From: sashiko-bot@kernel.org
To: "Akhil R" <akhilrajeev@nvidia.com>
Cc: Frank.Li@kernel.org, linux-hwmon@vger.kernel.org,
robh@kernel.org, devicetree@vger.kernel.org,
linux-i3c@lists.infradead.org, conor+dt@kernel.org
Subject: Re: [PATCH v4 06/12] i3c: master: match I3C device through DT and ACPI
Date: Tue, 16 Jun 2026 10:12:30 +0000 [thread overview]
Message-ID: <20260616101231.3A93B1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260616095429.3947205-7-akhilrajeev@nvidia.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Lockless access to `i3cdev->desc` introduces a Time-of-Check to Time-of-Use (TOCTOU) race, Use-After-Free (UAF), and NULL pointer dereference when a device is concurrently matched and unregistered.
- [Medium] Missing OF and ACPI modalias generation in `i3c_device_uevent` breaks module autoloading for SETAASA-based I3C devices.
Pre-existing issues:
- [High] Matching logic reads uninitialized stack memory when i3cdev->desc is NULL.
--
commit 3dbcf3bf72698f3de90e327e59cfb2913ecd7503
Author: Akhil R <akhilrajeev@nvidia.com>
i3c: master: match I3C device through DT and ACPI
SETAASA-based devices cannot always be identified by PID or DCR; the
standard I3C id_table matching may not be applicable. Allow such devices
to be matched through Device Tree or ACPI.
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index bcc9c2d29c342..1bd545447b817 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
[ ... ]
> @@ -345,15 +346,32 @@ static int i3c_device_match(struct device *dev, const struct device_driver *drv)
> {
> struct i3c_device *i3cdev;
> const struct i3c_driver *i3cdrv;
> + u8 static_addr_method = 0;
>
> if (dev->type != &i3c_device_type)
> return 0;
>
> i3cdev = dev_to_i3cdev(dev);
> i3cdrv = drv_to_i3cdrv(drv);
> - if (i3c_device_match_id(i3cdev, i3cdrv->id_table))
> +
> + if (i3cdev->desc && i3cdev->desc->boardinfo)
> + static_addr_method = i3cdev->desc->boardinfo->static_addr_method;
[Severity: High]
Can this lockless access to i3cdev->desc cause a Use-After-Free or NULL
pointer dereference?
If the I3C master is unbound or unregistered concurrently,
i3c_master_unregister_i3c_devs() sets i3cdev->dev->desc = NULL locklessly and
calls device_unregister().
Since i3c_device_match() is called from bus_for_each_dev() without taking the
device lock, if the thread is preempted between checking i3cdev->desc and
reading desc->boardinfo, desc could be freed by i3c_master_bus_cleanup(),
causing a Use-After-Free.
Alternatively, without READ_ONCE(), could the compiler reload i3cdev->desc as
NULL, causing a direct NULL pointer dereference?
> +
> + /*
> + * SETAASA-based devices need not always have a matching ID since
> + * it is not mandatory for such devices to implement deviceinfo
> + * CCC commands. Allow them to register through DT or ACPI.
> + */
> + if (i3cdrv->id_table && i3c_device_match_id(i3cdev, i3cdrv->id_table))
[Severity: High]
This is a pre-existing issue, but can i3c_device_match_id() operate on
uninitialized stack memory here?
If i3cdev->desc is NULL (which can happen concurrently during device teardown
via i3c_master_unregister_i3c_devs()), i3c_device_get_info() returns early
without modifying the devinfo output buffer:
drivers/i3c/device.c:i3c_device_match_id() {
struct i3c_device_info devinfo;
...
i3c_device_get_info(i3cdev, &devinfo);
manuf = I3C_PID_MANUF_ID(devinfo.pid);
...
}
This leaves devinfo uninitialized, causing the matching logic to extract
the manufacturer and part IDs from stack garbage.
> return 1;
>
> + if (static_addr_method & I3C_ADDR_METHOD_SETAASA) {
> + if (of_driver_match_device(dev, drv))
> + return 1;
> + if (acpi_driver_match_device(dev, drv))
> + return 1;
[Severity: Medium]
Since this patch enables Device Tree and ACPI matching, does the bus uevent
callback (i3c_device_uevent()) also need to generate OF and ACPI modaliases?
Without of_device_uevent_modalias() or acpi_device_uevent_modalias(), udev
cannot automatically load the driver based on the DT compatible string or ACPI
HID, which breaks module autoloading for SETAASA-based devices.
> + }
> +
> return 0;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260616095429.3947205-1-akhilrajeev@nvidia.com?part=6
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
WARNING: multiple messages have this Message-ID (diff)
From: sashiko-bot@kernel.org
To: "Akhil R" <akhilrajeev@nvidia.com>
Cc: Frank.Li@kernel.org, linux-hwmon@vger.kernel.org,
robh@kernel.org, devicetree@vger.kernel.org,
linux-i3c@lists.infradead.org, conor+dt@kernel.org
Subject: Re: [PATCH v4 06/12] i3c: master: match I3C device through DT and ACPI
Date: Tue, 16 Jun 2026 10:12:30 +0000 [thread overview]
Message-ID: <20260616101231.3A93B1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260616095429.3947205-7-akhilrajeev@nvidia.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Lockless access to `i3cdev->desc` introduces a Time-of-Check to Time-of-Use (TOCTOU) race, Use-After-Free (UAF), and NULL pointer dereference when a device is concurrently matched and unregistered.
- [Medium] Missing OF and ACPI modalias generation in `i3c_device_uevent` breaks module autoloading for SETAASA-based I3C devices.
Pre-existing issues:
- [High] Matching logic reads uninitialized stack memory when i3cdev->desc is NULL.
--
commit 3dbcf3bf72698f3de90e327e59cfb2913ecd7503
Author: Akhil R <akhilrajeev@nvidia.com>
i3c: master: match I3C device through DT and ACPI
SETAASA-based devices cannot always be identified by PID or DCR; the
standard I3C id_table matching may not be applicable. Allow such devices
to be matched through Device Tree or ACPI.
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index bcc9c2d29c342..1bd545447b817 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
[ ... ]
> @@ -345,15 +346,32 @@ static int i3c_device_match(struct device *dev, const struct device_driver *drv)
> {
> struct i3c_device *i3cdev;
> const struct i3c_driver *i3cdrv;
> + u8 static_addr_method = 0;
>
> if (dev->type != &i3c_device_type)
> return 0;
>
> i3cdev = dev_to_i3cdev(dev);
> i3cdrv = drv_to_i3cdrv(drv);
> - if (i3c_device_match_id(i3cdev, i3cdrv->id_table))
> +
> + if (i3cdev->desc && i3cdev->desc->boardinfo)
> + static_addr_method = i3cdev->desc->boardinfo->static_addr_method;
[Severity: High]
Can this lockless access to i3cdev->desc cause a Use-After-Free or NULL
pointer dereference?
If the I3C master is unbound or unregistered concurrently,
i3c_master_unregister_i3c_devs() sets i3cdev->dev->desc = NULL locklessly and
calls device_unregister().
Since i3c_device_match() is called from bus_for_each_dev() without taking the
device lock, if the thread is preempted between checking i3cdev->desc and
reading desc->boardinfo, desc could be freed by i3c_master_bus_cleanup(),
causing a Use-After-Free.
Alternatively, without READ_ONCE(), could the compiler reload i3cdev->desc as
NULL, causing a direct NULL pointer dereference?
> +
> + /*
> + * SETAASA-based devices need not always have a matching ID since
> + * it is not mandatory for such devices to implement deviceinfo
> + * CCC commands. Allow them to register through DT or ACPI.
> + */
> + if (i3cdrv->id_table && i3c_device_match_id(i3cdev, i3cdrv->id_table))
[Severity: High]
This is a pre-existing issue, but can i3c_device_match_id() operate on
uninitialized stack memory here?
If i3cdev->desc is NULL (which can happen concurrently during device teardown
via i3c_master_unregister_i3c_devs()), i3c_device_get_info() returns early
without modifying the devinfo output buffer:
drivers/i3c/device.c:i3c_device_match_id() {
struct i3c_device_info devinfo;
...
i3c_device_get_info(i3cdev, &devinfo);
manuf = I3C_PID_MANUF_ID(devinfo.pid);
...
}
This leaves devinfo uninitialized, causing the matching logic to extract
the manufacturer and part IDs from stack garbage.
> return 1;
>
> + if (static_addr_method & I3C_ADDR_METHOD_SETAASA) {
> + if (of_driver_match_device(dev, drv))
> + return 1;
> + if (acpi_driver_match_device(dev, drv))
> + return 1;
[Severity: Medium]
Since this patch enables Device Tree and ACPI matching, does the bus uevent
callback (i3c_device_uevent()) also need to generate OF and ACPI modaliases?
Without of_device_uevent_modalias() or acpi_device_uevent_modalias(), udev
cannot automatically load the driver based on the DT compatible string or ACPI
HID, which breaks module autoloading for SETAASA-based devices.
> + }
> +
> return 0;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260616095429.3947205-1-akhilrajeev@nvidia.com?part=6
next prev parent reply other threads:[~2026-06-16 10:12 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 9:54 [PATCH v4 00/12] Support ACPI and SETAASA device discovery Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 9:54 ` [PATCH v4 01/12] dt-bindings: i3c: Add mipi-i3c-static-method to support SETAASA Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:04 ` sashiko-bot
2026-06-16 10:04 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 02/12] i3c: master: Use unified device property interface Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:17 ` sashiko-bot
2026-06-16 10:17 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 03/12] i3c: master: Support ACPI enumeration of child devices Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:15 ` sashiko-bot
2026-06-16 10:15 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 04/12] i3c: master: Add support for devices using SETAASA Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:19 ` sashiko-bot
2026-06-16 10:19 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 05/12] i3c: master: Add support for devices without PID Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:17 ` sashiko-bot
2026-06-16 10:17 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 06/12] i3c: master: match I3C device through DT and ACPI Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:12 ` sashiko-bot [this message]
2026-06-16 10:12 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 07/12] i3c: dw-i3c-master: Add SETAASA as supported CCC Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:13 ` sashiko-bot
2026-06-16 10:13 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 08/12] i3c: dw-i3c-master: Add a quirk to skip clock and reset Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:14 ` sashiko-bot
2026-06-16 10:14 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 09/12] i3c: dw-i3c-master: Add ACPI ID for Tegra410 Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:09 ` sashiko-bot
2026-06-16 10:09 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 10/12] hwmon: spd5118: Remove 16-bit addressing Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:09 ` sashiko-bot
2026-06-16 10:09 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 11/12] hwmon: spd5118: Add I3C support Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:30 ` sashiko-bot
2026-06-16 10:30 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 12/12] arm64: defconfig: Enable I3C and SPD5118 hwmon Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:10 ` sashiko-bot
2026-06-16 10:10 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616101231.3A93B1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=akhilrajeev@nvidia.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=linux-i3c@lists.infradead.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.