From: sashiko-bot@kernel.org
To: tze.yee.ng@altera.com
Cc: imx@lists.linux.dev, Frank.Li@kernel.org,
linux-i3c@lists.infradead.org,
"Alexandre Belloni" <alexandre.belloni@bootlin.com>
Subject: Re: [PATCH v5 2/5] i3c: master: Report actual GET CCC payload length on success
Date: Fri, 03 Jul 2026 11:06:38 +0000 [thread overview]
Message-ID: <20260703110639.748421F000E9@smtp.kernel.org> (raw)
In-Reply-To: <b5899827bdcf3f3097ef4cf5dae221cc5305337c.1783074850.git.tze.yee.ng@altera.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] ADI and Cadence I3C master drivers spoof actual_len, hiding short reads and bypassing core validation.
- [High] Renesas I3C master driver leaves rx_count at 0 for small transfers, breaking device enumeration.
--
commit bc63836138deed26f2a332a0c5e19f4ac088d4ab
Author: Adrian Ng Ho Yin <adrian.ho.yin.ng@altera.com>
i3c: master: Report actual GET CCC payload length on success
Set dests[].payload.actual_len on successful GET CCC transfers in I3C
master drivers so the core can distinguish requested and received
buffer lengths. Switch core GET helpers to use actual_len instead of
len when interpreting GET CCC results.
[ ... ]
> diff --git a/drivers/i3c/master/adi-i3c-master.c b/drivers/i3c/master/adi-i3c-master.c
> index 047081c9f0643..64735b4887261 100644
> --- a/drivers/i3c/master/adi-i3c-master.c
> +++ b/drivers/i3c/master/adi-i3c-master.c
[ ... ]
> @@ -360,6 +360,8 @@ static int adi_i3c_master_send_ccc_cmd(struct i3c_master_controller *m,
> adi_i3c_master_unqueue_xfer(master, xfer);
>
> cmd->err = adi_i3c_cmd_get_err(&xfer->cmds[0]);
> + if (!xfer->ret && cmd->rnw)
> + cmd->dests[0].payload.actual_len = cmd->dests[0].payload.len;
[Severity: High]
Does this unconditionally set actual_len to the requested length, discarding
the true hardware transfer size?
By blindly copying the requested length here, it seems this defeats the new GET
CCC validation logic. If a device returns 0 bytes or a short read, the core
validation could falsely pass, potentially causing the kernel to parse
uninitialized or zero-padded memory as valid device capabilities.
>
> return xfer->ret;
> }
[ ... ]
> diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
> index 6d221596ea357..36998ee4073d7 100644
> --- a/drivers/i3c/master/i3c-master-cdns.c
> +++ b/drivers/i3c/master/i3c-master-cdns.c
[ ... ]
> @@ -714,6 +714,8 @@ static int cdns_i3c_master_send_ccc_cmd(struct i3c_master_controller *m,
>
> ret = xfer->ret;
> cmd->err = cdns_i3c_cmd_get_err(&xfer->cmds[0]);
> + if (!ret && cmd->rnw)
> + cmd->dests[0].payload.actual_len = cmd->dests[0].payload.len;
[Severity: High]
Similar to the ADI driver, does this bypass the core validation by
unconditionally copying the requested length?
If a short read occurs, the driver will incorrectly report a full read instead
of the actual hardware byte count.
> cdns_i3c_master_free_xfer(xfer);
>
> return ret;
[ ... ]
> diff --git a/drivers/i3c/master/renesas-i3c.c b/drivers/i3c/master/renesas-i3c.c
> index f39c449922ca2..fec614700843f 100644
> --- a/drivers/i3c/master/renesas-i3c.c
> +++ b/drivers/i3c/master/renesas-i3c.c
[ ... ]
> @@ -805,6 +805,8 @@ static int renesas_i3c_send_ccc_cmd(struct i3c_master_controller *m,
> ret = xfer->ret;
> if (ret)
> ccc->err = I3C_ERROR_M2;
> + else if (ccc->rnw)
> + ccc->dests[0].payload.actual_len = cmd->rx_count;
[Severity: High]
Does this leave actual_len at 0 for small transfers, breaking device
enumeration?
For small GET CCC reads, if the read buffer full interrupt doesn't
trigger, the transfer completes in renesas_i3c_resp_isr() where it drains the
remaining bytes from the FIFO but doesn't accumulate bytes_remaining into
cmd->rx_count:
drivers/i3c/master/renesas-i3c.c:renesas_i3c_resp_isr() {
...
bytes_remaining = data_len - cmd->rx_count;
i3c_readl_fifo(i3c->regs + NTDTBP0, cmd->rx_buf, bytes_remaining);
...
}
Since cmd->rx_count remains 0, won't this propagate an actual_len of 0 to the
core, causing the core validation to reject the transfer with -EIO?
>
> return ret;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1783074850.git.tze.yee.ng@altera.com?part=2
next prev parent reply other threads:[~2026-07-03 11:06 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 10:51 [PATCH v5 0/5] i3c: Improve CCC reliability with actual_len, validation, and Direct GET retry tze.yee.ng
2026-07-03 10:51 ` [PATCH v5 1/5] i3c: ccc: Add actual_len to struct i3c_ccc_cmd_payload tze.yee.ng
2026-07-03 10:51 ` [PATCH v5 2/5] i3c: master: Report actual GET CCC payload length on success tze.yee.ng
2026-07-03 11:06 ` sashiko-bot [this message]
2026-07-03 10:51 ` [PATCH v5 3/5] i3c: master: dw: Map CCC hardware errors to I3C M0/M2 tze.yee.ng
2026-07-03 10:59 ` sashiko-bot
2026-07-03 10:51 ` [PATCH v5 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once tze.yee.ng
2026-07-03 10:51 ` [PATCH v5 5/5] i3c: master: Add optional_bytes for variable-length GET CCC validation tze.yee.ng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703110639.748421F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=alexandre.belloni@bootlin.com \
--cc=imx@lists.linux.dev \
--cc=linux-i3c@lists.infradead.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=tze.yee.ng@altera.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox