[PATCH v3] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[PATCH v3] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Luca Leonardo Scorcia]

The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,
which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this
structure needs to be stored inside the driver data before invoking it.

As drvdata is currently uninitialized it leads to a crash when
registering the DSI DRM encoder right after acquiring
the mode_config.idr_mutex, blocking all subsequent DRM operations.

Fixes the following crash during mediatek-drm probe (tested on Xiaomi
Smart Clock x04g):

Unable to handle kernel NULL pointer dereference at virtual address
 0000000000000040
[...]
Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib
 drm_dma_helper drm_kms_helper panel_simple
[...]
Call trace:
 drm_mode_object_add+0x58/0x98 (P)
 __drm_encoder_init+0x48/0x140
 drm_encoder_init+0x6c/0xa0
 drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]
 mtk_dsi_bind+0x34/0x13c [mediatek_drm]
 component_bind_all+0x120/0x280
 mtk_drm_bind+0x284/0x67c [mediatek_drm]
 try_to_bring_up_aggregate_device+0x23c/0x320
 __component_add+0xa4/0x198
 component_add+0x14/0x20
 mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]
 mipi_dsi_attach+0x2c/0x50
 panel_simple_dsi_probe+0x4c/0x9c [panel_simple]
 mipi_dsi_drv_probe+0x1c/0x28
 really_probe+0xc0/0x3dc
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x40/0x120
 __device_attach_driver+0xbc/0x17c
 bus_for_each_drv+0x88/0xf0
 __device_attach+0x9c/0x1cc
 device_initial_probe+0x54/0x60
 bus_probe_device+0x34/0xa0
 device_add+0x5b0/0x800
 mipi_dsi_device_register_full+0xdc/0x16c
 mipi_dsi_host_register+0xc4/0x17c
 mtk_dsi_probe+0x10c/0x260 [mediatek_drm]
 platform_probe+0x5c/0xa4
 really_probe+0xc0/0x3dc
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x40/0x120
 __driver_attach+0xc8/0x1f8
 bus_for_each_dev+0x7c/0xe0
 driver_attach+0x24/0x30
 bus_add_driver+0x11c/0x240
 driver_register+0x68/0x130
 __platform_register_drivers+0x64/0x160
 mtk_drm_init+0x24/0x1000 [mediatek_drm]
 do_one_initcall+0x60/0x1d0
 do_init_module+0x54/0x240
 load_module+0x1838/0x1dc0
 init_module_from_file+0xd8/0xf0
 __arm64_sys_finit_module+0x1b4/0x428
 invoke_syscall.constprop.0+0x48/0xc8
 do_el0_svc+0x3c/0xb8
 el0_svc+0x34/0xe8
 el0t_64_sync_handler+0xa0/0xe4
 el0t_64_sync+0x198/0x19c
Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
---[ end trace 0000000000000000 ]---

Fixes: e4732b590a77 ("drm/mediatek: dsi: Register DSI host after acquiring clocks and PHY")
Signed-off-by: Luca Leonardo Scorcia <l.scorcia@gmail.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
---
v3: Also initialize irq_wait_queue before calling platform_set_drvdata
v2: Added Fixes tag

 drivers/gpu/drm/mediatek/mtk_dsi.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
index d7726091819c..acee2227275b 100644
--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
@@ -1232,6 +1232,11 @@ static int mtk_dsi_probe(struct platform_device *pdev)
 
 	dsi->host.ops = &mtk_dsi_ops;
 	dsi->host.dev = dev;
+
+	init_waitqueue_head(&dsi->irq_wait_queue);
+
+	platform_set_drvdata(pdev, dsi);
+
 	ret = mipi_dsi_host_register(&dsi->host);
 	if (ret < 0)
 		return dev_err_probe(dev, ret, "Failed to register DSI host\n");
@@ -1243,10 +1248,6 @@ static int mtk_dsi_probe(struct platform_device *pdev)
 		return dev_err_probe(&pdev->dev, ret, "Failed to request DSI irq\n");
 	}
 
-	init_waitqueue_head(&dsi->irq_wait_queue);
-
-	platform_set_drvdata(pdev, dsi);
-
 	dsi->bridge.of_node = dev->of_node;
 	dsi->bridge.type = DRM_MODE_CONNECTOR_DSI;
 
-- 
2.43.0

Re: [PATCH v3] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[CK Hu (胡俊光)]

[-- Attachment #1: Type: text/plain, Size: 4301 bytes --]

On Wed, 2026-02-25 at 09:38 +0000, Luca Leonardo Scorcia wrote:
> External email : Please do not click links or open attachments until you have verified the sender or the content.
> 
> 
> The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,
> which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this
> structure needs to be stored inside the driver data before invoking it.
> 
> As drvdata is currently uninitialized it leads to a crash when
> registering the DSI DRM encoder right after acquiring
> the mode_config.idr_mutex, blocking all subsequent DRM operations.
> 
> Fixes the following crash during mediatek-drm probe (tested on Xiaomi
> Smart Clock x04g):
> 
> Unable to handle kernel NULL pointer dereference at virtual address
>  0000000000000040
> [...]
> Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib
>  drm_dma_helper drm_kms_helper panel_simple
> [...]
> Call trace:
>  drm_mode_object_add+0x58/0x98 (P)
>  __drm_encoder_init+0x48/0x140
>  drm_encoder_init+0x6c/0xa0
>  drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]
>  mtk_dsi_bind+0x34/0x13c [mediatek_drm]
>  component_bind_all+0x120/0x280
>  mtk_drm_bind+0x284/0x67c [mediatek_drm]
>  try_to_bring_up_aggregate_device+0x23c/0x320
>  __component_add+0xa4/0x198
>  component_add+0x14/0x20
>  mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]
>  mipi_dsi_attach+0x2c/0x50
>  panel_simple_dsi_probe+0x4c/0x9c [panel_simple]
>  mipi_dsi_drv_probe+0x1c/0x28
>  really_probe+0xc0/0x3dc
>  __driver_probe_device+0x80/0x160
>  driver_probe_device+0x40/0x120
>  __device_attach_driver+0xbc/0x17c
>  bus_for_each_drv+0x88/0xf0
>  __device_attach+0x9c/0x1cc
>  device_initial_probe+0x54/0x60
>  bus_probe_device+0x34/0xa0
>  device_add+0x5b0/0x800
>  mipi_dsi_device_register_full+0xdc/0x16c
>  mipi_dsi_host_register+0xc4/0x17c
>  mtk_dsi_probe+0x10c/0x260 [mediatek_drm]
>  platform_probe+0x5c/0xa4
>  really_probe+0xc0/0x3dc
>  __driver_probe_device+0x80/0x160
>  driver_probe_device+0x40/0x120
>  __driver_attach+0xc8/0x1f8
>  bus_for_each_dev+0x7c/0xe0
>  driver_attach+0x24/0x30
>  bus_add_driver+0x11c/0x240
>  driver_register+0x68/0x130
>  __platform_register_drivers+0x64/0x160
>  mtk_drm_init+0x24/0x1000 [mediatek_drm]
>  do_one_initcall+0x60/0x1d0
>  do_init_module+0x54/0x240
>  load_module+0x1838/0x1dc0
>  init_module_from_file+0xd8/0xf0
>  __arm64_sys_finit_module+0x1b4/0x428
>  invoke_syscall.constprop.0+0x48/0xc8
>  do_el0_svc+0x3c/0xb8
>  el0_svc+0x34/0xe8
>  el0t_64_sync_handler+0xa0/0xe4
>  el0t_64_sync+0x198/0x19c
> Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
> ---[ end trace 0000000000000000 ]---

Reviewed-by: CK Hu <ck.hu@mediatek.com>

> 
> Fixes: e4732b590a77 ("drm/mediatek: dsi: Register DSI host after acquiring clocks and PHY")
> Signed-off-by: Luca Leonardo Scorcia <l.scorcia@gmail.com>
> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
> ---
> v3: Also initialize irq_wait_queue before calling platform_set_drvdata
> v2: Added Fixes tag
> 
>  drivers/gpu/drm/mediatek/mtk_dsi.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
> index d7726091819c..acee2227275b 100644
> --- a/drivers/gpu/drm/mediatek/mtk_dsi.c
> +++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
> @@ -1232,6 +1232,11 @@ static int mtk_dsi_probe(struct platform_device *pdev)
> 
>         dsi->host.ops = &mtk_dsi_ops;
>         dsi->host.dev = dev;
> +
> +       init_waitqueue_head(&dsi->irq_wait_queue);
> +
> +       platform_set_drvdata(pdev, dsi);
> +
>         ret = mipi_dsi_host_register(&dsi->host);
>         if (ret < 0)
>                 return dev_err_probe(dev, ret, "Failed to register DSI host\n");
> @@ -1243,10 +1248,6 @@ static int mtk_dsi_probe(struct platform_device *pdev)
>                 return dev_err_probe(&pdev->dev, ret, "Failed to request DSI irq\n");
>         }
> 
> -       init_waitqueue_head(&dsi->irq_wait_queue);
> -
> -       platform_set_drvdata(pdev, dsi);
> -
>         dsi->bridge.of_node = dev->of_node;
>         dsi->bridge.type = DRM_MODE_CONNECTOR_DSI;
> 
> --
> 2.43.0
> 
> 


[-- Attachment #2: Type: text/html, Size: 7683 bytes --]

Claude review: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Claude Code Review Bot]

Overall Series Review

Subject: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
Author: Luca Leonardo Scorcia <l.scorcia@gmail.com>
Patches: 2
Reviewed: 2026-02-27T13:42:15.167058

---

This is a single-patch fix for a real NULL pointer dereference crash in the MediaTek DSI driver. The analysis is correct: `mipi_dsi_host_register()` can synchronously trigger `mtk_dsi_host_attach()` → `component_add()` → `component_bind_all()` → `mtk_dsi_bind()`, which calls `dev_get_drvdata()`. Since `platform_set_drvdata()` was called *after* `mipi_dsi_host_register()`, `dsi` was NULL in `mtk_dsi_bind()`, causing the crash. The fix is straightforward and correct. The patch has already been reviewed-by AngeloGioacchino Del Regno.

The patch looks good and should be applied.

---
Generated by Claude Code Patch Reviewer

Claude review: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Claude Code Review Bot]

Patch Review

**Correctness: Good**

The commit message clearly explains the bug with a full crash trace showing the call chain from `mipi_dsi_host_register` → `mtk_dsi_host_attach` → `component_add` → `mtk_dsi_bind` → `dev_get_drvdata` returning NULL. The fix moves `platform_set_drvdata(pdev, dsi)` before the `mipi_dsi_host_register()` call, which is the right thing to do.

**init_waitqueue_head move is also correct (v3 improvement):**

The `init_waitqueue_head(&dsi->irq_wait_queue)` is also moved earlier, before `platform_set_drvdata`. This is important because after `mipi_dsi_host_register` completes and `mtk_dsi_bind` runs successfully, the DSI subsystem could theoretically start operations that use the wait queue. More concretely, the IRQ handler `mtk_dsi_irq()` calls `wake_up_interruptible(&dsi->irq_wait_queue)` — so the wait queue must be initialized before `devm_request_irq()`, which is called right after `mipi_dsi_host_register()`. This was already the case in the original code (init was after request_irq — actually a latent bug!), and this patch fixes that ordering too.

**Minor observation — latent pre-existing bug also fixed:**

Looking at the original code in the drm-next tree:

```c
ret = devm_request_irq(&pdev->dev, irq_num, mtk_dsi_irq, ...);  // line 1243
...
init_waitqueue_head(&dsi->irq_wait_queue);  // line 1250
```

The original code initializes the wait queue *after* registering the IRQ handler that calls `wake_up_interruptible()` on it. This is a pre-existing race condition. This patch incidentally fixes it by moving `init_waitqueue_head` before both `mipi_dsi_host_register` and `devm_request_irq`. The commit message (v3 note) mentions this was intentional, which is good.

**No error-path concerns:** `platform_set_drvdata` and `init_waitqueue_head` don't need cleanup on failure, so moving them earlier doesn't create any resource leak issues on the error paths.

**Fixes tag:** Correctly references commit `e4732b590a77` which moved `mipi_dsi_host_register` earlier in the probe function without also moving `platform_set_drvdata` ahead of it.

**Verdict:** The patch is correct and well-motivated. No issues found.

Reviewed-by tags present: AngeloGioacchino Del Regno (Collabora) — appropriate reviewer for MediaTek DRM.

---
Generated by Claude Code Patch Reviewer