[PATCH v3] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[PATCH v3] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Luca Leonardo Scorcia]

The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,
which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this
structure needs to be stored inside the driver data before invoking it.

As drvdata is currently uninitialized it leads to a crash when
registering the DSI DRM encoder right after acquiring
the mode_config.idr_mutex, blocking all subsequent DRM operations.

Fixes the following crash during mediatek-drm probe (tested on Xiaomi
Smart Clock x04g):

Unable to handle kernel NULL pointer dereference at virtual address
 0000000000000040
[...]
Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib
 drm_dma_helper drm_kms_helper panel_simple
[...]
Call trace:
 drm_mode_object_add+0x58/0x98 (P)
 __drm_encoder_init+0x48/0x140
 drm_encoder_init+0x6c/0xa0
 drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]
 mtk_dsi_bind+0x34/0x13c [mediatek_drm]
 component_bind_all+0x120/0x280
 mtk_drm_bind+0x284/0x67c [mediatek_drm]
 try_to_bring_up_aggregate_device+0x23c/0x320
 __component_add+0xa4/0x198
 component_add+0x14/0x20
 mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]
 mipi_dsi_attach+0x2c/0x50
 panel_simple_dsi_probe+0x4c/0x9c [panel_simple]
 mipi_dsi_drv_probe+0x1c/0x28
 really_probe+0xc0/0x3dc
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x40/0x120
 __device_attach_driver+0xbc/0x17c
 bus_for_each_drv+0x88/0xf0
 __device_attach+0x9c/0x1cc
 device_initial_probe+0x54/0x60
 bus_probe_device+0x34/0xa0
 device_add+0x5b0/0x800
 mipi_dsi_device_register_full+0xdc/0x16c
 mipi_dsi_host_register+0xc4/0x17c
 mtk_dsi_probe+0x10c/0x260 [mediatek_drm]
 platform_probe+0x5c/0xa4
 really_probe+0xc0/0x3dc
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x40/0x120
 __driver_attach+0xc8/0x1f8
 bus_for_each_dev+0x7c/0xe0
 driver_attach+0x24/0x30
 bus_add_driver+0x11c/0x240
 driver_register+0x68/0x130
 __platform_register_drivers+0x64/0x160
 mtk_drm_init+0x24/0x1000 [mediatek_drm]
 do_one_initcall+0x60/0x1d0
 do_init_module+0x54/0x240
 load_module+0x1838/0x1dc0
 init_module_from_file+0xd8/0xf0
 __arm64_sys_finit_module+0x1b4/0x428
 invoke_syscall.constprop.0+0x48/0xc8
 do_el0_svc+0x3c/0xb8
 el0_svc+0x34/0xe8
 el0t_64_sync_handler+0xa0/0xe4
 el0t_64_sync+0x198/0x19c
Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
---[ end trace 0000000000000000 ]---

Fixes: e4732b590a77 ("drm/mediatek: dsi: Register DSI host after acquiring clocks and PHY")
Signed-off-by: Luca Leonardo Scorcia <l.scorcia@gmail.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
---
v3: Also initialize irq_wait_queue before calling platform_set_drvdata
v2: Added Fixes tag

 drivers/gpu/drm/mediatek/mtk_dsi.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
index d7726091819c..acee2227275b 100644
--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
@@ -1232,6 +1232,11 @@ static int mtk_dsi_probe(struct platform_device *pdev)
 
 	dsi->host.ops = &mtk_dsi_ops;
 	dsi->host.dev = dev;
+
+	init_waitqueue_head(&dsi->irq_wait_queue);
+
+	platform_set_drvdata(pdev, dsi);
+
 	ret = mipi_dsi_host_register(&dsi->host);
 	if (ret < 0)
 		return dev_err_probe(dev, ret, "Failed to register DSI host\n");
@@ -1243,10 +1248,6 @@ static int mtk_dsi_probe(struct platform_device *pdev)
 		return dev_err_probe(&pdev->dev, ret, "Failed to request DSI irq\n");
 	}
 
-	init_waitqueue_head(&dsi->irq_wait_queue);
-
-	platform_set_drvdata(pdev, dsi);
-
 	dsi->bridge.of_node = dev->of_node;
 	dsi->bridge.type = DRM_MODE_CONNECTOR_DSI;
 
-- 
2.43.0

Re: [PATCH v3] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[CK Hu (胡俊光)]

