From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: bus: mhi: Capture DDR training data using command mode
Date: Sun, 22 Mar 2026 04:44:35 +1000
Message-ID: <review-patch7-20260319-sahara_protocol_new_v2-v4-7-47ad79308762@oss.qualcomm.com>
In-Reply-To: <20260319-sahara_protocol_new_v2-v4-7-47ad79308762@oss.qualcomm.com>
References: <20260319-sahara_protocol_new_v2-v4-0-47ad79308762@oss.qualcomm.com> <20260319-sahara_protocol_new_v2-v4-7-47ad79308762@oss.qualcomm.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

This is the most complex patch and has the most serious issues.

**Issues:**

- **Bug: Unsigned comparison always false** at `sahara.c:706`:
  ```c
  le32_to_cpu(context->rx->command_execute_resp.response_length) < 0
  ```
  `le32_to_cpu()` returns `u32`. This comparison is always false and provid=
es no validation.

- **Bug: Sleeping in atomic context.** `sahara_mhi_dl_xfer_cb()` (line 1367=
) is an MHI transfer callback that can run in tasklet/softirq context. It c=
alls:
  - `sahara_ctrl_trng_get()` =E2=86=92 `devres_alloc(..., GFP_KERNEL)` =E2=
=80=94 may sleep
  - `mutex_lock(&ct->lock)` =E2=80=94 may sleep
 =20
  Both are illegal in atomic context.

- **Bug: Unbounded `kzalloc` from device-controlled value** at `sahara.c:73=
5`:
  ```c
  ct->data =3D kzalloc(resp_len, GFP_KERNEL);
  ```
  `resp_len` comes directly from the device with no upper bound. A maliciou=
s/buggy device could cause an enormous allocation. Add a sanity cap.

- **Bug: `ct->data` checked outside the lock** at `sahara.c:741`:
  ```c
  mutex_unlock(&ct->lock);
  if (!ct->data) { ...
  ```
  After releasing the lock, `ct->data` could be freed by another thread. Mo=
ve the NULL check inside the critical section.

- **Data races**: `context->is_cmd_mode`, `receiving_trng_data`, `trng_rcvd=
`, `trng_size`, `trng_nbuf` are accessed from both the DL callback (potenti=
ally tasklet context) and the work queue without any locking or memory barr=
iers.

- **TX buffer reuse**: At `sahara.c:716-719`, `sahara_command_execute_data(=
)` and `sahara_command_execute()` both write to `context->tx[0]` and queue =
it. The first may not have been consumed by MHI before the second overwrite=
s it.

- **Missing `cancel_work_sync(&context->read_data_work)`** in the remove pa=
th (line 1347-1357). Only `fw_work`, `dump_work`, and `cmd_work` are cancel=
led.

---
Generated by Claude Code Patch Reviewer