From: sashiko-bot@kernel.org
To: "David Heidelberg via B4 Relay" <devnull+david.ixit.cz@kernel.org>
Cc: linux-media@vger.kernel.org
Subject: Re: [PATCH v7 7/8] media: qcom: camss: Account for C-PHY when calculating link frequency
Date: Fri, 05 Jun 2026 14:00:28 +0000 [thread overview]
Message-ID: <20260605140028.DD2A31F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260605-qcom-cphy-v7-7-426c37e9008f@ixit.cz>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Deterministic NULL pointer dereference when calculating link frequency for the CSID linked to the internal Test Pattern Generator (TPG).
- [High] The C-PHY link frequency calculation inverses the symbol rate ratio, resulting in a severely inflated link frequency.
--
commit 0a60c2346d24cbca656cf347fe3da5342c1b9381
Author: David Heidelberg <david@ixit.cz>
media: qcom: camss: Account for C-PHY when calculating link frequency
Ensure that the link frequency divider correctly accounts for C-PHY
operation. The divider differs between D-PHY and C-PHY, as described
in the MIPI CSI-2 specification.
Link: https://docs.kernel.org/driver-api/media/tx-rx.html#pixel-rate
> diff --git a/drivers/media/platform/qcom/camss/camss-csid.c b/drivers/media/platform/qcom/camss/camss-csid.c
> index bcc34ac9dd212..7415e811082da 100644
> --- a/drivers/media/platform/qcom/camss/camss-csid.c
> +++ b/drivers/media/platform/qcom/camss/camss-csid.c
> @@ -539,15 +539,18 @@ const struct csid_format_info *csid_get_fmt_entry(const struct csid_format_info
> static int csid_set_clock_rates(struct csid_device *csid)
> {
> struct device *dev = csid->camss->dev;
> + struct csiphy_device *csiphy = &csid->camss->csiphy[csid->phy.csiphy_id];
> + struct csiphy_lanes_cfg *lane_cfg = &csiphy->cfg.csi2->lane_cfg;
[Severity: High]
Will this cause a NULL pointer dereference when the CSID is linked to the
internal Test Pattern Generator (TPG)?
When the CSID is linked to the internal TPG, csid->phy.csiphy_id is set to
the TPG index, and the pipeline does not have a sensor bound. If
csiphy->cfg.csi2 is NULL, lane_cfg evaluates to an invalid pointer (an
offset from NULL).
This invalid pointer is then passed to camss_get_link_freq(), which
unconditionally dereferences lane_cfg->num_data before verifying if a sensor
pad actually exists. This would trigger a kernel panic. Before this patch,
the code passed csid->phy.lane_cnt by value, safely returning -ENODEV for
TPG and gracefully defaulting to a zero fallback frequency.
> const struct csid_format_info *fmt;
> +
> s64 link_freq;
> int i, j;
> int ret;
>
> fmt = csid_get_fmt_entry(csid->res->formats->formats, csid->res->formats->nformats,
> csid->fmt[MSM_CSIPHY_PAD_SINK].code);
> - link_freq = camss_get_link_freq(&csid->subdev.entity, fmt->bpp,
> - csid->phy.lane_cnt);
> +
> + link_freq = camss_get_link_freq(&csid->subdev.entity, fmt->bpp, lane_cfg);
[ ... ]
> diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c
> index 072c428e25166..db4e14a84a95f 100644
> --- a/drivers/media/platform/qcom/camss/camss.c
> +++ b/drivers/media/platform/qcom/camss/camss.c
[ ... ]
> @@ -4623,20 +4631,24 @@ struct media_pad *camss_find_sensor_pad(struct media_entity *entity)
> * camss_get_link_freq - Get link frequency from sensor
> * @entity: Media entity in the current pipeline
> * @bpp: Number of bits per pixel for the current format
> - * @lanes: Number of lanes in the link to the sensor
> + * @lane_cfg: CSI2 lane configuration
> *
> * Return link frequency on success or a negative error code otherwise
> */
> s64 camss_get_link_freq(struct media_entity *entity, unsigned int bpp,
> - unsigned int lanes)
> + struct csiphy_lanes_cfg *lane_cfg)
> {
> struct media_pad *sensor_pad;
> + u8 num_lanes = lane_cfg->num_data;
> + bool cphy = lane_cfg->phy_cfg == V4L2_MBUS_CSI2_CPHY;
> + unsigned int div = num_lanes * 2 * (cphy ? CAMSS_CPHY_DIVISOR :
> + CAMSS_DPHY_DIVISOR);
>
> sensor_pad = camss_find_sensor_pad(entity);
> if (!sensor_pad)
> return -ENODEV;
>
> - return v4l2_get_link_freq(sensor_pad, bpp, 2 * lanes);
> + return v4l2_get_link_freq(sensor_pad, CAMSS_COMMON_PHY_DIVIDENT * bpp, div);
[Severity: High]
Does this calculation invert the C-PHY link frequency ratio?