[-- Attachment #1: Type: text/plain, Size: 4301 bytes --]

On Wed, 2026-02-25 at 09:38 +0000, Luca Leonardo Scorcia wrote:
> External email : Please do not click links or open attachments until you have verified the sender or the content.
> 
> 
> The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,
> which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this
> structure needs to be stored inside the driver data before invoking it.
> 
> As drvdata is currently uninitialized it leads to a crash when
> registering the DSI DRM encoder right after acquiring
> the mode_config.idr_mutex, blocking all subsequent DRM operations.
> 
> Fixes the following crash during mediatek-drm probe (tested on Xiaomi
> Smart Clock x04g):
> 
> Unable to handle kernel NULL pointer dereference at virtual address
>  0000000000000040
> [...]
> Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib
>  drm_dma_helper drm_kms_helper panel_simple
> [...]
> Call trace:
>  drm_mode_object_add+0x58/0x98 (P)
>  __drm_encoder_init+0x48/0x140
>  drm_encoder_init+0x6c/0xa0
>  drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]
>  mtk_dsi_bind+0x34/0x13c [mediatek_drm]
>  component_bind_all+0x120/0x280
>  mtk_drm_bind+0x284/0x67c [mediatek_drm]
>  try_to_bring_up_aggregate_device+0x23c/0x320
>  __component_add+0xa4/0x198
>  component_add+0x14/0x20
>  mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]
>  mipi_dsi_attach+0x2c/0x50
>  panel_simple_dsi_probe+0x4c/0x9c [panel_simple]
>  mipi_dsi_drv_probe+0x1c/0x28
>  really_probe+0xc0/0x3dc
>  __driver_probe_device+0x80/0x160
>  driver_probe_device+0x40/0x120
>  __device_attach_driver+0xbc/0x17c
>  bus_for_each_drv+0x88/0xf0
>  __device_attach+0x9c/0x1cc
>  device_initial_probe+0x54/0x60
>  bus_probe_device+0x34/0xa0
>  device_add+0x5b0/0x800
>  mipi_dsi_device_register_full+0xdc/0x16c
>  mipi_dsi_host_register+0xc4/0x17c
>  mtk_dsi_probe+0x10c/0x260 [mediatek_drm]
>  platform_probe+0x5c/0xa4
>  really_probe+0xc0/0x3dc
>  __driver_probe_device+0x80/0x160
>  driver_probe_device+0x40/0x120
>  __driver_attach+0xc8/0x1f8
>  bus_for_each_dev+0x7c/0xe0
>  driver_attach+0x24/0x30
>  bus_add_driver+0x11c/0x240
>  driver_register+0x68/0x130
>  __platform_register_drivers+0x64/0x160
>  mtk_drm_init+0x24/0x1000 [mediatek_drm]
>  do_one_initcall+0x60/0x1d0
>  do_init_module+0x54/0x240
>  load_module+0x1838/0x1dc0
>  init_module_from_file+0xd8/0xf0
>  __arm64_sys_finit_module+0x1b4/0x428
>  invoke_syscall.constprop.0+0x48/0xc8
>  do_el0_svc+0x3c/0xb8
>  el0_svc+0x34/0xe8
>  el0t_64_sync_handler+0xa0/0xe4
>  el0t_64_sync+0x198/0x19c
> Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
> ---[ end trace 0000000000000000 ]---

Reviewed-by: CK Hu <ck.hu@mediatek.com>

> 
> Fixes: e4732b590a77 ("drm/mediatek: dsi: Register DSI host after acquiring clocks and PHY")
> Signed-off-by: Luca Leonardo Scorcia <l.scorcia@gmail.com>
> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
> ---
> v3: Also initialize irq_wait_queue before calling platform_set_drvdata
> v2: Added Fixes tag
> 
>  drivers/gpu/drm/mediatek/mtk_dsi.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
> index d7726091819c..acee2227275b 100644
> --- a/drivers/gpu/drm/mediatek/mtk_dsi.c
> +++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
> @@ -1232,6 +1232,11 @@ static int mtk_dsi_probe(struct platform_device *pdev)
> 
>         dsi->host.ops = &mtk_dsi_ops;
>         dsi->host.dev = dev;
> +
> +       init_waitqueue_head(&dsi->irq_wait_queue);
> +
> +       platform_set_drvdata(pdev, dsi);
> +
>         ret = mipi_dsi_host_register(&dsi->host);
>         if (ret < 0)
>                 return dev_err_probe(dev, ret, "Failed to register DSI host\n");
> @@ -1243,10 +1248,6 @@ static int mtk_dsi_probe(struct platform_device *pdev)
>                 return dev_err_probe(&pdev->dev, ret, "Failed to request DSI irq\n");
>         }
> 
> -       init_waitqueue_head(&dsi->irq_wait_queue);
> -
> -       platform_set_drvdata(pdev, dsi);
> -
>         dsi->bridge.of_node = dev->of_node;
>         dsi->bridge.type = DRM_MODE_CONNECTOR_DSI;
> 
> --
> 2.43.0
> 
> 


