[PATCH] drm/kmb: Fix error pointer dereference

[PATCH] drm/kmb: Fix error pointer dereference

[Ethan Tidmore]

The function kmb_dsi_init() can return an error pointer and is checked
for it, and once confirm here in this code block below, goes to the label
err_free1:

kmb->kmb_dsi = kmb_dsi_init(dsi_pdev);
if (IS_ERR(kmb->kmb_dsi)) {
	drm_err(&kmb->drm, "failed to initialize DSI\n");
	ret = PTR_ERR(kmb->kmb_dsi);
	goto err_free1;
}

At the label itself it dereferences the confirmed error pointer.

 err_free1:
	dev_set_drvdata(dev, NULL);
	kmb_dsi_host_unregister(kmb->kmb_dsi);

	return ret;
}

Add check for error pointer before running kmb_dsi_host_unregister().

Fixes: 7f7b96a8a0a18 ("drm/kmb: Add support for KeemBay Display")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
---
 drivers/gpu/drm/kmb/kmb_drv.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/kmb/kmb_drv.c b/drivers/gpu/drm/kmb/kmb_drv.c
index 7c2eb1152fc2..9eabbce7574f 100644
--- a/drivers/gpu/drm/kmb/kmb_drv.c
+++ b/drivers/gpu/drm/kmb/kmb_drv.c
@@ -576,7 +576,8 @@ static int kmb_probe(struct platform_device *pdev)
 	drm_mode_config_cleanup(&kmb->drm);
  err_free1:
 	dev_set_drvdata(dev, NULL);
-	kmb_dsi_host_unregister(kmb->kmb_dsi);
+	if (!IS_ERR(kmb->kmb_dsi))
+		kmb_dsi_host_unregister(kmb->kmb_dsi);
 
 	return ret;
 }
-- 
2.53.0

Claude review: drm/kmb: Fix error pointer dereference

[Claude Code Review Bot]

Overall Series Review

Subject: drm/kmb: Fix error pointer dereference
Author: Ethan Tidmore <ethantidmore06@gmail.com>
Patches: 1
Reviewed: 2026-02-23T06:12:42.068591

---

This is a single-patch fix for a real error-pointer dereference bug in the KMB (KeemBay) DRM driver's probe function. When `kmb_dsi_init()` returns an error pointer, the error cleanup path at `err_free1` passes that error pointer directly to `kmb_dsi_host_unregister()`, which immediately dereferences it in `kmb_dsi_clk_disable()`, causing a crash.

The fix is correct and the commit message clearly explains the problem and the solution. The only question is whether the approach is the most idiomatic one for kernel error unwinding -- more on that below.

---
Generated by Claude Code Patch Reviewer

Claude review: drm/kmb: Fix error pointer dereference

[Claude Code Review Bot]

Patch Review

The bug analysis in the commit message is accurate. Confirmed that `kmb_dsi_host_unregister()` immediately dereferences its argument:

```c
void kmb_dsi_host_unregister(struct kmb_dsi *kmb_dsi)
{
	kmb_dsi_clk_disable(kmb_dsi);
	mipi_dsi_host_unregister(kmb_dsi->host);
}
```

So passing an ERR_PTR here will crash.

There are two paths that reach `err_free1`:

1. `kmb_dsi_init()` fails -- `kmb->kmb_dsi` is an ERR_PTR, must not call unregister.
2. `kmb_hw_init()` fails -- `kmb->kmb_dsi` is a valid pointer, must call unregister.

The fix handles both correctly:

> +	if (!IS_ERR(kmb->kmb_dsi))
> +		kmb_dsi_host_unregister(kmb->kmb_dsi);

This works, though the more common kernel pattern for this situation is to add a separate goto label so the `kmb_dsi_init` failure path skips the unregister entirely, rather than adding a runtime check in the cleanup code. Something like having the `kmb_dsi_init` error path jump to a label after the unregister call (or before it, with `dev_set_drvdata` duplicated). The IS_ERR approach is functionally fine but slightly unusual for kernel error unwinding, where the convention is that each label corresponds to unwinding one specific resource.

That said, restructuring the labels would be a larger diff for minimal benefit. The fix as-is is correct and solves the bug.

No other issues found.

---
Generated by Claude Code Patch Reviewer