kernel/linux.git/drivers/gpu/drm/exynos, branch v6.6.132 Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.132 2026-03-25T10:06:01+00:00 drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free 2026-03-25T10:06:01+00:00 Jeongjun Park aha310510@gmail.com 2026-02-27T04:59:53+00:00 urn:sha1:1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13 [ Upstream commit 52b330799e2d6f825ae2bb74662ec1b10eb954bb ] Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problem. For example, use-after-free can occur in race scenario like this: ``` CPU0 CPU1 CPU2 ---- ---- ---- vidi_connection_ioctl() if (vidi->connection) // true drm_edid = drm_edid_alloc(); // alloc drm_edid ... ctx->raw_edid = drm_edid; ... drm_mode_getconnector() drm_helper_probe_single_connector_modes() vidi_get_modes() if (ctx->raw_edid) // true drm_edid_dup(ctx->raw_edid); if (!drm_edid) // false ... vidi_connection_ioctl() if (vidi->connection) // false drm_edid_free(ctx->raw_edid); // free drm_edid ... drm_edid_alloc(drm_edid->edid) kmemdup(edid); // UAF!! ... ``` To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock. Cc: <stable@vger.kernel.org> Signed-off-by: Jeongjun Park <aha310510@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/exynos: vidi: fix to avoid directly dereferencing user pointer 2026-03-25T10:06:01+00:00 Jeongjun Park aha310510@gmail.com 2026-02-27T04:59:52+00:00 urn:sha1:2e147aa3169b83eaf044776f81d86235bf147de1 [ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ] In vidi_connection_ioctl(), vidi->edid(user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from the user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy edid to kernel memory using copy_from_user() and use it. Cc: <stable@vger.kernel.org> Signed-off-by: Jeongjun Park <aha310510@gmail.com> Signed-off-by: Inki Dae <inki.dae@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() 2026-03-25T10:06:01+00:00 Jeongjun Park aha310510@gmail.com 2026-02-27T04:59:51+00:00 urn:sha1:21ca24ba51a2c28bcc4df9d7e5a40b0eb66ab76d [ Upstream commit d3968a0d85b211e197f2f4f06268a7031079e0d0 ] vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device. This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more. To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer. Cc: <stable@vger.kernel.org> Signed-off-by: Jeongjun Park <aha310510@gmail.com> Signed-off-by: Inki Dae <inki.dae@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/exynos: exynos7_drm_decon: remove ctx->suspended 2025-10-23T14:16:28+00:00 Kaustabh Chakraborty kauschluss@disroot.org 2025-10-18T02:18:19+00:00 urn:sha1:7a27f07948ef812af2111f2403d9fe9c4e9845d4 [ Upstream commit e1361a4f1be9cb69a662c6d7b5ce218007d6e82b ] Condition guards are found to be redundant, as the call flow is properly managed now, as also observed in the Exynos5433 DECON driver. Since state checking is no longer necessary, remove it. This also fixes an issue which prevented decon_commit() from decon_atomic_enable() due to an incorrect state change setting. Fixes: 96976c3d9aff ("drm/exynos: Add DECON driver") Cc: stable@vger.kernel.org Suggested-by: Inki Dae <inki.dae@samsung.com> Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Inki Dae <inki.dae@samsung.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/exynos: exynos7_drm_decon: properly clear channels during bind 2025-10-23T14:16:28+00:00 Kaustabh Chakraborty kauschluss@disroot.org 2025-10-18T02:18:18+00:00 urn:sha1:cbbe08268a13cae91bbde85ae349b3c76b0549bf [ Upstream commit 5f1a453974204175f20b3788824a0fe23cc36f79 ] The DECON channels are not cleared properly as the windows aren't shadow protected. When accompanied with an IOMMU, it pagefaults, and the kernel panics. Implement shadow protect/unprotect, along with a standalone update, for channel clearing to properly take effect. Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Inki Dae <inki.dae@samsung.com> Stable-dep-of: e1361a4f1be9 ("drm/exynos: exynos7_drm_decon: remove ctx->suspended") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in functions 2025-10-23T14:16:27+00:00 Kaustabh Chakraborty kauschluss@disroot.org 2025-10-18T02:18:17+00:00 urn:sha1:98c15dc950093b3d016b4be1ae37cd036b89b327 [ Upstream commit d31bbacf783daf1e71fbe5c68df93550c446bf44 ] Modify the functions to accept a pointer to struct decon_context instead. Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Inki Dae <inki.dae@samsung.com> Stable-dep-of: e1361a4f1be9 ("drm/exynos: exynos7_drm_decon: remove ctx->suspended") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling 2025-07-17T16:35:07+00:00 Kaustabh Chakraborty kauschluss@disroot.org 2025-06-26T19:20:30+00:00 urn:sha1:391e5ea5b877230b844c9bd8bbcd91b681b1ce2d commit b846350aa272de99bf6fecfa6b08e64ebfb13173 upstream. If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don't happen. This indicates that it's some sort of race condition. Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this. Cc: stable@vger.kernel.org Fixes: 96976c3d9aff ("drm/exynos: Add DECON driver") Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Inki Dae <inki.dae@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drm/exynos: fimd: Guard display clock control with runtime PM calls 2025-07-10T14:03:08+00:00 Marek Szyprowski m.szyprowski@samsung.com 2025-06-18T12:06:26+00:00 urn:sha1:1fc5dc930137f6a31262c7f84aa74d379800ef3d [ Upstream commit 5d91394f236167ac624b823820faf4aa928b889e ] Commit c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable") changed the call sequence to the CRTC enable/disable and bridge pre_enable/post_disable methods, so those bridge methods are now called when CRTC is not yet enabled. This causes a lockup observed on Samsung Peach-Pit/Pi Chromebooks. The source of this lockup is a call to fimd_dp_clock_enable() function, when FIMD device is not yet runtime resumed. It worked before the mentioned commit only because the CRTC implemented by the FIMD driver was always enabled what guaranteed the FIMD device to be runtime resumed. This patch adds runtime PM guards to the fimd_dp_clock_enable() function to enable its proper operation also when the CRTC implemented by FIMD is not yet enabled. Fixes: 196e059a8a6a ("drm/exynos: convert clock_enable crtc callback to pipeline clock") Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com> Signed-off-by: Inki Dae <inki.dae@samsung.com> Signed-off-by: Sasha Levin <sashal@kernel.org> drm/exynos: hdmi: use eld_mutex to protect access to connector->eld 2025-02-17T08:40:05+00:00 Dmitry Baryshkov dmitry.baryshkov@linaro.org 2024-12-06T09:43:08+00:00 urn:sha1:0493070d7ceeda0abe54df86081a07ce2eca939f [ Upstream commit 5e8436d334ed7f6785416447c50b42077c6503e0 ] Reading access to connector->eld can happen at the same time the drm_edid_to_eld() updates the data. Take the newly added eld_mutex in order to protect connector->eld from concurrent access. Reviewed-by: Maxime Ripard <mripard@kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20241206-drm-connector-eld-mutex-v2-5-c9bce1ee8bea@linaro.org Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() 2024-10-04T14:29:12+00:00 Yuesong Li liyuesong@vivo.com 2024-08-22T09:09:27+00:00 urn:sha1:37c40c01cf1ac034194f31d7a7def97ad856ef2c [ Upstream commit 94ebc3d3235c5c516f67315059ce657e5090e94b ] cocci reported a double assignment problem. Upon reviewing previous commits, it appears this may actually be an incorrect assignment. Fixes: 8b9550344d39 ("drm/ipp: clean up debug messages") Signed-off-by: Yuesong Li <liyuesong@vivo.com> Signed-off-by: Inki Dae <inki.dae@samsung.com> Signed-off-by: Sasha Levin <sashal@kernel.org>