[-- Attachment #2: Type: text/html, Size: 7683 bytes --]

Claude review: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Claude Code Review Bot]

Patch Review

**Correctness: Good**

The commit message clearly explains the bug with a full crash trace showing the call chain from `mipi_dsi_host_register` → `mtk_dsi_host_attach` → `component_add` → `mtk_dsi_bind` → `dev_get_drvdata` returning NULL. The fix moves `platform_set_drvdata(pdev, dsi)` before the `mipi_dsi_host_register()` call, which is the right thing to do.

**init_waitqueue_head move is also correct (v3 improvement):**

The `init_waitqueue_head(&dsi->irq_wait_queue)` is also moved earlier, before `platform_set_drvdata`. This is important because after `mipi_dsi_host_register` completes and `mtk_dsi_bind` runs successfully, the DSI subsystem could theoretically start operations that use the wait queue. More concretely, the IRQ handler `mtk_dsi_irq()` calls `wake_up_interruptible(&dsi->irq_wait_queue)` — so the wait queue must be initialized before `devm_request_irq()`, which is called right after `mipi_dsi_host_register()`. This was already the case in the original code (init was after request_irq — actually a latent bug!), and this patch fixes that ordering too.

**Minor observation — latent pre-existing bug also fixed:**

Looking at the original code in the drm-next tree:

```c
ret = devm_request_irq(&pdev->dev, irq_num, mtk_dsi_irq, ...);  // line 1243
...
init_waitqueue_head(&dsi->irq_wait_queue);  // line 1250
```

The original code initializes the wait queue *after* registering the IRQ handler that calls `wake_up_interruptible()` on it. This is a pre-existing race condition. This patch incidentally fixes it by moving `init_waitqueue_head` before both `mipi_dsi_host_register` and `devm_request_irq`. The commit message (v3 note) mentions this was intentional, which is good.

**No error-path concerns:** `platform_set_drvdata` and `init_waitqueue_head` don't need cleanup on failure, so moving them earlier doesn't create any resource leak issues on the error paths.

**Fixes tag:** Correctly references commit `e4732b590a77` which moved `mipi_dsi_host_register` earlier in the probe function without also moving `platform_set_drvdata` ahead of it.

**Verdict:** The patch is correct and well-motivated. No issues found.

Reviewed-by tags present: AngeloGioacchino Del Regno (Collabora) — appropriate reviewer for MediaTek DRM.

---
Generated by Claude Code Patch Reviewer

Claude review: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Claude Code Review Bot]

Overall Series Review

Subject: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
Author: Luca Leonardo Scorcia <l.scorcia@gmail.com>
Patches: 2
Reviewed: 2026-02-27T13:42:15.167058

---

This is a single-patch fix for a real NULL pointer dereference crash in the MediaTek DSI driver. The analysis is correct: `mipi_dsi_host_register()` can synchronously trigger `mtk_dsi_host_attach()` → `component_add()` → `component_bind_all()` → `mtk_dsi_bind()`, which calls `dev_get_drvdata()`. Since `platform_set_drvdata()` was called *after* `mipi_dsi_host_register()`, `dsi` was NULL in `mtk_dsi_bind()`, causing the crash. The fix is straightforward and correct. The patch has already been reviewed-by AngeloGioacchino Del Regno.

The patch looks good and should be applied.

---
Generated by Claude Code Patch Reviewer

[PATCH v3 RESEND] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Luca Leonardo Scorcia]

The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,
which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this
structure needs to be stored inside the driver data before invoking it.

As drvdata is currently uninitialized it leads to a crash when
registering the DSI DRM encoder right after acquiring
the mode_config.idr_mutex, blocking all subsequent DRM operations.

