From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Jeongjun Park, Inki Dae, Sasha Levin
Subject: [PATCH 6.12 095/265] drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Date: Thu, 12 Mar 2026 21:08:02 +0100
Message-ID: <20260312201021.660593507@linuxfoundation.org>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260312201018.128816016@linuxfoundation.org>
References: <20260312201018.128816016@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.12-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jeongjun Park

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid(user pointer) is directly
dereferenced in the kernel.

This allows arbitrary kernel memory access from the user space, so instead
of directly accessing the user pointer in the kernel, we should modify it
to copy edid to kernel memory using copy_from_user() and use it.

Cc:
Signed-off-by: Jeongjun Park
Signed-off-by: Inki Dae
Signed-off-by: Sasha Levin
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exynos/exynos_drm_vidi.c index 6de0cced6c9d2..007fd8dad3559 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c +++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -246,13 +246,27 @@ int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, if (vidi->connection) { const struct drm_edid *drm_edid; - const struct edid *raw_edid; + const void __user *edid_userptr = u64_to_user_ptr(vidi->edid); + void *edid_buf; + struct edid hdr; size_t size; - raw_edid = (const struct edid *)(unsigned long)vidi->edid; - size = (raw_edid->extensions + 1) * EDID_LENGTH; + if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) + return -EFAULT; - drm_edid = drm_edid_alloc(raw_edid, size); + size = (hdr.extensions + 1) * EDID_LENGTH; + + edid_buf = kmalloc(size, GFP_KERNEL); + if (!edid_buf) + return -ENOMEM; + + if (copy_from_user(edid_buf, edid_userptr, size)) { + kfree(edid_buf); + return -EFAULT; + } + + drm_edid = drm_edid_alloc(edid_buf, size); + kfree(edid_buf); if (!drm_edid) return -ENOMEM; -- 2.51.0
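Review bot: The EDID header is fetched from user space twice in this hunk, once into hdr and again as the first bytes of edid_buf, so the extensions byte inside the buffer handed to drm_edid_alloc() can differ from the hdr.extensions value that sized the allocation if user space rewrites the memory between the two copy_from_user() calls. Consider memcpy()ing hdr into edid_buf and copying only the remaining size - sizeof(hdr) bytes from edid_userptr + sizeof(hdr), or re-checking after the second copy that the buffered header's extensions still equals hdr.extensions and returning -EINVAL if it does not. Separately, the kmalloc()/copy_from_user()/kfree() sequence could be collapsed into memdup_user(edid_userptr, size), which would remove the hand-written error path that has to remember the kfree().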