Linux kernel and device drivers for NXP i.MX platforms
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: Frank.Li@oss.nxp.com
Cc: devicetree@vger.kernel.org, Frank.Li@kernel.org,
	conor+dt@kernel.org, imx@lists.linux.dev, robh@kernel.org
Subject: Re: [PATCH v7 4/8] media: synopsys: Use media_async_register_subdev() to simplify code
Date: Thu, 02 Jul 2026 16:28:09 +0000	[thread overview]
Message-ID: <20260702162809.AC6171F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260702-imx8qxp_pcam-v7-4-b47d9e363400@nxp.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

Pre-existing issues:
- [Critical] The code uses an undefined macro `fwnode_graph_for_each_endpoint_scoped`.
- [High] The `vep` variable is used without initialization in `v4l2_async_nf_parse_fwnode`, leading to non-deterministic parsing failures.
- [High] `v4l2_async_nf_parse_fwnode` incorrectly bounds array checks by `ep_count` but indexes by `port`, causing array out-of-bounds access and overwrites.
--

Note: The format of this review is altered due to recitation restrictions. I am providing a free-form summary of the findings rather than using inline quotes from the patch.

commit a062c04404605739dc18e1d269233cd3c55f2e65
Author: Frank Li <Frank.Li@nxp.com>

media: synopsys: Use media_async_register_subdev() to simplify code

This commit simplifies the driver by replacing local subdev registration
and pad setup with media_async_register_subdev().

[Severity: Critical]
This isn't a bug introduced by this patch, but by a previous patch in the
series that added v4l2_async_nf_parse_fwnode().

In drivers/media/v4l2-core/v4l2-fwnode.c:v4l2_async_nf_parse_fwnode(), is
the macro fwnode_graph_for_each_endpoint_scoped() defined anywhere in the
kernel?

It appears this macro is invoked but undefined, which results in an
immediate compilation failure.


[Severity: High]
This is a pre-existing issue from a previous patch in the series, but
looking at v4l2_async_nf_parse_fwnode(), does the uninitialized stack
variable vep cause parsing failures?

The struct v4l2_fwnode_endpoint vep is allocated on the stack but not
zero-initialized before being passed to v4l2_fwnode_endpoint_parse().

The parser relies on vep.bus_type being V4L2_MBUS_UNKNOWN (0) to correctly
guess the bus type:

drivers/media/v4l2-core/v4l2-fwnode.c:__v4l2_fwnode_endpoint_parse() {
    if (vep->bus_type != V4L2_MBUS_UNKNOWN) {
        ...
}

Since vep contains random stack garbage, vep.bus_type will likely be
non-zero, causing the parser to incorrectly assume a specific bus type
was requested. Will this result in a spurious -ENXIO error and break driver
initialization?


[Severity: High]
This is also a pre-existing issue from the previous patch adding
v4l2_async_nf_parse_fwnode(), but does the pad allocation logic
safely handle non-contiguous port numbers or multiple endpoints per port?

The wrapper dynamically allocates exactly ep_count pads based on the total
number of device tree endpoints. However, it indexes the array directly by
the endpoint's port number:

    pad = pads + vep.base.port;

If a port number is skipped in the device tree (for example, port 1 is
present but port 0 is not, making ep_count=1), will vep.base.port (1)
trigger a false-positive vep.base.port >= pads_count bounds check, returning
-EINVAL and failing probe?

Conversely, if a port contains multiple endpoints (e.g., two endpoints under
port 0), won't they both overwrite pads[0], leaving subsequent array elements
completely uninitialized?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260702-imx8qxp_pcam-v7-0-b47d9e363400@nxp.com?part=4

  reply	other threads:[~2026-07-02 16:28 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 16:03 [PATCH v7 0/8] media: add new API simple subdev register and add imx parallel camera support Frank.Li
2026-07-02 16:03 ` [PATCH v7 1/8] media: subdev: Add set_pad_by_ep() callback to internal ops Frank.Li
2026-07-02 16:03 ` [PATCH v7 2/8] media: subdev: Add media_async_register_subdev() helper Frank.Li
2026-07-02 16:15   ` Laurent Pinchart
2026-07-02 18:11     ` Frank Li
2026-07-02 18:19       ` Laurent Pinchart
2026-07-02 18:59         ` Frank Li
2026-07-02 16:22   ` sashiko-bot
2026-07-02 16:03 ` [PATCH v7 3/8] media: synopsys: Use v4l2_subdev_get_frame_desc_passthrough() Frank.Li
2026-07-02 16:04 ` [PATCH v7 4/8] media: synopsys: Use media_async_register_subdev() to simplify code Frank.Li
2026-07-02 16:28   ` sashiko-bot [this message]
2026-07-02 16:04 ` [PATCH v7 5/8] dt-bindings: media: add i.MX parallel CPI support Frank.Li
2026-07-02 16:04 ` [PATCH v7 6/8] media: nxp: add V4L2 subdev driver for camera parallel interface (CPI) Frank.Li
2026-07-02 16:28   ` sashiko-bot
2026-07-02 16:04 ` [PATCH v7 7/8] arm64: dts: imx8: add camera parallel interface (CPI) node Frank.Li
2026-07-02 16:27   ` sashiko-bot
2026-07-02 16:04 ` [PATCH v7 8/8] arm64: dts: imx8qxp-mek: add parallel ov5640 camera support Frank.Li

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702162809.AC6171F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=Frank.Li@kernel.org \
    --cc=Frank.Li@oss.nxp.com \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=imx@lists.linux.dev \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox