From: Tuo Li <[email protected]>
[ Upstream commit 95eed73b871111123a8b1d31cb1fce7e902e49ea ]
In jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it
may be NULL:

    if (!jdi)
        mipi_dsi_detach(dsi);

However, when jdi is NULL, the function does not return and continues by
calling jdi_panel_disable():

    err = jdi_panel_disable(&jdi->base);

Inside jdi_panel_disable(), jdi is dereferenced unconditionally, which can
lead to a NULL-pointer dereference:

    struct jdi_panel *jdi = to_panel_jdi(panel);
    backlight_disable(jdi->backlight);

To prevent such a potential NULL-pointer dereference, return early from
jdi_panel_dsi_remove() when jdi is NULL.
Signed-off-by: Tuo Li <[email protected]>
Reviewed-by: Neil Armstrong <[email protected]>
Signed-off-by: Neil Armstrong <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
LLM Generated explanations, may be completely bogus:
## Analysis
### Commit Message Analysis
The commit message is clear and well-structured. It identifies a **null
pointer dereference** in `jdi_panel_dsi_remove()`. The existing code
checks `if (!jdi)` but only calls `mipi_dsi_detach(dsi)` without
returning, so execution falls through to `jdi_panel_disable(&jdi->base)`
which dereferences the NULL `jdi` pointer. This is a classic missing-
return-after-early-check bug.
The commit has been **Reviewed-by** a subsystem maintainer (Neil
Armstrong), lending credibility.
### Code Change Analysis
The fix is extremely small and surgical — it adds braces around the
existing `if (!jdi)` block and inserts a `return;` statement:
```c
- if (!jdi)
+ if (!jdi) {
mipi_dsi_detach(dsi);
+ return;
+ }
```
This is a textbook null-pointer dereference fix. The original code
intended to handle the `jdi == NULL` case (DSI-LINK2 interface that only
needs detach), but forgot to return early, causing the function to
continue and dereference `jdi` through `jdi_panel_disable(&jdi->base)`.
### Bug Classification
- **Type**: NULL pointer dereference
- **Trigger**: When `jdi_panel_dsi_remove()` is called for the DSI-LINK2
interface where `mipi_dsi_get_drvdata(dsi)` returns NULL
- **Consequence**: Kernel oops/crash due to dereferencing a NULL pointer
- **Severity**: Medium-High — this is a crash in a driver removal path,
triggered during device unbind or module unload
### Scope and Risk Assessment
- **Lines changed**: 3 lines (add braces and a `return`)
- **Files changed**: 1 file
- **Risk**: Extremely low — the fix is obviously correct and cannot
introduce regressions. It only adds an early return when `jdi` is
NULL, which is clearly the intended behavior given the existing NULL
check.
### Stable Kernel Criteria
1. **Obviously correct and tested**: Yes — reviewed by subsystem
maintainer, trivially correct
2. **Fixes a real bug**: Yes — NULL pointer dereference leading to
kernel crash
3. **Fixes an important issue**: Yes — crash in driver removal path
4. **Small and contained**: Yes — 3 lines in a single file
5. **No new features**: Correct — pure bug fix
6. **Applies cleanly**: Likely — the change is very localized
### Dependencies
This patch is self-contained with no dependencies on other commits.
### User Impact
This affects users of the JDI LPM102A188A panel (used in some
Chromebook-style devices). When the panel's DSI link is being removed
(e.g., during driver unbind or system shutdown), the kernel would crash.
While this is a niche driver, the fix is risk-free and prevents a real
crash.
**YES**
drivers/gpu/drm/panel/panel-jdi-lpm102a188a.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/panel/panel-jdi-lpm102a188a.c
b/drivers/gpu/drm/panel/panel-jdi-lpm102a188a.c
index 23462065d726b..ea975170fafff 100644
--- a/drivers/gpu/drm/panel/panel-jdi-lpm102a188a.c
+++ b/drivers/gpu/drm/panel/panel-jdi-lpm102a188a.c
@@ -434,8 +434,10 @@ static void jdi_panel_dsi_remove(struct mipi_dsi_device
*dsi)
int err;
/* only detach from host for the DSI-LINK2 interface */
- if (!jdi)
+ if (!jdi) {
mipi_dsi_detach(dsi);
+ return;
+ }
err = jdi_panel_disable(&jdi->base);
if (err < 0)
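Review bot: The comment above `if (!jdi) {` still reads "only detach from host for the DSI-LINK2 interface" and does not say that a NULL `jdi` is what identifies that interface, or that the function now stops there. Since the missing `return;` was the whole bug, consider extending the comment to something like "DSI-LINK2 has no panel data: detach from the host and return" so the early exit is not dropped again in a later cleanup. A smaller point in the same branch: the result of `mipi_dsi_detach(dsi);` is discarded immediately before `return;`, although `int err;` is declared just above and the following path checks `err < 0` after `jdi_panel_disable()`. If a failed detach is worth reporting, assign it to `err` and log it before returning.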
--
2.51.0