* i3c: master: svc: IBI payload not bounded by max_payload_len
@ 2026-06-23 8:17 ` Maoyi Xie
0 siblings, 0 replies; 4+ messages in thread
From: Maoyi Xie @ 2026-06-23 8:17 UTC (permalink / raw)
To: Miquel Raynal, Frank Li; +Cc: Alexandre Belloni, linux-i3c, linux-kernel
Hi all,
I think svc_i3c_master_handle_ibi() in drivers/i3c/master/svc-i3c-master.c
can write past the IBI slot buffer when a device sends a large IBI payload.
I would appreciate it if you could let me know whether you agree.
The read loop bounds the slot only by the hardware FIFO size, not by the
requested max_payload_len.
slot->len = 0;
buf = slot->data;
while (SVC_I3C_MSTATUS_RXPEND(...) && slot->len < SVC_I3C_FIFO_SIZE) {
mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
slot->len += count;
buf += count;
}
slot->data points into the IBI pool. i3c_generic_ibi_alloc_pool() sizes each
slot at max_payload_len. svc_i3c_master_request_ibi() only rejects a
max_payload_len above SVC_I3C_FIFO_SIZE (16). So a driver can ask for a small
window, and mctp-i3c asks for 1. count comes from the controller RXCOUNT
field and can be up to 31. The loop stops at SVC_I3C_FIFO_SIZE, not at the
window. A device that sends more bytes than the window overruns slot->data
into the pool.
dw-i3c and mipi-i3c-hci bound this same read against max_payload_len. dw-i3c
has "if (dev->ibi->max_payload_len < len)". svc looks like the one that
bounds by the FIFO size instead.
I reproduced the write on 7.1-rc7 by running the same loop into a 2 byte
window.
BUG: KASAN: slab-out-of-bounds in ...
... located 0 bytes to the right of a 2-byte region ... Write
Bounding the drain by max_payload_len, like dw-i3c does, would close it.
Does this look like a real bug to you, and is that the right fix? I am happy
to send a proper patch once you confirm.
Kaixuan Li and I found this together.
Thanks,
Maoyi
https://maoyixie.com/
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 4+ messages in thread* i3c: master: svc: IBI payload not bounded by max_payload_len
@ 2026-06-23 8:17 ` Maoyi Xie
0 siblings, 0 replies; 4+ messages in thread
From: Maoyi Xie @ 2026-06-23 8:17 UTC (permalink / raw)
To: Miquel Raynal, Frank Li; +Cc: Alexandre Belloni, linux-i3c, linux-kernel
Hi all,
I think svc_i3c_master_handle_ibi() in drivers/i3c/master/svc-i3c-master.c
can write past the IBI slot buffer when a device sends a large IBI payload.
I would appreciate it if you could let me know whether you agree.
The read loop bounds the slot only by the hardware FIFO size, not by the
requested max_payload_len.
slot->len = 0;
buf = slot->data;
while (SVC_I3C_MSTATUS_RXPEND(...) && slot->len < SVC_I3C_FIFO_SIZE) {
mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
slot->len += count;
buf += count;
}
slot->data points into the IBI pool. i3c_generic_ibi_alloc_pool() sizes each
slot at max_payload_len. svc_i3c_master_request_ibi() only rejects a
max_payload_len above SVC_I3C_FIFO_SIZE (16). So a driver can ask for a small
window, and mctp-i3c asks for 1. count comes from the controller RXCOUNT
field and can be up to 31. The loop stops at SVC_I3C_FIFO_SIZE, not at the
window. A device that sends more bytes than the window overruns slot->data
into the pool.
dw-i3c and mipi-i3c-hci bound this same read against max_payload_len. dw-i3c
has "if (dev->ibi->max_payload_len < len)". svc looks like the one that
bounds by the FIFO size instead.
I reproduced the write on 7.1-rc7 by running the same loop into a 2 byte
window.
BUG: KASAN: slab-out-of-bounds in ...
... located 0 bytes to the right of a 2-byte region ... Write
Bounding the drain by max_payload_len, like dw-i3c does, would close it.
Does this look like a real bug to you, and is that the right fix? I am happy
to send a proper patch once you confirm.
Kaixuan Li and I found this together.
Thanks,
Maoyi
https://maoyixie.com/
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: i3c: master: svc: IBI payload not bounded by max_payload_len
2026-06-23 8:17 ` Maoyi Xie
@ 2026-06-23 14:36 ` Miquel Raynal
-1 siblings, 0 replies; 4+ messages in thread
From: Miquel Raynal @ 2026-06-23 14:36 UTC (permalink / raw)
To: Maoyi Xie; +Cc: Frank Li, Alexandre Belloni, linux-i3c, linux-kernel
Hi,
On 23/06/2026 at 16:17:38 +08, Maoyi Xie <maoyixie.tju@gmail.com> wrote:
> Hi all,
>
> I think svc_i3c_master_handle_ibi() in drivers/i3c/master/svc-i3c-master.c
> can write past the IBI slot buffer when a device sends a large IBI payload.
> I would appreciate it if you could let me know whether you agree.
>
> The read loop bounds the slot only by the hardware FIFO size, not by the
> requested max_payload_len.
>
> slot->len = 0;
> buf = slot->data;
> while (SVC_I3C_MSTATUS_RXPEND(...) && slot->len < SVC_I3C_FIFO_SIZE) {
> mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
> count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
> readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
> slot->len += count;
> buf += count;
> }
>
> slot->data points into the IBI pool. i3c_generic_ibi_alloc_pool() sizes each
> slot at max_payload_len. svc_i3c_master_request_ibi() only rejects a
> max_payload_len above SVC_I3C_FIFO_SIZE (16). So a driver can ask for a small
> window, and mctp-i3c asks for 1. count comes from the controller RXCOUNT
> field and can be up to 31. The loop stops at SVC_I3C_FIFO_SIZE, not at the
> window. A device that sends more bytes than the window overruns slot->data
> into the pool.
It is indeed possible. Please send a patch!
Thanks,
Miquèl
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: i3c: master: svc: IBI payload not bounded by max_payload_len
@ 2026-06-23 14:36 ` Miquel Raynal
0 siblings, 0 replies; 4+ messages in thread
From: Miquel Raynal @ 2026-06-23 14:36 UTC (permalink / raw)
To: Maoyi Xie; +Cc: Frank Li, Alexandre Belloni, linux-i3c, linux-kernel
Hi,
On 23/06/2026 at 16:17:38 +08, Maoyi Xie <maoyixie.tju@gmail.com> wrote:
> Hi all,
>
> I think svc_i3c_master_handle_ibi() in drivers/i3c/master/svc-i3c-master.c
> can write past the IBI slot buffer when a device sends a large IBI payload.
> I would appreciate it if you could let me know whether you agree.
>
> The read loop bounds the slot only by the hardware FIFO size, not by the
> requested max_payload_len.
>
> slot->len = 0;
> buf = slot->data;
> while (SVC_I3C_MSTATUS_RXPEND(...) && slot->len < SVC_I3C_FIFO_SIZE) {
> mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
> count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
> readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
> slot->len += count;
> buf += count;
> }
>
> slot->data points into the IBI pool. i3c_generic_ibi_alloc_pool() sizes each
> slot at max_payload_len. svc_i3c_master_request_ibi() only rejects a
> max_payload_len above SVC_I3C_FIFO_SIZE (16). So a driver can ask for a small
> window, and mctp-i3c asks for 1. count comes from the controller RXCOUNT
> field and can be up to 31. The loop stops at SVC_I3C_FIFO_SIZE, not at the
> window. A device that sends more bytes than the window overruns slot->data
> into the pool.
It is indeed possible. Please send a patch!
Thanks,
Miquèl
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-06-23 14:36 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-23 8:17 i3c: master: svc: IBI payload not bounded by max_payload_len Maoyi Xie
2026-06-23 8:17 ` Maoyi Xie
2026-06-23 14:36 ` Miquel Raynal
2026-06-23 14:36 ` Miquel Raynal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.