kernel/linux.git/drivers/gpu/drm/exynos, branch v6.19.11

drm/exynos: vidi: fix to avoid directly dereferencing user pointer

2026-02-26T23:01:41+00:00

commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 upstream. In vidi_connection_ioctl(), vidi->edid(user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from the user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy edid to kernel memory using copy_from_user() and use it. Cc: Signed-off-by: Jeongjun Park Signed-off-by: Inki Dae Signed-off-by: Greg Kroah-Hartman

drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()

2026-02-26T23:01:40+00:00

commit d3968a0d85b211e197f2f4f06268a7031079e0d0 upstream. vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device. This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more. To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer. Cc: Signed-off-by: Jeongjun Park Signed-off-by: Inki Dae Signed-off-by: Greg Kroah-Hartman

drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free

2026-02-16T09:13:34+00:00

commit 52b330799e2d6f825ae2bb74662ec1b10eb954bb upstream. Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problem. For example, use-after-free can occur in race scenario like this: ``` CPU0 CPU1 CPU2 ---- ---- ---- vidi_connection_ioctl() if (vidi->connection) // true drm_edid = drm_edid_alloc(); // alloc drm_edid ... ctx->raw_edid = drm_edid; ... drm_mode_getconnector() drm_helper_probe_single_connector_modes() vidi_get_modes() if (ctx->raw_edid) // true drm_edid_dup(ctx->raw_edid); if (!drm_edid) // false ... vidi_connection_ioctl() if (vidi->connection) // false drm_edid_free(ctx->raw_edid); // free drm_edid ... drm_edid_alloc(drm_edid->edid) kmemdup(edid); // UAF!! ... ``` To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock. Cc: Signed-off-by: Jeongjun Park Signed-off-by: Inki Dae Signed-off-by: Greg Kroah-Hartman

drm/exynos: hdmi: replace use of system_wq with system_percpu_wq

2026-01-07T08:50:50+00:00

Currently if a user enqueue a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() use WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND. This lack of consistentcy cannot be addressed without refactoring the API. This patch continues the effort to refactor worqueue APIs, which has begun with the change introducing new workqueues and a new alloc_workqueue flag: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") system_wq should be the per-cpu workqueue, yet in this name nothing makes that clear, so replace system_wq with system_percpu_wq. The old wq (system_wq) will be kept for a few release cycles. Suggested-by: Tejun Heo Signed-off-by: Marco Crivellari Signed-off-by: Inki Dae

drm/fb-helper: Allocate and release fb_info in single place

2025-11-25T10:02:43+00:00

Move the calls to drm_fb_helper_alloc_info() from drivers into a single place in fbdev helpers. Allocates struct fb_info for a new framebuffer device. Then call drm_fb_helper_single_fb_probe() to create an fbdev screen buffer. Also release the instance on errors by calling drm_fb_helper_release_info(). Simplifies the code and fixes the error cleanup for some of the drivers. Regular release of the struct fb_info instance still happens in drm_fb_helper_fini() as before. v2: - remove error rollback in driver implementations (kernel test robot) - initialize info in TTM implementation (kernel test robot) Signed-off-by: Thomas Zimmermann Acked-by: Christian König # radeon Acked-by: Dmitry Baryshkov # msm Acked-by: Javier Martinez Canillas Link: https://patch.msgid.link/20251027081245.80262-1-tzimmermann@suse.de

drm: include drm_print.h where needed

2025-10-31T08:34:52+00:00

There are a gazillion files that depend on drm_print.h being indirectly included via drm_buddy.h, drm_mm.h, or ttm/ttm_resource.h. In preparation for removing those includes, explicitly include drm_print.h where needed. Cc: Thomas Zimmermann Reviewed-by: Thomas Zimmermann Signed-off-by: Jani Nikula Link: https://lore.kernel.org/r/5fe67395907be33eb5199ea6d540e29fddee71c8.1761734313.git.jani.nikula@intel.com

drm/client: Add client free callback to unprepare fb_helper

2025-10-24T06:44:10+00:00

Add free callback to struct drm_client_funcs. Invoke function to free the client memory as part of the release process. Implement free for fbdev emulation. Fbdev emulation allocates and prepares client memory in drm_fbdev_client_setup(). The release happens in fb_destroy from struct fb_ops. Multiple implementations of this callback exist in the various drivers that provide an fbdev implementation. Each of them needs to follow the implementation details of the fbdev setup code. Adding a free callback for the client puts the unprepare and release of the fbdev client in a single place. Signed-off-by: Thomas Zimmermann Reviewed-by: Dmitry Baryshkov # core, msm Acked-by: Tomi Valkeinen # omapdrm Acked-by: Patrik Jakobsson # gma500 Acked-by: Alex Deucher Link: https://lore.kernel.org/r/20251009132006.45834-2-tzimmermann@suse.de

Merge drm/drm-next into drm-misc-next

2025-10-13T07:19:19+00:00

Updating drm-misc-next to the state of v6.18-rc1. Signed-off-by: Thomas Zimmermann

drm/exynos: Switch to drm_atomic_get_new_crtc_state()

2025-10-06T11:59:11+00:00

The exynos atomic_check implementation uses the deprecated drm_atomic_get_existing_crtc_state() helper. This hook is called as part of the global atomic_check, thus before the states are swapped. The existing state thus points to the new state, and we can use drm_atomic_get_new_crtc_state() instead. Reviewed-by: Ville Syrjälä Link: https://lore.kernel.org/r/20250930-drm-no-more-existing-state-v5-16-eeb9e1287907@kernel.org Signed-off-by: Maxime Ripard

drm/exynos: Compute dumb-buffer sizes with drm_mode_size_dumb()

2025-09-29T12:00:57+00:00

Call drm_mode_size_dumb() to compute dumb-buffer scanline pitch and buffer size. No alignment required. Signed-off-by: Thomas Zimmermann Cc: Inki Dae Cc: Seung-Woo Kim Cc: Kyungmin Park Cc: Krzysztof Kozlowski Cc: Alim Akhtar Acked-by: Inki Dae Link: https://lore.kernel.org/r/20250821081918.79786-8-tzimmermann@suse.de