[PATCH 5.4 001/191] drm/mcde: dsi: Fix invalid pointer dereference if panel cannot be found

From: Greg Kroah-Hartman
Date: Tue Jan 07 2020 - 15:56:17 EST


From: Stephan Gerhold <stephan@xxxxxxxxxxx>

[ Upstream commit c131280c03bd1c225c2e64e9ef75873ffca3d96e ]

The "panel" pointer is not reset to NULL if of_drm_find_panel()
returns an error. Therefore we later assume that a panel was found,
and try to dereference the error pointer, resulting in:

mcde-dsi a0351000.dsi: failed to find panel try bridge (4294966779)
Unable to handle kernel paging request at virtual address fffffe03
PC is at drm_panel_bridge_add.part.0+0x10/0x5c
LR is at mcde_dsi_bind+0x120/0x464
...

Reset "panel" to NULL to avoid this problem.
Also change the format string of the error to %ld to print
the negative errors correctly. The crash above then becomes:

mcde-dsi a0351000.dsi: failed to find panel try bridge (-517)
mcde-dsi a0351000.dsi: no panel or bridge
...

Fixes: 5fc537bfd000 ("drm/mcde: Add new driver for ST-Ericsson MCDE")
Signed-off-by: Stephan Gerhold <stephan@xxxxxxxxxxx>
Signed-off-by: Linus Walleij <linus.walleij@xxxxxxxxxx>
Link: https://patchwork.freedesktop.org/patch/msgid/20191118130252.170324-1-stephan@xxxxxxxxxxx
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/gpu/drm/mcde/mcde_dsi.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/mcde/mcde_dsi.c b/drivers/gpu/drm/mcde/mcde_dsi.c
index f9c9e32b299c..35bb825d1918 100644
--- a/drivers/gpu/drm/mcde/mcde_dsi.c
+++ b/drivers/gpu/drm/mcde/mcde_dsi.c
@@ -935,11 +935,13 @@ static int mcde_dsi_bind(struct device *dev, struct device *master,
for_each_available_child_of_node(dev->of_node, child) {
panel = of_drm_find_panel(child);
if (IS_ERR(panel)) {
- dev_err(dev, "failed to find panel try bridge (%lu)\n",
+ dev_err(dev, "failed to find panel try bridge (%ld)\n",
PTR_ERR(panel));
+ panel = NULL;
+
bridge = of_drm_find_bridge(child);
if (IS_ERR(bridge)) {
- dev_err(dev, "failed to find bridge (%lu)\n",
+ dev_err(dev, "failed to find bridge (%ld)\n",
PTR_ERR(bridge));
return PTR_ERR(bridge);
}
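Review bot: The `return PTR_ERR(bridge);` in the bridge error branch exits for_each_available_child_of_node() early without dropping the reference the iterator holds on `child`, so an `of_node_put(child);` is needed before that return. Separately, the panel lookup failure in the commit message is -517 (-EPROBE_DEFER), and it is still reported through dev_err() before falling through to the bridge lookup. Consider a lower log level for that case so a deferred probe does not produce an error-level line each time.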
--
2.20.1