Linux kernel and device drivers for NXP i.MX platforms
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: tze.yee.ng@altera.com
Cc: "Alexandre Belloni" <alexandre.belloni@bootlin.com>,
	linux-i3c@lists.infradead.org, Frank.Li@kernel.org,
	imx@lists.linux.dev
Subject: Re: [PATCH v6 2/5] i3c: master: Report actual GET CCC payload length on success
Date: Wed, 08 Jul 2026 09:44:28 +0000	[thread overview]
Message-ID: <20260708094428.A712F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <6c66571ae7166aa4b87616d900e6d643631ac355.1783493868.git.tze.yee.ng@altera.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

Pre-existing issues:
- [High] This problem wasn't introduced by this patch, but the Renesas I3C driver suffers from a KASAN out-of-bounds write and data corruption due to unbounded FIFO reads and missing buffer pointer accumulation.
- [High] This problem wasn't introduced by this patch, but the Silvaco I3C master driver mixes 32-bit register accessors (`readl`) and 8-bit stream accessors (`readsb`) on the same `SVC_I3C_MRDATAB` FIFO, causing endianness portability bugs.
- [High] This problem wasn't introduced by this patch, but the missing hardware abort on transfer timeout in the Renesas I3C driver leads to NULL pointer dereferences or cross-transfer state corruption.
--

--- Patch [2]: [PATCH v6 2/5] i3c: master: Report actual GET CCC payload length on success ---
commit fb225c2de835cd1f0fc73a0e9829ada753363f62
Author: Adrian Ng Ho Yin <adrian.ho.yin.ng@altera.com>

i3c: master: Report actual GET CCC payload length on success

Set dests[].payload.actual_len on successful GET CCC transfers in I3C
master drivers so the core can distinguish requested and received
buffer lengths. Switch core GET helpers to use actual_len instead of
len when interpreting GET CCC results.

> diff --git a/drivers/i3c/master/renesas-i3c.c b/drivers/i3c/master/renesas-i3c.c
> index f39c449922ca2..25a2b2ed618ed 100644
> --- a/drivers/i3c/master/renesas-i3c.c
> +++ b/drivers/i3c/master/renesas-i3c.c

[ ... ]

> @@ -1072,10 +1074,16 @@ static irqreturn_t renesas_i3c_resp_isr(int irq, void *data)

[Severity: High]
This isn't a bug introduced by this patch, but what happens if a transfer
times out and we later receive a delayed hardware completion in this ISR?

If a timeout occurs, renesas_i3c_dequeue_xfer_locked() removes the transfer
from the software queue:

    if (i3c->xferqueue.cur == xfer)
        i3c->xferqueue.cur = NULL;

If this happens without issuing an abort command to the hardware, when the
hardware eventually completes the timed-out transfer, wouldn't
renesas_i3c_resp_isr() blindly dereference the now-NULL i3c->xferqueue.cur
pointer when pulling the command state?

    xfer = i3c->xferqueue.cur;
    cmd = xfer->cmds;
    ...
    cmd->rx_count = data_len;

Could this lead to a kernel panic or cross-transfer state corruption?

>  			break;
>  		case I3C_INTERNAL_STATE_CONTROLLER_READ:
>  		case I3C_INTERNAL_STATE_CONTROLLER_COMMAND_READ:
> -			if (NDBSTLV0_RDBLV(renesas_readl(i3c->regs, NDBSTLV0)) && !cmd->err)
> -				bytes_remaining = data_len - cmd->rx_count;
> -
> -			i3c_readl_fifo(i3c->regs + NTDTBP0, cmd->rx_buf, bytes_remaining);
> +			if (!cmd->err) {
> +				u32 rx_count = min(cmd->rx_count, data_len);

[Severity: High]
This isn't a bug introduced by this patch, but while clamping rx_count
here to prevent unsigned underflows, is it possible we still have a memory
corruption issue originating in renesas_i3c_rx_isr()?

Currently, renesas_i3c_rx_isr() calculates read_bytes rounded up to a
4-byte multiple and reads into cmd->rx_buf:

    read_bytes = NDBSTLV0_RDBLV(renesas_readl(i3c->regs, NDBSTLV0)) * sizeof(u32);
    i3c_readl_fifo(i3c->regs + NTDTBP0, cmd->rx_buf, read_bytes);
    cmd->rx_count = read_bytes;

Could this write past the end of the allocated payload buffer for small
unaligned GET CCCs?

