From: sashiko-bot@kernel.org
To: Frank.Li@oss.nxp.com
Cc: devicetree@vger.kernel.org, Frank.Li@kernel.org,
conor+dt@kernel.org, imx@lists.linux.dev, robh@kernel.org
Subject: Re: [PATCH v7 4/8] media: synopsys: Use media_async_register_subdev() to simplify code
Date: Thu, 02 Jul 2026 16:28:09 +0000 [thread overview]
Message-ID: <20260702162809.AC6171F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260702-imx8qxp_pcam-v7-4-b47d9e363400@nxp.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [Critical] The code uses an undefined macro `fwnode_graph_for_each_endpoint_scoped`.
- [High] The `vep` variable is used without initialization in `v4l2_async_nf_parse_fwnode`, leading to non-deterministic parsing failures.
- [High] `v4l2_async_nf_parse_fwnode` incorrectly bounds array checks by `ep_count` but indexes by `port`, causing array out-of-bounds access and overwrites.
--
Note: The format of this review is altered due to recitation restrictions. I am providing a free-form summary of the findings rather than using inline quotes from the patch.
commit a062c04404605739dc18e1d269233cd3c55f2e65
Author: Frank Li <Frank.Li@nxp.com>
media: synopsys: Use media_async_register_subdev() to simplify code
This commit simplifies the driver by replacing local subdev registration
and pad setup with media_async_register_subdev().
[Severity: Critical]
This isn't a bug introduced by this patch, but by a previous patch in the
series that added v4l2_async_nf_parse_fwnode().
In drivers/media/v4l2-core/v4l2-fwnode.c:v4l2_async_nf_parse_fwnode(), is
the macro fwnode_graph_for_each_endpoint_scoped() defined anywhere in the
kernel?
It appears this macro is invoked but undefined, which results in an
immediate compilation failure.
[Severity: High]
This is a pre-existing issue from a previous patch in the series, but
looking at v4l2_async_nf_parse_fwnode(), does the uninitialized stack
variable vep cause parsing failures?
The struct v4l2_fwnode_endpoint vep is allocated on the stack but not
zero-initialized before being passed to v4l2_fwnode_endpoint_parse().
The parser relies on vep.bus_type being V4L2_MBUS_UNKNOWN (0) to correctly
guess the bus type:
drivers/media/v4l2-core/v4l2-fwnode.c:__v4l2_fwnode_endpoint_parse() {
if (vep->bus_type != V4L2_MBUS_UNKNOWN) {
...
}
Since vep contains random stack garbage, vep.bus_type will likely be
non-zero, causing the parser to incorrectly assume a specific bus type
was requested. Will this result in a spurious -ENXIO error and break driver
initialization?
[Severity: High]
This is also a pre-existing issue from the previous patch adding
v4l2_async_nf_parse_fwnode(), but does the pad allocation logic
safely handle non-contiguous port numbers or multiple endpoints per port?
The wrapper dynamically allocates exactly ep_count pads based on the total
number of device tree endpoints. However, it indexes the array directly by
the endpoint's port number:
pad = pads + vep.base.port;
If a port number is skipped in the device tree (for example, port 1 is
present but port 0 is not, making ep_count=1), will vep.base.port (1)
trigger a false-positive vep.base.port >= pads_count bounds check, returning
-EINVAL and failing probe?
Conversely, if a port contains multiple endpoints (e.g., two endpoints under
port 0), won't they both overwrite pads[0], leaving subsequent array elements
completely uninitialized?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260702-imx8qxp_pcam-v7-0-b47d9e363400@nxp.com?part=4
next prev parent reply other threads:[~2026-07-02 16:28 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 16:03 [PATCH v7 0/8] media: add new API simple subdev register and add imx parallel camera support Frank.Li
2026-07-02 16:03 ` [PATCH v7 1/8] media: subdev: Add set_pad_by_ep() callback to internal ops Frank.Li
2026-07-02 16:03 ` [PATCH v7 2/8] media: subdev: Add media_async_register_subdev() helper Frank.Li
2026-07-02 16:15 ` Laurent Pinchart
2026-07-02 18:11 ` Frank Li
2026-07-02 18:19 ` Laurent Pinchart
2026-07-02 18:59 ` Frank Li
2026-07-02 16:22 ` sashiko-bot
2026-07-02 16:03 ` [PATCH v7 3/8] media: synopsys: Use v4l2_subdev_get_frame_desc_passthrough() Frank.Li
2026-07-02 16:04 ` [PATCH v7 4/8] media: synopsys: Use media_async_register_subdev() to simplify code Frank.Li
2026-07-02 16:28 ` sashiko-bot [this message]
2026-07-02 16:04 ` [PATCH v7 5/8] dt-bindings: media: add i.MX parallel CPI support Frank.Li
2026-07-02 16:04 ` [PATCH v7 6/8] media: nxp: add V4L2 subdev driver for camera parallel interface (CPI) Frank.Li
2026-07-02 16:28 ` sashiko-bot
2026-07-02 16:04 ` [PATCH v7 7/8] arm64: dts: imx8: add camera parallel interface (CPI) node Frank.Li
2026-07-02 16:27 ` sashiko-bot
2026-07-02 16:04 ` [PATCH v7 8/8] arm64: dts: imx8qxp-mek: add parallel ov5640 camera support Frank.Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702162809.AC6171F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=Frank.Li@oss.nxp.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=imx@lists.linux.dev \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox