From: sashiko-bot@kernel.org
To: "Akhil R" <akhilrajeev@nvidia.com>
Cc: robh@kernel.org, conor+dt@kernel.org, Frank.Li@kernel.org,
linux-i3c@lists.infradead.org, linux-hwmon@vger.kernel.org,
devicetree@vger.kernel.org
Subject: Re: [PATCH v5 06/12] i3c: master: match I3C device through DT and ACPI
Date: Wed, 24 Jun 2026 10:42:49 +0000 [thread overview]
Message-ID: <20260624104250.2B70F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260624102153.1770072-7-akhilrajeev@nvidia.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Suppressing the native I3C modalias breaks module autoloading for standard (non-SETAASA) I3C devices that possess an OF or ACPI node.
Pre-existing issues:
- [Critical] Kernel stack memory disclosure in `i3c_device_uevent`, `modalias_show`, and `i3c_device_match_id` when `i3cdev->desc` is NULL.
- [High] Lockless access to `i3cdev->desc` in `i3c_device_match()` can lead to a Use-After-Free during concurrent DAA or Hot-Join operations.
--
commit 027ebb9082e984584613be936bd42a0829ebd9c6
Author: Akhil R <akhilrajeev@nvidia.com>
i3c: master: match I3C device through DT and ACPI
This patch allows SETAASA-based I3C devices to match through Device Tree
or ACPI when they cannot be identified by PID or DCR. It emits OF and ACPI
modaliases so firmware-matched devices can autoload their drivers.
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
> @@ -320,6 +321,15 @@ static int i3c_device_uevent(const struct device *dev, struct kobj_uevent_env *e
> const struct i3c_device *i3cdev = dev_to_i3cdev(dev);
> struct i3c_device_info devinfo;
> u16 manuf, part, ext;
> + int rc;
> +
> + rc = of_device_uevent_modalias(dev, env);
> + if (rc != -ENODEV)
> + return rc;
[Severity: High]
Does returning early here break module autoloading for standard I3C devices
that have an OF or ACPI node?
If a standard non-SETAASA device has an OF node, it will only emit the
of: modalias and skip generating the standard i3c: modalias.
If the device's driver only provides an I3C id_table, udev might fail to
find a matching module. Furthermore, since i3c_device_match() restricts
of_driver_match_device() strictly to devices with the
I3C_ADDR_METHOD_SETAASA flag, standard I3C devices wouldn't be able to match
via Device Tree either.
> +
> + rc = acpi_device_uevent_modalias(dev, env);
> + if (rc != -ENODEV)
> + return rc;
>
> if (i3cdev->desc)
> devinfo = i3cdev->desc->info;
[Severity: Critical]
This is a pre-existing issue, but can this leak uninitialized stack memory
to userspace?
When a device is unregistered, i3c_master_unregister_i3c_devs() sets
i3cdev->dev->desc = NULL before calling device_unregister(). This triggers
a uevent that calls i3c_device_uevent().
If i3cdev->desc is NULL, the devinfo stack variable is never initialized,
but its contents (like devinfo.pid and devinfo.dcr) are still used to
construct the modalias string right below this block.
Could this expose kernel stack memory via netlink messages, or via sysfs
reads in modalias_show()? A similar uninitialized read also occurs in
i3c_device_match_id() when i3c_device_get_info() is called with a NULL
descriptor.
[ ... ]
> @@ -345,15 +355,32 @@ static int i3c_device_match(struct device *dev, const struct device_driver *drv)
> {
> struct i3c_device *i3cdev;
> const struct i3c_driver *i3cdrv;
> + u8 static_addr_method = 0;
>
> if (dev->type != &i3c_device_type)
> return 0;
>
> i3cdev = dev_to_i3cdev(dev);
> i3cdrv = drv_to_i3cdrv(drv);
> - if (i3c_device_match_id(i3cdev, i3cdrv->id_table))
> +
> + if (i3cdev->desc && i3cdev->desc->boardinfo)
> + static_addr_method = i3cdev->desc->boardinfo->static_addr_method;
[Severity: High]
This is a pre-existing issue, but is it safe to access i3cdev->desc here
without holding the bus read lock?
During dynamic address assignment or hot-join operations,
__i3c_master_add_i3c_dev_locked() may find a duplicate device, reassign
a new descriptor, and free the old descriptor.
Since i3c_device_match() is called by the driver core without acquiring
the bus lock, might a concurrent hot-join thread free i3cdev->desc while
it is being dereferenced here, leading to a use-after-free? This same race
could happen when i3cdev->desc->info is accessed by i3c_device_get_info()
during matching.
> +
> + /*
> + * SETAASA-based devices need not always have a matching ID since
> + * it is not mandatory for such devices to implement deviceinfo
> + * CCC commands. Allow them to register through DT or ACPI.
> + */
> + if (i3cdrv->id_table && i3c_device_match_id(i3cdev, i3cdrv->id_table))
> return 1;
>
> + if (static_addr_method & I3C_ADDR_METHOD_SETAASA) {
> + if (of_driver_match_device(dev, drv))
> + return 1;
> + if (acpi_driver_match_device(dev, drv))
> + return 1;
> + }
> +
> return 0;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260624102153.1770072-1-akhilrajeev@nvidia.com?part=6
WARNING: multiple messages have this Message-ID (diff)
From: sashiko-bot@kernel.org
To: "Akhil R" <akhilrajeev@nvidia.com>
Cc: robh@kernel.org, conor+dt@kernel.org, Frank.Li@kernel.org,
linux-i3c@lists.infradead.org, linux-hwmon@vger.kernel.org,
devicetree@vger.kernel.org
Subject: Re: [PATCH v5 06/12] i3c: master: match I3C device through DT and ACPI
Date: Wed, 24 Jun 2026 10:42:49 +0000 [thread overview]
Message-ID: <20260624104250.2B70F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260624102153.1770072-7-akhilrajeev@nvidia.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Suppressing the native I3C modalias breaks module autoloading for standard (non-SETAASA) I3C devices that possess an OF or ACPI node.
Pre-existing issues:
- [Critical] Kernel stack memory disclosure in `i3c_device_uevent`, `modalias_show`, and `i3c_device_match_id` when `i3cdev->desc` is NULL.
- [High] Lockless access to `i3cdev->desc` in `i3c_device_match()` can lead to a Use-After-Free during concurrent DAA or Hot-Join operations.
--
commit 027ebb9082e984584613be936bd42a0829ebd9c6
Author: Akhil R <akhilrajeev@nvidia.com>
i3c: master: match I3C device through DT and ACPI
This patch allows SETAASA-based I3C devices to match through Device Tree
or ACPI when they cannot be identified by PID or DCR. It emits OF and ACPI
modaliases so firmware-matched devices can autoload their drivers.
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
> @@ -320,6 +321,15 @@ static int i3c_device_uevent(const struct device *dev, struct kobj_uevent_env *e
> const struct i3c_device *i3cdev = dev_to_i3cdev(dev);
> struct i3c_device_info devinfo;
> u16 manuf, part, ext;
> + int rc;
> +
> + rc = of_device_uevent_modalias(dev, env);
> + if (rc != -ENODEV)
> + return rc;
[Severity: High]
Does returning early here break module autoloading for standard I3C devices
that have an OF or ACPI node?
If a standard non-SETAASA device has an OF node, it will only emit the
of: modalias and skip generating the standard i3c: modalias.
If the device's driver only provides an I3C id_table, udev might fail to
find a matching module. Furthermore, since i3c_device_match() restricts
of_driver_match_device() strictly to devices with the
I3C_ADDR_METHOD_SETAASA flag, standard I3C devices wouldn't be able to match
via Device Tree either.
> +
> + rc = acpi_device_uevent_modalias(dev, env);
> + if (rc != -ENODEV)
> + return rc;
>
> if (i3cdev->desc)
> devinfo = i3cdev->desc->info;
[Severity: Critical]
This is a pre-existing issue, but can this leak uninitialized stack memory
to userspace?
When a device is unregistered, i3c_master_unregister_i3c_devs() sets
i3cdev->dev->desc = NULL before calling device_unregister(). This triggers
a uevent that calls i3c_device_uevent().
If i3cdev->desc is NULL, the devinfo stack variable is never initialized,
but its contents (like devinfo.pid and devinfo.dcr) are still used to
construct the modalias string right below this block.
Could this expose kernel stack memory via netlink messages, or via sysfs
reads in modalias_show()? A similar uninitialized read also occurs in
i3c_device_match_id() when i3c_device_get_info() is called with a NULL
descriptor.
[ ... ]
> @@ -345,15 +355,32 @@ static int i3c_device_match(struct device *dev, const struct device_driver *drv)
> {
> struct i3c_device *i3cdev;
> const struct i3c_driver *i3cdrv;
> + u8 static_addr_method = 0;
>
> if (dev->type != &i3c_device_type)
> return 0;
>
> i3cdev = dev_to_i3cdev(dev);
> i3cdrv = drv_to_i3cdrv(drv);
> - if (i3c_device_match_id(i3cdev, i3cdrv->id_table))
> +
> + if (i3cdev->desc && i3cdev->desc->boardinfo)
> + static_addr_method = i3cdev->desc->boardinfo->static_addr_method;
[Severity: High]
This is a pre-existing issue, but is it safe to access i3cdev->desc here
without holding the bus read lock?
During dynamic address assignment or hot-join operations,
__i3c_master_add_i3c_dev_locked() may find a duplicate device, reassign
a new descriptor, and free the old descriptor.
