection_ioctl(struct drm_dev if (vidi->connection) { struct edid *raw_edid; + struct edid edid_buf; + void *edid_userptr = u64_to_user_ptr(vidi->edid); - raw_edid = (struct edid *)(unsigned long)vidi->edid; - if (!drm_edid_is_valid(raw_edid)) { + if (copy_from_user(&edid_buf, edid_userptr, sizeof(struct edid))) + return -EFAULT; + + if (!drm_edid_is_valid(&edid_buf)) { DRM_DEV_DEBUG_KMS(ctx->dev, "edid data is invalid.\n"); return -EINVAL; } - ctx->raw_edid = drm_edid_duplicate(raw_edid); - if (!ctx->raw_edid) { + + raw_edid = drm_edid_duplicate(&edid_buf); + + if (!raw_edid) { DRM_DEV_DEBUG_KMS(ctx->dev, "failed to allocate raw_edid.\n"); return -ENOMEM; } + ctx->raw_edid = raw_edid; } else { /* * with connection = 0, free raw_edid
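
Review bot: the copy_from_user() call brings in exactly sizeof(struct edid) bytes, but edid_buf is then passed to drm_edid_is_valid(&edid_buf) and drm_edid_duplicate(&edid_buf), which receive only a pointer and no length. Both helpers size their work from the extensions count in the EDID header, so a user-supplied header with a nonzero extensions field makes them read past the on-stack edid_buf. Either reject edid_buf.extensions != 0 with -EINVAL right after the copy, or read the header first and copy (extensions + 1) blocks into an allocated buffer before validating. A smaller point on the same hunk: edid_userptr should be declared void __user * so that sparse can check the copy_from_user() source argument.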