From: sashiko-bot@kernel.org
To: tze.yee.ng@altera.com
Cc: imx@lists.linux.dev,
"Alexandre Belloni" <alexandre.belloni@bootlin.com>,
Frank.Li@kernel.org, linux-i3c@lists.infradead.org
Subject: Re: [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once
Date: Wed, 08 Jul 2026 10:01:41 +0000 [thread overview]
Message-ID: <20260708100141.EAE5D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <b467f01edfaaa0710f30e719ce7f2753b06c1a3f.1783493868.git.tze.yee.ng@altera.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Medium] Indiscriminate retries of internal kernel software errors during I3C CCC GET commands.
Pre-existing issues:
- [High] renesas_i3c_rx_isr overwrites rather than appends to cmd->rx_buf, corrupting long read transfers and causing FIFO underflows.
--
--- Patch [4]: [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once ---
commit 0493e80008c19d117849be20fe713d3e08ab598e
Author: Adrian Ng Ho Yin <adrian.ho.yin.ng@altera.com>
i3c: master: Validate GET CCC payload length and retry Direct GET once
This commit adds retry logic for Direct GET CCC commands and validates
the payload length of GET CCCs after a successful transfer. Failed Direct
GET CCCs are retried up to cmd->retries times when the driver reports
failure or an I3C error.
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index 3666d011f10ea..965d74e6bf166 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
[ ... ]
> @@ -1005,7 +1037,25 @@ static int i3c_master_send_ccc_cmd_locked(struct i3c_master_controller *master,
> !master->ops->supports_ccc_cmd(master, cmd))
> return -EOPNOTSUPP;
>
> - return master->ops->send_ccc_cmd(master, cmd);
> + max_attempts = cmd->retries + 1;
> + ret = -EIO;
> + for (attempt = 0; attempt < max_attempts; attempt++) {
> + unsigned int i;
> +
> + if (cmd->rnw)
> + for (i = 0; i < cmd->ndests; i++)
> + cmd->dests[i].payload.actual_len = 0;
> +
> + cmd->err = I3C_ERROR_UNKNOWN;
> + ret = master->ops->send_ccc_cmd(master, cmd);
> + if (!ret && cmd->err == I3C_ERROR_UNKNOWN)
> + break;
[Severity: Medium]
Does this loop also retry internal kernel software errors?
If a host software error occurs (for example, -ENOMEM during DMA descriptor
allocation, or -EOPNOTSUPP), master->ops->send_ccc_cmd() will return the
error code. This bypasses the !ret break condition, causing the loop to
retry indiscriminately.
Should the loop explicitly distinguish between bus-level I3C errors that
need retries and local software errors that should immediately abort?
> + }
> +
> + if (!ret)
> + ret = i3c_ccc_validate_payload_len(cmd);
> +
> + return ret;
> }
[ ... ]
While reviewing the retries for GET CCC commands, I noticed a separate issue
in the Renesas I3C driver's receive interrupt handler:
drivers/i3c/master/renesas-i3c.c:renesas_i3c_rx_isr() {
...
} else {
read_bytes = NDBSTLV0_RDBLV(renesas_readl(i3c->regs, NDBSTLV0)) * sizeof(u32);
i3c_readl_fifo(i3c->regs + NTDTBP0, cmd->rx_buf, read_bytes);
cmd->rx_count = read_bytes;
}
...
}
[Severity: High]
This isn't a bug introduced by this patch, but does this overwrite the
receive buffer rather than appending to it?
When an I3C read transfer exceeds the FIFO threshold, renesas_i3c_rx_isr()
fires multiple times. Instead of appending received bytes to
cmd->rx_buf + cmd->rx_count and accumulating cmd->rx_count += read_bytes, it
writes to the base address of cmd->rx_buf and resets cmd->rx_count.
Later, renesas_i3c_resp_isr() calculates bytes_remaining = data_len -
cmd->rx_count. Because rx_count only reflects the size of the last chunk,
bytes_remaining exceeds the actual data left in the FIFO, which could cause
an underflow and read garbage data.
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1783493867.git.tze.yee.ng@altera.com?part=4
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
WARNING: multiple messages have this Message-ID (diff)
From: sashiko-bot@kernel.org
To: tze.yee.ng@altera.com
Cc: imx@lists.linux.dev,
"Alexandre Belloni" <alexandre.belloni@bootlin.com>,
Frank.Li@kernel.org, linux-i3c@lists.infradead.org
Subject: Re: [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once
Date: Wed, 08 Jul 2026 10:01:41 +0000 [thread overview]
Message-ID: <20260708100141.EAE5D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <b467f01edfaaa0710f30e719ce7f2753b06c1a3f.1783493868.git.tze.yee.ng@altera.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Medium] Indiscriminate retries of internal kernel software errors during I3C CCC GET commands.
Pre-existing issues:
- [High] renesas_i3c_rx_isr overwrites rather than appends to cmd->rx_buf, corrupting long read transfers and causing FIFO underflows.
--
--- Patch [4]: [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once ---
commit 0493e80008c19d117849be20fe713d3e08ab598e
Author: Adrian Ng Ho Yin <adrian.ho.yin.ng@altera.com>
i3c: master: Validate GET CCC payload length and retry Direct GET once
This commit adds retry logic for Direct GET CCC commands and validates
the payload length of GET CCCs after a successful transfer. Failed Direct
GET CCCs are retried up to cmd->retries times when the driver reports
failure or an I3C error.