Since i3c_device_match() is called by the driver core without acquiring
the bus lock, might a concurrent hot-join thread free i3cdev->desc while
it is being dereferenced here, leading to a use-after-free? This same race
could happen when i3cdev->desc->info is accessed by i3c_device_get_info()
during matching.
> +
> + /*
> + * SETAASA-based devices need not always have a matching ID since
> + * it is not mandatory for such devices to implement deviceinfo
> + * CCC commands. Allow them to register through DT or ACPI.
> + */
> + if (i3cdrv->id_table && i3c_device_match_id(i3cdev, i3cdrv->id_table))
> return 1;
>
> + if (static_addr_method & I3C_ADDR_METHOD_SETAASA) {
> + if (of_driver_match_device(dev, drv))
> + return 1;
> + if (acpi_driver_match_device(dev, drv))
> + return 1;
> + }
> +
> return 0;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260624102153.1770072-1-akhilrajeev@nvidia.com?part=6
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
next prev parent reply other threads:[~2026-06-24 10:42 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-24 10:20 [PATCH v5 00/12] Support ACPI and SETAASA device discovery Akhil R
2026-06-24 10:20 ` Akhil R
2026-06-24 10:20 ` [PATCH v5 01/12] dt-bindings: i3c: Add mipi-i3c-static-method to support SETAASA Akhil R
2026-06-24 10:20 ` Akhil R
2026-06-24 10:30 ` sashiko-bot
2026-06-24 10:30 ` sashiko-bot
2026-06-24 10:20 ` [PATCH v5 02/12] i3c: master: Use unified device property interface Akhil R
2026-06-24 10:20 ` Akhil R
2026-06-24 10:48 ` sashiko-bot
2026-06-24 10:48 ` sashiko-bot
2026-06-24 10:20 ` [PATCH v5 03/12] i3c: master: Support ACPI enumeration of child devices Akhil R
2026-06-24 10:20 ` Akhil R
2026-06-24 10:38 ` sashiko-bot
2026-06-24 10:38 ` sashiko-bot
2026-06-24 10:20 ` [PATCH v5 04/12] i3c: master: Add support for devices using SETAASA Akhil R
2026-06-24 10:20 ` Akhil R
2026-06-24 10:43 ` sashiko-bot
2026-06-24 10:43 ` sashiko-bot
2026-06-24 17:57 ` Frank Li
2026-06-24 17:57 ` Frank Li
2026-06-24 10:20 ` [PATCH v5 05/12] i3c: master: Add support for devices without PID Akhil R
2026-06-24 10:20 ` Akhil R
2026-06-24 10:45 ` sashiko-bot
2026-06-24 10:45 ` sashiko-bot
2026-06-24 10:21 ` [PATCH v5 06/12] i3c: master: match I3C device through DT and ACPI Akhil R
2026-06-24 10:21 ` Akhil R
2026-06-24 10:42 ` sashiko-bot [this message]
2026-06-24 10:42 ` sashiko-bot
2026-06-24 10:21 ` [PATCH v5 07/12] i3c: dw-i3c-master: Add SETAASA as supported CCC Akhil R
2026-06-24 10:21 ` Akhil R
2026-06-24 10:34 ` sashiko-bot
2026-06-24 10:34 ` sashiko-bot
2026-06-24 10:21 ` [PATCH v5 08/12] i3c: dw-i3c-master: Add ACPI core clock frequency quirk Akhil R
2026-06-24 10:21 ` Akhil R
2026-06-24 10:45 ` sashiko-bot
2026-06-24 10:45 ` sashiko-bot
2026-06-24 10:21 ` [PATCH v5 09/12] i3c: dw-i3c-master: Add ACPI ID for Tegra410 Akhil R
2026-06-24 10:21 ` Akhil R
2026-06-24 10:32 ` sashiko-bot
2026-06-24 10:32 ` sashiko-bot
2026-06-24 10:21 ` [PATCH v5 10/12] hwmon: spd5118: Remove 16-bit addressing Akhil R
2026-06-24 10:21 ` Akhil R
2026-06-24 10:33 ` sashiko-bot
2026-06-24 10:33 ` sashiko-bot
2026-06-24 10:21 ` [PATCH v5 11/12] hwmon: spd5118: Add I3C support Akhil R
2026-06-24 10:21 ` Akhil R
2026-06-24 10:49 ` sashiko-bot
2026-06-24 10:49 ` sashiko-bot
2026-06-24 10:21 ` [PATCH v5 12/12] arm64: defconfig: Enable I3C and SPD5118 hwmon Akhil R
2026-06-24 10:21 ` Akhil R
2026-06-24 10:40 ` sashiko-bot
2026-06-24 10:40 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260624104250.2B70F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=akhilrajeev@nvidia.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=linux-i3c@lists.infradead.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.