Fixes the following crash during mediatek-drm probe (tested on Xiaomi
Smart Clock x04g):

Unable to handle kernel NULL pointer dereference at virtual address
 0000000000000040
[...]
Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib
 drm_dma_helper drm_kms_helper panel_simple
[...]
Call trace:
 drm_mode_object_add+0x58/0x98 (P)
 __drm_encoder_init+0x48/0x140
 drm_encoder_init+0x6c/0xa0
 drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]
 mtk_dsi_bind+0x34/0x13c [mediatek_drm]
 component_bind_all+0x120/0x280
 mtk_drm_bind+0x284/0x67c [mediatek_drm]
 try_to_bring_up_aggregate_device+0x23c/0x320
 __component_add+0xa4/0x198
 component_add+0x14/0x20
 mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]
 mipi_dsi_attach+0x2c/0x50
 panel_simple_dsi_probe+0x4c/0x9c [panel_simple]
 mipi_dsi_drv_probe+0x1c/0x28
 really_probe+0xc0/0x3dc
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x40/0x120
 __device_attach_driver+0xbc/0x17c
 bus_for_each_drv+0x88/0xf0
 __device_attach+0x9c/0x1cc
 device_initial_probe+0x54/0x60
 bus_probe_device+0x34/0xa0
 device_add+0x5b0/0x800
 mipi_dsi_device_register_full+0xdc/0x16c
 mipi_dsi_host_register+0xc4/0x17c
 mtk_dsi_probe+0x10c/0x260 [mediatek_drm]
 platform_probe+0x5c/0xa4
 really_probe+0xc0/0x3dc
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x40/0x120
 __driver_attach+0xc8/0x1f8
 bus_for_each_dev+0x7c/0xe0
 driver_attach+0x24/0x30
 bus_add_driver+0x11c/0x240
 driver_register+0x68/0x130
 __platform_register_drivers+0x64/0x160
 mtk_drm_init+0x24/0x1000 [mediatek_drm]
 do_one_initcall+0x60/0x1d0
 do_init_module+0x54/0x240
 load_module+0x1838/0x1dc0
 init_module_from_file+0xd8/0xf0
 __arm64_sys_finit_module+0x1b4/0x428
 invoke_syscall.constprop.0+0x48/0xc8
 do_el0_svc+0x3c/0xb8
 el0_svc+0x34/0xe8
 el0t_64_sync_handler+0xa0/0xe4
 el0t_64_sync+0x198/0x19c
Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
---[ end trace 0000000000000000 ]---

Fixes: e4732b590a77 ("drm/mediatek: dsi: Register DSI host after acquiring clocks and PHY")
Signed-off-by: Luca Leonardo Scorcia <l.scorcia@gmail.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: CK Hu <ck.hu@mediatek.com>
---
v3: Also initialize irq_wait_queue before calling platform_set_drvdata
v2: Added Fixes tag

 drivers/gpu/drm/mediatek/mtk_dsi.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
index d7726091819c..acee2227275b 100644
--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
@@ -1232,6 +1232,11 @@ static int mtk_dsi_probe(struct platform_device *pdev)
 
 	dsi->host.ops = &mtk_dsi_ops;
 	dsi->host.dev = dev;
+
+	init_waitqueue_head(&dsi->irq_wait_queue);
+
+	platform_set_drvdata(pdev, dsi);
+
 	ret = mipi_dsi_host_register(&dsi->host);
 	if (ret < 0)
 		return dev_err_probe(dev, ret, "Failed to register DSI host\n");
@@ -1243,10 +1248,6 @@ static int mtk_dsi_probe(struct platform_device *pdev)
 		return dev_err_probe(&pdev->dev, ret, "Failed to request DSI irq\n");
 	}
 
-	init_waitqueue_head(&dsi->irq_wait_queue);
-
-	platform_set_drvdata(pdev, dsi);
-
 	dsi->bridge.of_node = dev->of_node;
 	dsi->bridge.type = DRM_MODE_CONNECTOR_DSI;
 
-- 
2.43.0

Claude review: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Claude Code Review Bot]

Patch Review

**Problem analysis:** Correct. The call chain is:
`mipi_dsi_host_register` → `panel_simple_dsi_probe` → `mipi_dsi_attach` → `mtk_dsi_host_attach` → `component_add` → `mtk_dsi_bind` → `dev_get_drvdata` (returns NULL) → crash in `drm_simple_encoder_init`.

**Fix correctness:**

1. **Moving `platform_set_drvdata(pdev, dsi)` before `mipi_dsi_host_register`** — correct and necessary. This is the core fix.

2. **Moving `init_waitqueue_head(&dsi->irq_wait_queue)` before `mipi_dsi_host_register`** — also correct. Since the bind path can now execute during `mipi_dsi_host_register`, and the IRQ handler (`mtk_dsi_irq`) uses `dsi->irq_wait_queue` via `wake_up_interruptible`, the waitqueue must be initialized before any code path could potentially trigger it. While the IRQ is requested *after* `mipi_dsi_host_register`, initializing the waitqueue early is defensive and costs nothing.

3. **Error path consideration:** After this patch, if `mipi_dsi_host_register` fails, `platform_set_drvdata` will have been called but the function returns an error and the device will be torn down by devm, so no issue. If `devm_request_irq` fails, the existing cleanup (`mipi_dsi_host_unregister`) is still correct — `drvdata` being set is harmless.

**No issues found.** The Fixes tag correctly references the commit that introduced the regression. The patch is minimal and focused.

---
Generated by Claude Code Patch Reviewer

Claude review: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Claude Code Review Bot]

Overall Series Review

Subject: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
Author: Luca Leonardo Scorcia <l.scorcia@gmail.com>
Patches: 1
Reviewed: 2026-03-22T03:36:31.537150

---

This is a single-patch fix for a real NULL pointer dereference crash in the MediaTek DSI driver during probe. The analysis is correct and the fix is straightforward. The commit `e4732b590a77` moved `mipi_dsi_host_register` earlier in the probe sequence but left `platform_set_drvdata` after it, causing `dev_get_drvdata` in the `mtk_dsi_bind` callback path to return NULL.

The patch is well-motivated with a clear crash trace, has already been reviewed by the MediaTek DRM maintainers (CK Hu) and Collabora's Angelo Del Regno, and is on its v3 iteration.

**Verdict: Looks good. Ready to merge.**

---
Generated by Claude Code Patch Reviewer

[PATCH v2] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Luca Leonardo Scorcia]

The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,
which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this
structure needs to be stored inside the driver data before invoking it.

As drvdata is currently uninitialized it leads to a crash when
registering the DSI DRM encoder right after acquiring
the mode_config.idr_mutex, blocking all subsequent DRM operations.

Fixes the following crash during mediatek-drm probe (tested on Xiaomi
Smart Clock x04g):

Unable to handle kernel NULL pointer dereference at virtual address
 0000000000000040
[...]
Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib
 drm_dma_helper drm_kms_helper panel_simple
[...]
Call trace:
 drm_mode_object_add+0x58/0x98 (P)
 __drm_encoder_init+0x48/0x140
 drm_encoder_init+0x6c/0xa0
 drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]
 mtk_dsi_bind+0x34/0x13c [mediatek_drm]
 component_bind_all+0x120/0x280
 mtk_drm_bind+0x284/0x67c [mediatek_drm]
 try_to_bring_up_aggregate_device+0x23c/0x320
 __component_add+0xa4/0x198
 component_add+0x14/0x20
 mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]
 mipi_dsi_attach+0x2c/0x50
 panel_simple_dsi_probe+0x4c/0x9c [panel_simple]
 mipi_dsi_drv_probe+0x1c/0x28
 really_probe+0xc0/0x3dc
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x40/0x120
 __device_attach_driver+0xbc/0x17c
 bus_for_each_drv+0x88/0xf0
 __device_attach+0x9c/0x1cc
 device_initial_probe+0x54/0x60
 bus_probe_device+0x34/0xa0
 device_add+0x5b0/0x800
 mipi_dsi_device_register_full+0xdc/0x16c
 mipi_dsi_host_register+0xc4/0x17c
 mtk_dsi_probe+0x10c/0x260 [mediatek_drm]
 platform_probe+0x5c/0xa4
 really_probe+0xc0/0x3dc
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x40/0x120
 __driver_attach+0xc8/0x1f8
 bus_for_each_dev+0x7c/0xe0
 driver_attach+0x24/0x30
 bus_add_driver+0x11c/0x240
 driver_register+0x68/0x130
 __platform_register_drivers+0x64/0x160
 mtk_drm_init+0x24/0x1000 [mediatek_drm]
 do_one_initcall+0x60/0x1d0
 do_init_module+0x54/0x240
 load_module+0x1838/0x1dc0
 init_module_from_file+0xd8/0xf0
 __arm64_sys_finit_module+0x1b4/0x428
 invoke_syscall.constprop.0+0x48/0xc8
 do_el0_svc+0x3c/0xb8
 el0_svc+0x34/0xe8
 el0t_64_sync_handler+0xa0/0xe4
 el0t_64_sync+0x198/0x19c
Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
---[ end trace 0000000000000000 ]---