According to the MIPI C-PHY specification and V4L2 documentation, 16 bits encode
into 7 symbols, meaning the symbol rate (link frequency) should be:
(pixel_rate * bpp * 7) / (16 * num_lanes).
Here, the multiplier passed to v4l2_get_link_freq() is (16 * bpp), and the
divisor is (num_lanes * 2 * 7) for C-PHY. This effectively multiplies by 16
and divides by 14, instead of multiplying by 7 and dividing by 16.
This logic appears to inflate the calculated link frequency for C-PHY by a
factor of roughly 2.6x, which could lead to pixel clock configuration failures
or physical hardware malfunction.
> }
>
> /*
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260605-qcom-cphy-v7-0-426c37e9008f@ixit.cz?part=7
next prev parent reply other threads:[~2026-06-05 14:00 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 13:14 [PATCH v7 0/8] media: camss: Add support for C-PHY configuration on Qualcomm platforms David Heidelberg via B4 Relay
2026-06-05 13:14 ` David Heidelberg
2026-06-05 13:14 ` [PATCH v7 1/8] media: qcom: camss: csiphy: Introduce PHY configuration David Heidelberg via B4 Relay
2026-06-05 13:14 ` David Heidelberg
2026-06-05 13:14 ` [PATCH v7 2/8] media: qcom: camss: csiphy-3ph: Use odd bits for configuring C-PHY lanes David Heidelberg via B4 Relay
2026-06-05 13:14 ` David Heidelberg
2026-06-05 13:30 ` sashiko-bot
2026-06-08 18:16 ` Frank Li
2026-06-05 13:14 ` [PATCH v7 3/8] media: qcom: camss: Prepare CSID for C-PHY support David Heidelberg via B4 Relay
2026-06-05 13:14 ` David Heidelberg
2026-06-05 13:35 ` sashiko-bot
2026-06-08 18:18 ` Frank Li
2026-06-05 13:14 ` [PATCH v7 4/8] media: qcom: camss: Initialize lanes after lane configuration is available David Heidelberg via B4 Relay
2026-06-05 13:14 ` David Heidelberg
2026-06-05 13:40 ` sashiko-bot
2026-06-05 13:14 ` [PATCH v7 5/8] media: qcom: camss: csiphy-3ph: Add Gen2 v1.1 MIPI CSI-2 C-PHY init David Heidelberg via B4 Relay
2026-06-05 13:14 ` David Heidelberg
2026-06-08 9:00 ` Bryan O'Donoghue
2026-06-08 10:37 ` David Heidelberg
2026-06-05 13:14 ` [PATCH v7 6/8] media: qcom: camss: csiphy-3ph: Update " David Heidelberg via B4 Relay
2026-06-05 13:14 ` David Heidelberg
2026-06-05 13:14 ` [PATCH v7 7/8] media: qcom: camss: Account for C-PHY when calculating link frequency David Heidelberg via B4 Relay
2026-06-05 13:14 ` David Heidelberg
2026-06-05 14:00 ` sashiko-bot [this message]
2026-06-05 13:14 ` [PATCH v7 8/8] media: qcom: camss: Enable C-PHY where available David Heidelberg via B4 Relay
2026-06-05 13:14 ` David Heidelberg
2026-06-08 8:56 ` [PATCH v7 0/8] media: camss: Add support for C-PHY configuration on Qualcomm platforms Bryan O'Donoghue
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260605140028.DD2A31F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=devnull+david.ixit.cz@kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.