Re: [PATCH v23 1/8] soc: cadence: Create helper functions for Cadence MHDP

Devicetree
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Laurentiu Palcu" <laurentiu.palcu@oss.nxp.com>
Cc: Frank.Li@kernel.org, robh@kernel.org,
	linux-phy@lists.infradead.org, imx@lists.linux.dev,
	neil.armstrong@linaro.org, vkoul@kernel.org, conor+dt@kernel.org,
	olteanv@gmail.com, devicetree@vger.kernel.org
Subject: Re: [PATCH v23 1/8] soc: cadence: Create helper functions for Cadence MHDP
Date: Tue, 19 May 2026 15:06:06 +0000	[thread overview]
Message-ID: <20260519150606.D9E5AC2BCB3@smtp.kernel.org> (raw)
In-Reply-To: <20260519-dcss-hdmi-upstreaming-v23-1-5615524a9c63@oss.nxp.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Buffer overflow in cdns_mhdp_secure_mailbox_send_recv_multi() due to ignored bounds check.
- [High] Mailbox size validation bypass and permanent FIFO desynchronization for opcode 0x09.
- [Medium] Mailbox RX FIFO is not properly drained on error paths, leading to permanent desynchronization.
--

commit c962067d82ee12edcd834501898758652f04fb81
Author: Sandor Yu <Sandor.yu@nxp.com>
soc: cadence: Create helper functions for Cadence MHDP

This commit introduces mailbox communication helper functions for Cadence 
MHDP IPs. It adds support for both secure and non-secure mailbox access, 
along with register and DPCD read/write helpers.

> diff --git a/drivers/soc/cadence/cdns-mhdp-helper.c b/drivers/soc/cadence/cdns-mhdp-helper.c
> new file mode 100644
> --- /dev/null
> +++ b/drivers/soc/cadence/cdns-mhdp-helper.c
[ ... ]
> +static int mhdp_mailbox_recv_header(struct cdns_mhdp_base *base,
> +				    u8 module_id, u8 opcode,
> +				    u16 req_size, bool secure)
> +{
[ ... ]
> +	/*
> +	 * If the message in mailbox is not what we want, we need to
> +	 * clear the mailbox by reading its contents.
> +	 * Response data length for HDCP TX HDCP_TRAN_IS_REC_ID_VALID depend on
> +	 * case.
> +	 */
> +	if (opcode != header[0] ||
> +	    module_id != header[1] ||
> +	   (opcode != HDCP_TRAN_IS_REC_ID_VALID && req_size != mbox_size)) {

Does this bypass apply to any module using opcode 0x09?

Looking at the command definitions, DPTX_TRAINING_CONTROL also uses 0x09,
which means it would inadvertently bypass this size validation check since
the module_id isn't checked here.

Additionally, if this check is bypassed and the firmware actually sends an
mbox_size larger than what is dynamically read, will those unread bytes
remain in the RX FIFO? Could the next mailbox command end up reading those
stale leftover bytes as its response header, breaking synchronization?

> +		for (i = 0; i < mbox_size; i++) {
> +			if (secure)
> +				ret = mhdp_mailbox_read_secure(base);
> +			else
> +				ret = mhdp_mailbox_read(base);
> +			if (ret < 0)
> +				break;
> +		}
> +
> +		return -EINVAL;
> +	}
> +
> +	return 0;
> +}
> +
> +static int mhdp_mailbox_recv_data(struct cdns_mhdp_base *base,
> +				  u8 *buff, u16 buff_size, bool secure)
> +{
> +	u32 i;
> +	int ret;
> +
> +	for (i = 0; i < buff_size; i++) {
> +		if (secure)
> +			ret = mhdp_mailbox_read_secure(base);
> +		else
> +			ret = mhdp_mailbox_read(base);
> +		if (ret < 0)
> +			return ret;

If readx_poll_timeout() fails during the read, does returning directly here
leave the rest of the message stuck in the RX FIFO?

If a read times out or fails, could the next thread to acquire the
mailbox_mutex parse these leftover bytes as a new response header? Should the
FIFO be explicitly drained when an error occurs to maintain state machine
synchronization?

