drm/msm: fix use-after-free on probe deferral

The bridge counter was never reset when tearing down the DRM device so
that stale pointers to deallocated structures would be accessed on the
next tear down (e.g. after a second late bind deferral).

Given enough bridges and a few probe deferrals this could currently also
lead to data beyond the bridge array being corrupted.

Fixes: d28ea55 ("drm/msm: properly add and remove internal bridges")
Fixes: a3376e3 ("drm/msm: convert to drm_bridge")
Cc: [email protected]      # 3.12
Reviewed-by: Dmitry Baryshkov <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Tested-by: Kuogee Hsieh <[email protected]>
Reviewed-by: Kuogee Hsieh <[email protected]>
Patchwork: https://patchwork.freedesktop.org/patch/502665/
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Abhinav Kumar <[email protected]>

Author: jhovold

drivers/gpu/drm/msm/msm_drv.c

@@ -247,6 +247,7 @@ static int msm_drm_uninit(struct device *dev)
 
 	for (i = 0; i < priv->num_bridges; i++)
 		drm_bridge_remove(priv->bridges[i]);
+	priv->num_bridges = 0;
 
 	pm_runtime_get_sync(dev);
 	msm_irq_uninstall(ddev);