From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: bus: mhi: Capture DDR training data using command mode Date: Wed, 11 Mar 2026 13:35:23 +1000 Message-ID: In-Reply-To: <20260310-sahara_protocol_new_v2-v3-7-994ea4b0d5ad@oss.qualcomm.com> References: <20260310-sahara_protocol_new_v2-v3-0-994ea4b0d5ad@oss.qualcomm.com> <20260310-sahara_protocol_new_v2-v3-7-994ea4b0d5ad@oss.qualcomm.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review This is the most substantial and most problematic patch (328 lines added). **Bugs:** 1. **Tautological comparison =E2=80=94 always true:** ```c le32_to_cpu(context->rx->command_execute_resp.response_length) < 0 ``` `le32_to_cpu` returns a `u32`, which is unsigned and can never be less t= han 0. This check does nothing. If the intent is to validate the response l= ength, it should check against a maximum or ensure it's non-zero. 2. **Race condition in `sahara_command_execute_resp`:** The function sends = `sahara_command_execute_data()` BEFORE processing the response. For `GET_CO= MMAND_ID_LIST`, it sends the execute_data request and then *also* sends a n= ew `sahara_command_execute(TRAINING_DATA)` request. This means two TX packe= ts are queued back-to-back using `context->tx[0]` =E2=80=94 the second writ= e to `tx[0]` will overwrite the first before it may have been DMA'd. This i= s a potential data corruption issue since `tx[0]` is used as the buffer for= both sends. 3. **`ct->data` NULL check outside lock:** After calling `kzalloc` under th= e lock and releasing it: ```c mutex_lock(&ct->lock); kfree(ct->data); ct->data =3D kzalloc(resp_len, GFP_KERNEL); ... mutex_unlock(&ct->lock); if (!ct->data) { ``` The `ct->data` check is done *after* releasing the lock. Another thread = could theoretically modify `ct->data` between the unlock and the check. The= NULL check should be inside the lock, or the return value should be saved. 4. **`mutex_lock` in DL callback context:** The `sahara_mhi_dl_xfer_cb` cal= lback takes `ct->lock` (a mutex). MHI DL transfer callbacks may be called i= n softirq/tasklet context (depending on the MHI implementation). If so, `mu= tex_lock` would be illegal in that context =E2=80=94 it should use a spinlo= ck instead, or the data copy should be deferred to a workqueue. 5. **Training data larger than `SAHARA_NUM_CMD_BUF * SAHARA_PACKET_MAX_SIZE= `:** If `resp_len` exceeds the total capacity of the pre-allocated cmd buff= ers, the loop at line 752-762 will stop early, `remaining` will be non-zero= , and the data transfer will be incomplete. No error is reported for this c= ase, and `trng_size` still reflects the full requested size, leading to a p= artial/corrupt capture. 6. **`cancel_work_sync(&context->read_data_work)` missing in remove:** The = original code has `read_data_work` but the remove function only cancels `fw= _work`, `dump_work`, and `cmd_work`. The `read_data_work` cancel is missing= (pre-existing bug, but patch 7 adds `cmd_work` cancel without fixing this). **Design concerns:** - The DL callback does pointer comparison (`mhi_result->buf_addr =3D=3D con= text->cmd_buff[i]`) to distinguish training data from control packets. This= is fragile and relies on MHI always returning the exact same pointer. - The command mode state machine is not explicitly modeled. The various boo= lean flags (`is_cmd_mode`, `receiving_trng_data`) create implicit states th= at are easy to get wrong. --- Generated by Claude Code Patch Reviewer