[PATCH 00/32] drm/mipi-dsi: avoid DSI host drivers to have pointers to DSI devices
Luca Ceresoli
luca.ceresoli at bootlin.com
Mon Jul 7 09:58:53 UTC 2025
On Mon, 7 Jul 2025 08:16:49 +0200
Maxime Ripard <mripard at kernel.org> wrote:
> Hi Luca,
>
> On Wed, Jun 25, 2025 at 06:45:04PM +0200, Luca Ceresoli wrote:
> > This series is the first attempt at avoiding DSI host drivers to have
> > pointers to DSI devices (struct mipi_dsi_device), as discussed during the
> > Linux Plumbers Conference 2024 with Maxime and Dmitry.
> >
> > It is working, but I consider this a draft in order to discuss and
> > challenge the proposed approach.
> >
> > Overall work
> > ============
> >
> > This is part of the work towards removal of bridges from a still existing
> > DRM pipeline without use-after-free. The grand plan as discussed in [1].
> > Here's the work breakdown (➜ marks the current series):
> >
> > 1. … add refcounting to DRM bridges (struct drm_bridge)
> > (based on devm_drm_bridge_alloc() [0])
> > A. ✔ add new alloc API and refcounting (in v6.16-rc1)
> > B. ✔ convert all bridge drivers to new API (now in drm-misc-next)
> > C. ✔ kunit tests (now in drm-misc-next)
> > D. … add get/put to drm_bridge_add/remove() + attach/detach()
> > and warn on old allocation pattern (under review)
> > E. … add get/put on drm_bridge accessors
> > 1. … drm_bridge_chain_get_first_bridge() + add a cleanup action
> > 2. … drm_bridge_chain_get_last_bridge()
> > 3. drm_bridge_get_prev_bridge()
> > 4. drm_bridge_get_next_bridge()
> > 5. drm_for_each_bridge_in_chain()
> > 6. drm_bridge_connector_init
> > 7. of_drm_find_bridge
> > 8. drm_of_find_panel_or_bridge, *_of_get_bridge
> > F. debugfs improvements
> > 2. handle gracefully atomic updates during bridge removal
> > 3. ➜ avoid DSI host drivers to have dangling pointers to DSI devices
> > (this series)
> > 4. finish the hotplug bridge work, removing the "always-disconnected"
> > connector, moving code to the core and potentially removing the
> > hotplug-bridge itself (this needs to be clarified as points 1-3 are
> > developed)
> >
> > [0] https://gitlab.freedesktop.org/drm/misc/kernel/-/commit/0cc6aadd7fc1e629b715ea3d1ba537ef2da95eec
> > [1] https://lore.kernel.org/lkml/20250206-hotplug-drm-bridge-v6-0-9d6f2c9c3058@bootlin.com/t/#u
> >
> > Motivation
> > ==========
> >
> > The motivation for this series is that with hot-pluggable hardware a DSI
> > device can be disconnected from the DSI host at runtime, and later on
> > reconnected, potentially with a different model having different bus
> > parameters.
> >
> > DSI host drivers currently receive a struct mipi_dsi_device pointer in the
> > attach callback and some store it permanently for later access to the bur
> > format data (lanes, channel, pixel format etc). The stored pointer can
> > become dangling if the device is removed, leading to a use-after-free.
> >
> > Currently the data exchange between DSI host and device happens primarily
> > by two means:
> >
> > * the device requests attach, detach and message transfer to the host by
> > calling mipi_dsi_attach/detach/transfer which in turn call the callbacks
> > in struct mipi_dsi_host_ops
> > - for this to work, struct mipi_dsi_device has a pointer to the host:
> > this is OK because the goal is supporting hotplug of the "remote"
> > part of the DRM pipeline
> > * the host accesses directly the fields of struct mipi_dsi_device, to
> > which it receives a pointer in the .attach and .detach callbacks
> >
> > The second bullet is the problematic one, which we want to remove.
> >
> > Strategy
> > ========
> >
> > I devised two possible strategies to address it:
> >
> > 1. change the host ops to not pass a struct mipi_dsi_device, but instead
> > to pass only a copy of the needed information (bus format mainly), so
> > the host driver does never access any info from the device
> >
> > 2. let the host get info from the device as needed, but without having a
> > pointer to it; this is be based on:
> > - storing a __private mipi_dsi_device pointer in struct mipi_dsi_host
> > - adding getters to the DSI core for the host to query the needed
> > info, e.g. drm_mipi_dsi_host_get_device_lanes(host) (the getters
> > would be allowed to dereference the device pointer)
> >
> > This series implements strategy 1. It does so by adding a .attach_new host
> > op, which does not take a mipi_dsi_device pointer, and converting most host
> > drivers to it. Once all drivers are converted, the old op can be removed,
> > and .attach_new renamed to .attach.
>
> I don't recall discussing this particular aspect at Plumbers, so sorry
> if we're coming back to the same discussion we had.
>
> I'm not necessarily opposed to changing the MIPI-DSI bus API, but I
> don't think changing the semantics to remove the fact that a particular
> device is connected or not is a good idea.
>
> I would have expected to have bus driver (maybe) take a device pointer
> at attach, and drop it at detach.
>
> Then, when we detect the hotplug of a DSI device, we detach it from its
> parent, and we're done.
>
> What prevents us from using that approach?
I probably should have done a recap of the whole discussion, so let me
do it now.
It all starts with one fact: a DSI device can be disconnected and then
a different one connected later on, having a different DSI bus format
(lanes, channel, mode flags, whatever). A detach/attach sequence would
handle that, but only in the simple case when there is a host/device
pair. Let's how consider this topology:
┌──────────────────┐
│ DSI bridge │
┌─────────┐ A │ │ B ┌───────────┐
│ DSI host├────►│device host├────►│DSI device │
└─────────┘ └──────────────────┘ └───────────┘
Here link A is always connected, link B is hot-pluggable. When the tail
device is removed and a different one plugged, a detach/attach sequence
can update the bus format on the DSI bridge, but then the DSI bridge
cannot update the format on the first host without faking a
detach/attach that does not map a real event.
The above topology is probably not common, but it is exactly what the
hotplug-bridge introduces [0]. Whether the hotplug-bridge will have to
eventually exist or not to support hotplug is still to be defined, but
regardless there is another problematic aspect.
The second problematic aspect is that several DSI host drivers will not
even drm_bridge_add() until they have an attached DSI device. One such
example is samsung-dsim, which calls drm_bridge_add()
in samsung_dsim_host_attach(). When such a driver implements the first
DSI host, the DSI bridge must register a DSI device before the DRM card
can be instantiated. See the lengthy comment before
hotplug_bridge_dsi_attach() in [0] for more gory details, but the
outcome is that the hotplug-bridge needs to attach a DSI device with
a fake format once initially just to let the DRM card probe, and the
detach and reattach with the correct format once an actual DSI device
is connected at the tail.
[0] https://lore.kernel.org/all/20240917-hotplug-drm-bridge-v4-4-bc4dfee61be6@bootlin.com/
The above would be improved if the DSI host API provided a way to
notify to the host about a bus format change, which is however not
present currently.
The naive solution would be adding a new DSI host op:
struct mipi_dsi_host_ops {
int (*attach)(struct mipi_dsi_host *host,
struct mipi_dsi_device *dsi);
int (*detach)(struct mipi_dsi_host *host,
struct mipi_dsi_device *dsi);
+ int (*bus_fmt_changed)(struct mipi_dsi_host *host,
+ struct mipi_dsi_device *dsi);
ssize_t (*transfer)(struct mipi_dsi_host *host,
const struct mipi_dsi_msg *msg);
};
This would allow reduce the current sequence:
1. attach with dummy format (no tail device yet)
2. fake detach
3. attach
with:
1. attach with dummy format (no tail device yet)
2. update format
Adding such a new op would be part of chapter 4 of this work, being it
quite useless without hotplug.
However while reasoning about this I noticed the DSI host drivers peek
into the struct mipi_dsi_device fields to read the format, so there is
no sort of isolation between host and device. Introducing a struct to
contain all the format fields looked like a good improvement in terms
of code organization.
Yet another aspect is that several host drivers keep a pointer to the
device, and thus in case of format change in the DSI device they might
be reading different fields at different moments, ending up with an
inconsistent format.
The above considerations, which are all partially overlapped, led me to
the idea of introducing a struct to exchange a DSI bus format, to be
exchanged as a whole ("atomically") between host and device. What's
your opinion about introducing such a struct?
The second aspect of this series is not passing pointers, and that's
the core topic you questioned. I realize it is not strictly necessary
to reach the various goals discussed in this e-mail. The work I'm doing
on the drm_bridge struct is actually a way to store a pointer while
avoiding use-after-free, so that can obviously be done for a simpler
scenario such as DSI host-device. However I thought not passing a
pointer would be a more radical solution: if a driver receives no
pointer, then it cannot by mistake keep it stored when it shouldn't,
maybe in a rare case within a complex driver where it is hard to spot.
I'll be OK to change the approach and keep the pointer passed in the
attach/detach ops, if that is the best option. However I'd like to have
your opinion about the above topics before working towards that
direction, and ensure I fully grasp the usefulness of keeping the
pointer.
Post scriptum. The very initial issue that led to all this discussion
when writing the hotplug-bridge driver is that the samsung-dsim driver
will not drm_bridge_add() until a DSI device does .attach to it. Again,
see the comments before hotplug_bridge_dsi_attach() in [0] for details.
However by re-examining the driver for the N-th time now from a new
POV, I _think_ this is not correct and potentially easy to solve. But this leads to one fundamental question:
--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
More information about the dri-devel
mailing list