Fixes: e4732b590a77 ("drm/mediatek: dsi: Register DSI host after acquiring clocks and PHY")
Signed-off-by: Luca Leonardo Scorcia <l.scorcia@gmail.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
---
v2: Added Fixes tag

 drivers/gpu/drm/mediatek/mtk_dsi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
index d7726091819c..af4871de9e4c 100644
--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
@@ -1232,6 +1232,8 @@ static int mtk_dsi_probe(struct platform_device *pdev)
 
 	dsi->host.ops = &mtk_dsi_ops;
 	dsi->host.dev = dev;
+	platform_set_drvdata(pdev, dsi);
+
 	ret = mipi_dsi_host_register(&dsi->host);
 	if (ret < 0)
 		return dev_err_probe(dev, ret, "Failed to register DSI host\n");
@@ -1245,8 +1247,6 @@ static int mtk_dsi_probe(struct platform_device *pdev)
 
 	init_waitqueue_head(&dsi->irq_wait_queue);
 
-	platform_set_drvdata(pdev, dsi);
-
 	dsi->bridge.of_node = dev->of_node;
 	dsi->bridge.type = DRM_MODE_CONNECTOR_DSI;
 
-- 
2.43.0

Claude review: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Claude Code Review Bot]

Overall Series Review

Subject: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
Author: Luca Leonardo Scorcia <l.scorcia@gmail.com>
Patches: 1
Reviewed: 2026-02-24T10:09:17.084197

---

This is a single-patch fix for a NULL pointer dereference during mediatek-drm DSI probe. The bug is straightforward: commit e4732b590a77 rearranged the probe sequence so that `mipi_dsi_host_register()` is called before `platform_set_drvdata()`, but `mipi_dsi_host_register()` can synchronously trigger `mtk_dsi_host_attach()` -> `component_add()` -> `mtk_dsi_bind()`, which calls `dev_get_drvdata()` and dereferences the result. Since drvdata is still NULL at that point, the kernel crashes.

The fix is minimal and correct: move `platform_set_drvdata(pdev, dsi)` before the `mipi_dsi_host_register()` call. The commit message is well-written, includes the full crash trace for reference, and has an appropriate Fixes tag.

---
Generated by Claude Code Patch Reviewer

Claude review: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

[Claude Code Review Bot]

Patch Review

The fix moves `platform_set_drvdata(pdev, dsi)` from after the IRQ request and waitqueue initialization to just before `mipi_dsi_host_register()`:

> +	platform_set_drvdata(pdev, dsi);
> +
>  	ret = mipi_dsi_host_register(&dsi->host);
>  	if (ret < 0)
>  		return dev_err_probe(dev, ret, "Failed to register DSI host\n");

This is correct. The call chain `mipi_dsi_host_register` -> `mtk_dsi_host_attach` -> `component_add` -> `mtk_dsi_bind` uses `dev_get_drvdata(dev)` to retrieve the `mtk_dsi` struct, so the drvdata must be set before registration.

The `dsi` pointer at this point in `mtk_dsi_probe` has already been allocated (via `devm_drm_bridge_alloc`), driver data matched, clocks obtained, registers mapped, PHY acquired, and the IRQ number retrieved — all the fields that `mtk_dsi_bind` might need are initialized. The `host.ops` and `host.dev` assignments are also already done on the lines immediately above.

If `mipi_dsi_host_register()` fails after drvdata is set, the drvdata will point to the `dsi` struct which is devres-managed and will be freed as part of device cleanup — this is harmless since the device itself won't proceed to use the stale drvdata after a failed probe.

No issues found. The fix is minimal, correct, and well-documented.

---
Generated by Claude Code Patch Reviewer