> +
> +		buff[i] = ret;
> +	}
> +
> +	return 0;
> +}
[ ... ]
> +int cdns_mhdp_secure_mailbox_send_recv_multi(struct cdns_mhdp_base *base,
> +					     u8 module_id, u8 opcode,
> +					     u16 msg_size, u8 *msg,
> +					     u8 opcode_resp,
> +					     u16 resp1_size, u8 *resp1,
> +					     u16 resp2_size, u8 *resp2)
> +{
[ ... ]
> +	ret = mhdp_mailbox_recv_data(base, resp1, resp1_size, true);
> +	if (ret) {
> +		dev_err(base->dev, "ModuleID=%d, Resp_CMD=%d recv data1 failed: %d\n",
> +			module_id, opcode_resp, ret);
> +		return ret;
> +	}
> +
> +	/*
> +	 * Response data length for HDCP TX HDCP_TRAN_IS_REC_ID_VALID depend on
> +	 * the number of HDCP receivers in resp1[0].
> +	 * 1 for regular case, more can be in repeater.
> +	 */
> +	if (module_id == MB_MODULE_ID_HDCP_TX &&
> +	    opcode == HDCP_TRAN_IS_REC_ID_VALID)
> +		ret = mhdp_mailbox_recv_data(base, resp2, 5 * resp1[0], true);

Could this dynamically calculated length exceed the caller-provided
resp2_size buffer capacity?

Since resp1[0] is read directly from the hardware response and could be up
to 255, this might result in writing up to 1275 bytes into the resp2
buffer. Does this need a bounds check against resp2_size to prevent memory
corruption if a misbehaving or compromised device sends a large value?

> +	else
> +		ret = mhdp_mailbox_recv_data(base, resp2, resp2_size, true);
> +	if (ret)
> +		dev_err(base->dev, "ModuleID=%d, Resp_CMD=%d recv data2 failed: %d\n",
> +			module_id, opcode_resp, ret);
> +	return ret;
> +}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260519-dcss-hdmi-upstreaming-v23-0-5615524a9c63@oss.nxp.com?part=1

next prev parent reply	other threads:[~2026-05-19 15:06 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-19 14:42 [PATCH v23 0/8] Initial support Cadence MHDP8501(HDMI/DP) for i.MX8MQ Laurentiu Palcu
2026-05-19 14:42 ` [PATCH v23 1/8] soc: cadence: Create helper functions for Cadence MHDP Laurentiu Palcu
2026-05-19 15:06   ` sashiko-bot [this message]
2026-05-19 14:42 ` [PATCH v23 2/8] drm: bridge: cadence: Update mhdp8546 mailbox access functions Laurentiu Palcu
2026-05-19 16:11   ` sashiko-bot
2026-05-19 14:42 ` [PATCH v23 3/8] dt-bindings: phy: Add Freescale iMX8MQ DP and HDMI PHY Laurentiu Palcu
2026-05-19 14:42 ` [PATCH v23 4/8] phy: freescale: Add DisplayPort/HDMI Combo-PHY driver for i.MX8MQ Laurentiu Palcu
2026-05-19 14:42 ` [PATCH v23 5/8] dt-bindings: display: bridge: Add Cadence MHDP8501 Laurentiu Palcu
2026-05-19 14:42 ` [PATCH v23 6/8] drm: bridge: Cadence: Add MHDP8501 DP/HDMI driver Laurentiu Palcu
2026-05-19 14:42 ` [PATCH v23 7/8] arm64: dts: imx8mq: Add DCSS + HDMI/DP display pipeline Laurentiu Palcu
2026-05-19 14:42 ` [PATCH v23 8/8] arm64: dts: imx8mq: tqma8mq-mba8mx: Enable HDMI support Laurentiu Palcu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260519150606.D9E5AC2BCB3@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=Frank.Li@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=imx@lists.linux.dev \
    --cc=laurentiu.palcu@oss.nxp.com \
    --cc=linux-phy@lists.infradead.org \
    --cc=neil.armstrong@linaro.org \
    --cc=olteanv@gmail.com \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=vkoul@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox