git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jeongjun Park <aha310510@gmail.com>
	Mon, 19 Jan 2026 08:25:51 +0000 (17:25 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 26 Feb 2026 23:01:40 +0000 (15:01 -0800)
commit	a540f767642f75240a6c35f6a65b69e44cfcea9d
tree	35a4141b4657c8c6b86b11c46994bd5eeaf39a27	tree \| snapshot
parent	44d0b3960ca01c36815b265b63726827cfb3510b	commit \| diff

drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()

commit d3968a0d85b211e197f2f4f06268a7031079e0d0 upstream.

vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to
obtain a struct vidi_context pointer. However, drm_dev->dev is the
exynos-drm master device, and the driver_data contained therein is not
the vidi component device, but a completely different device.

This can lead to various bugs, ranging from null pointer dereferences and
garbage value accesses to, in unlucky cases, out-of-bounds errors,
use-after-free errors, and more.

To resolve this issue, we need to store/delete the vidi device pointer in
exynos_drm_private->vidi_dev during bind/unbind, and then read this
exynos_drm_private->vidi_dev within ioctl() to obtain the correct
struct vidi_context pointer.

Cc: <stable@vger.kernel.org>
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/gpu/drm/exynos/exynos_drm_drv.h		diff \| blob \| blame \| history
drivers/gpu/drm/exynos/exynos_drm_vidi.c		diff \| blob \| blame \| history