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index 3666d011f10ea..965d74e6bf166 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
[ ... ]
> @@ -1005,7 +1037,25 @@ static int i3c_master_send_ccc_cmd_locked(struct i3c_master_controller *master,
> !master->ops->supports_ccc_cmd(master, cmd))
> return -EOPNOTSUPP;
>
> - return master->ops->send_ccc_cmd(master, cmd);
> + max_attempts = cmd->retries + 1;
> + ret = -EIO;
> + for (attempt = 0; attempt < max_attempts; attempt++) {
> + unsigned int i;
> +
> + if (cmd->rnw)
> + for (i = 0; i < cmd->ndests; i++)
> + cmd->dests[i].payload.actual_len = 0;
> +
> + cmd->err = I3C_ERROR_UNKNOWN;
> + ret = master->ops->send_ccc_cmd(master, cmd);
> + if (!ret && cmd->err == I3C_ERROR_UNKNOWN)
> + break;
[Severity: Medium]
Does this loop also retry internal kernel software errors?
If a host software error occurs (for example, -ENOMEM during DMA descriptor
allocation, or -EOPNOTSUPP), master->ops->send_ccc_cmd() will return the
error code. This bypasses the !ret break condition, causing the loop to
retry indiscriminately.
Should the loop explicitly distinguish between bus-level I3C errors that
need retries and local software errors that should immediately abort?
> + }
> +
> + if (!ret)
> + ret = i3c_ccc_validate_payload_len(cmd);
> +
> + return ret;
> }
[ ... ]
While reviewing the retries for GET CCC commands, I noticed a separate issue
in the Renesas I3C driver's receive interrupt handler:
drivers/i3c/master/renesas-i3c.c:renesas_i3c_rx_isr() {
...
} else {
read_bytes = NDBSTLV0_RDBLV(renesas_readl(i3c->regs, NDBSTLV0)) * sizeof(u32);
i3c_readl_fifo(i3c->regs + NTDTBP0, cmd->rx_buf, read_bytes);
cmd->rx_count = read_bytes;
}
...
}
[Severity: High]
This isn't a bug introduced by this patch, but does this overwrite the
receive buffer rather than appending to it?
When an I3C read transfer exceeds the FIFO threshold, renesas_i3c_rx_isr()
fires multiple times. Instead of appending received bytes to
cmd->rx_buf + cmd->rx_count and accumulating cmd->rx_count += read_bytes, it
writes to the base address of cmd->rx_buf and resets cmd->rx_count.
Later, renesas_i3c_resp_isr() calculates bytes_remaining = data_len -
cmd->rx_count. Because rx_count only reflects the size of the last chunk,
bytes_remaining exceeds the actual data left in the FIFO, which could cause
an underflow and read garbage data.
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1783493867.git.tze.yee.ng@altera.com?part=4
next prev parent reply other threads:[~2026-07-08 10:01 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 7:17 [PATCH v6 0/5] i3c: Improve CCC reliability with actual_len, validation, and Direct GET retry tze.yee.ng
2026-07-08 7:17 ` tze.yee.ng
2026-07-08 7:17 ` [PATCH v6 1/5] i3c: ccc: Add actual_len to struct i3c_ccc_cmd_payload tze.yee.ng
2026-07-08 7:17 ` tze.yee.ng
2026-07-08 13:11 ` Frank Li
2026-07-08 13:11 ` Frank Li
2026-07-08 14:52 ` Alexandre Mergnat
2026-07-08 14:52 ` Alexandre Mergnat
2026-07-08 7:17 ` [PATCH v6 2/5] i3c: master: Report actual GET CCC payload length on success tze.yee.ng
2026-07-08 7:17 ` tze.yee.ng
2026-07-08 9:44 ` sashiko-bot
2026-07-08 9:44 ` sashiko-bot
2026-07-08 13:16 ` Frank Li
2026-07-08 13:16 ` Frank Li
2026-07-08 14:52 ` Alexandre Mergnat
2026-07-08 14:52 ` Alexandre Mergnat
2026-07-08 7:17 ` [PATCH v6 3/5] i3c: master: dw: Map CCC hardware errors to I3C M0/M2 tze.yee.ng
2026-07-08 7:17 ` tze.yee.ng
2026-07-08 13:20 ` Frank Li
2026-07-08 13:20 ` Frank Li
2026-07-08 7:17 ` [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once tze.yee.ng
2026-07-08 7:17 ` tze.yee.ng
2026-07-08 10:01 ` sashiko-bot [this message]
2026-07-08 10:01 ` sashiko-bot
2026-07-08 14:53 ` Frank Li
2026-07-08 14:53 ` Frank Li
2026-07-08 15:19 ` Alexandre Mergnat
2026-07-08 15:19 ` Alexandre Mergnat
2026-07-08 7:17 ` [PATCH v6 5/5] i3c: master: Add optional_bytes for variable-length GET CCC validation tze.yee.ng
2026-07-08 7:17 ` tze.yee.ng
2026-07-08 15:01 ` Frank Li
2026-07-08 15:01 ` Frank Li
2026-07-09 2:56 ` NG, TZE YEE
2026-07-09 2:56 ` NG, TZE YEE
2026-07-09 3:37 ` Frank Li
2026-07-09 3:37 ` Frank Li
2026-07-09 11:32 ` Alexandre Mergnat
2026-07-09 11:32 ` Alexandre Mergnat
2026-07-13 13:58 ` [PATCH v6 0/5] i3c: Improve CCC reliability with actual_len, validation, and Direct GET retry claudiu beznea
2026-07-13 13:58 ` claudiu beznea
2026-07-13 17:27 ` Tommaso Merciai
2026-07-13 17:27 ` Tommaso Merciai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260708100141.EAE5D1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=alexandre.belloni@bootlin.com \
--cc=imx@lists.linux.dev \
--cc=linux-i3c@lists.infradead.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=tze.yee.ng@altera.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.