Additionally, for large transfers triggering multiple interrupts, it looks
like rx_count is overwritten instead of accumulated, and the rx_buf pointer
is not advanced. Could this cause subsequent chunks to overwrite the
beginning of the buffer?

> +
> +				bytes_remaining = data_len - rx_count;
> +				if (bytes_remaining)
> +					i3c_readl_fifo(i3c->regs + NTDTBP0,
> +						       cmd->rx_buf + rx_count,
> +						       bytes_remaining);
> +				cmd->rx_count = data_len;
> +			}
>  			renesas_clear_bit(i3c->regs, NTIE, NTIE_RDBFIE0);
>  			break;
>  		default:

[ ... ]

> diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c
> index 486c22840ea9a..e700392f0801f 100644
> --- a/drivers/i3c/master/svc-i3c-master.c
> +++ b/drivers/i3c/master/svc-i3c-master.c

[ ... ]

> @@ -1725,8 +1725,8 @@ static int svc_i3c_master_send_direct_ccc_cmd(struct svc_i3c_master *master,
>  		svc_i3c_master_dequeue_xfer(master, xfer);
>  	mutex_unlock(&master->lock);
>  
> -	if (cmd->actual_len != xfer_len)
> -		ccc->dests[0].payload.len = cmd->actual_len;
> +	if (ccc->rnw)
> +		ccc->dests[0].payload.actual_len = cmd->actual_len;

[Severity: High]
This isn't a bug introduced by this patch, but looking at the Silvaco driver
as a whole, is there an endianness portability issue with the FIFO reads?

In svc_i3c_master_read(), the 32-bit register accessor readl() is used
to read from the stream FIFO, which performs a CPU-to-LE byte-swap:

    for (i = 0; i < count; i++)
        in[offset + i] = readl(master->regs + SVC_I3C_MRDATAB);

However, svc_i3c_master_handle_ibi() accesses the exact same FIFO using
the 8-bit stream accessor readsb(), which does no byte-swapping:

    readsb(master->regs + SVC_I3C_MRDATAB, buf, count);

Could mixing these accessor families cause data corruption on big-endian
architectures due to inconsistent byte-swapping behavior?

>  
>  	ret = xfer->ret;
>  	svc_i3c_master_free_xfer(xfer);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1783493867.git.tze.yee.ng@altera.com?part=2

  reply	other threads:[~2026-07-08  9:44 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-08  7:17 [PATCH v6 0/5] i3c: Improve CCC reliability with actual_len, validation, and Direct GET retry tze.yee.ng
2026-07-08  7:17 ` [PATCH v6 1/5] i3c: ccc: Add actual_len to struct i3c_ccc_cmd_payload tze.yee.ng
2026-07-08 13:11   ` Frank Li
2026-07-08 14:52   ` Alexandre Mergnat
2026-07-08  7:17 ` [PATCH v6 2/5] i3c: master: Report actual GET CCC payload length on success tze.yee.ng
2026-07-08  9:44   ` sashiko-bot [this message]
2026-07-08 13:16   ` Frank Li
2026-07-08 14:52   ` Alexandre Mergnat
2026-07-08  7:17 ` [PATCH v6 3/5] i3c: master: dw: Map CCC hardware errors to I3C M0/M2 tze.yee.ng
2026-07-08 13:20   ` Frank Li
2026-07-08  7:17 ` [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once tze.yee.ng
2026-07-08 10:01   ` sashiko-bot
2026-07-08 14:53   ` Frank Li
2026-07-08 15:19   ` Alexandre Mergnat
2026-07-08  7:17 ` [PATCH v6 5/5] i3c: master: Add optional_bytes for variable-length GET CCC validation tze.yee.ng
2026-07-08 15:01   ` Frank Li
2026-07-09  2:56     ` NG, TZE YEE
2026-07-09  3:37       ` Frank Li
2026-07-09 11:32   ` Alexandre Mergnat

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260708094428.A712F1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=Frank.Li@kernel.org \
    --cc=alexandre.belloni@bootlin.com \
    --cc=imx@lists.linux.dev \
    --cc=linux-i3c@lists.infradead.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=tze.yee.ng@altera.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox