From: sashiko-bot@kernel.org
To: tze.yee.ng@altera.com
Cc: "Alexandre Belloni" <alexandre.belloni@bootlin.com>,
linux-i3c@lists.infradead.org, Frank.Li@kernel.org,
imx@lists.linux.dev
Subject: Re: [PATCH v6 2/5] i3c: master: Report actual GET CCC payload length on success
Date: Wed, 08 Jul 2026 09:44:28 +0000 [thread overview]
Message-ID: <20260708094428.A712F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <6c66571ae7166aa4b87616d900e6d643631ac355.1783493868.git.tze.yee.ng@altera.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [High] This problem wasn't introduced by this patch, but the Renesas I3C driver suffers from a KASAN out-of-bounds write and data corruption due to unbounded FIFO reads and missing buffer pointer accumulation.
- [High] This problem wasn't introduced by this patch, but the Silvaco I3C master driver mixes 32-bit register accessors (`readl`) and 8-bit stream accessors (`readsb`) on the same `SVC_I3C_MRDATAB` FIFO, causing endianness portability bugs.
- [High] This problem wasn't introduced by this patch, but the missing hardware abort on transfer timeout in the Renesas I3C driver leads to NULL pointer dereferences or cross-transfer state corruption.
--
--- Patch [2]: [PATCH v6 2/5] i3c: master: Report actual GET CCC payload length on success ---
commit fb225c2de835cd1f0fc73a0e9829ada753363f62
Author: Adrian Ng Ho Yin <adrian.ho.yin.ng@altera.com>
i3c: master: Report actual GET CCC payload length on success
Set dests[].payload.actual_len on successful GET CCC transfers in I3C
master drivers so the core can distinguish requested and received
buffer lengths. Switch core GET helpers to use actual_len instead of
len when interpreting GET CCC results.
> diff --git a/drivers/i3c/master/renesas-i3c.c b/drivers/i3c/master/renesas-i3c.c
> index f39c449922ca2..25a2b2ed618ed 100644
> --- a/drivers/i3c/master/renesas-i3c.c
> +++ b/drivers/i3c/master/renesas-i3c.c
[ ... ]
> @@ -1072,10 +1074,16 @@ static irqreturn_t renesas_i3c_resp_isr(int irq, void *data)
[Severity: High]
This isn't a bug introduced by this patch, but what happens if a transfer
times out and we later receive a delayed hardware completion in this ISR?
If a timeout occurs, renesas_i3c_dequeue_xfer_locked() removes the transfer
from the software queue:
if (i3c->xferqueue.cur == xfer)
i3c->xferqueue.cur = NULL;
If this happens without issuing an abort command to the hardware, when the
hardware eventually completes the timed-out transfer, wouldn't
renesas_i3c_resp_isr() blindly dereference the now-NULL i3c->xferqueue.cur
pointer when pulling the command state?
xfer = i3c->xferqueue.cur;
cmd = xfer->cmds;
...
cmd->rx_count = data_len;
Could this lead to a kernel panic or cross-transfer state corruption?
> break;
> case I3C_INTERNAL_STATE_CONTROLLER_READ:
> case I3C_INTERNAL_STATE_CONTROLLER_COMMAND_READ:
> - if (NDBSTLV0_RDBLV(renesas_readl(i3c->regs, NDBSTLV0)) && !cmd->err)
> - bytes_remaining = data_len - cmd->rx_count;
> -
> - i3c_readl_fifo(i3c->regs + NTDTBP0, cmd->rx_buf, bytes_remaining);
> + if (!cmd->err) {
> + u32 rx_count = min(cmd->rx_count, data_len);
[Severity: High]
This isn't a bug introduced by this patch, but while clamping rx_count
here to prevent unsigned underflows, is it possible we still have a memory
corruption issue originating in renesas_i3c_rx_isr()?
Currently, renesas_i3c_rx_isr() calculates read_bytes rounded up to a
4-byte multiple and reads into cmd->rx_buf:
read_bytes = NDBSTLV0_RDBLV(renesas_readl(i3c->regs, NDBSTLV0)) * sizeof(u32);
i3c_readl_fifo(i3c->regs + NTDTBP0, cmd->rx_buf, read_bytes);
cmd->rx_count = read_bytes;
Could this write past the end of the allocated payload buffer for small
unaligned GET CCCs?
Additionally, for large transfers triggering multiple interrupts, it looks
like rx_count is overwritten instead of accumulated, and the rx_buf pointer
is not advanced. Could this cause subsequent chunks to overwrite the
beginning of the buffer?
> +
> + bytes_remaining = data_len - rx_count;
> + if (bytes_remaining)
> + i3c_readl_fifo(i3c->regs + NTDTBP0,
> + cmd->rx_buf + rx_count,
> + bytes_remaining);
> + cmd->rx_count = data_len;
> + }
> renesas_clear_bit(i3c->regs, NTIE, NTIE_RDBFIE0);
> break;
> default:
[ ... ]
> diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c
> index 486c22840ea9a..e700392f0801f 100644
> --- a/drivers/i3c/master/svc-i3c-master.c
> +++ b/drivers/i3c/master/svc-i3c-master.c
[ ... ]
> @@ -1725,8 +1725,8 @@ static int svc_i3c_master_send_direct_ccc_cmd(struct svc_i3c_master *master,
> svc_i3c_master_dequeue_xfer(master, xfer);
> mutex_unlock(&master->lock);
>
> - if (cmd->actual_len != xfer_len)
> - ccc->dests[0].payload.len = cmd->actual_len;
> + if (ccc->rnw)
> + ccc->dests[0].payload.actual_len = cmd->actual_len;
[Severity: High]
This isn't a bug introduced by this patch, but looking at the Silvaco driver
as a whole, is there an endianness portability issue with the FIFO reads?
In svc_i3c_master_read(), the 32-bit register accessor readl() is used
to read from the stream FIFO, which performs a CPU-to-LE byte-swap:
for (i = 0; i < count; i++)
in[offset + i] = readl(master->regs + SVC_I3C_MRDATAB);
However, svc_i3c_master_handle_ibi() accesses the exact same FIFO using
the 8-bit stream accessor readsb(), which does no byte-swapping:
readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
Could mixing these accessor families cause data corruption on big-endian
architectures due to inconsistent byte-swapping behavior?
>
> ret = xfer->ret;
> svc_i3c_master_free_xfer(xfer);
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1783493867.git.tze.yee.ng@altera.com?part=2
next prev parent reply other threads:[~2026-07-08 9:44 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 7:17 [PATCH v6 0/5] i3c: Improve CCC reliability with actual_len, validation, and Direct GET retry tze.yee.ng
2026-07-08 7:17 ` [PATCH v6 1/5] i3c: ccc: Add actual_len to struct i3c_ccc_cmd_payload tze.yee.ng
2026-07-08 13:11 ` Frank Li
2026-07-08 14:52 ` Alexandre Mergnat
2026-07-08 7:17 ` [PATCH v6 2/5] i3c: master: Report actual GET CCC payload length on success tze.yee.ng
2026-07-08 9:44 ` sashiko-bot [this message]
2026-07-08 13:16 ` Frank Li
2026-07-08 14:52 ` Alexandre Mergnat
2026-07-08 7:17 ` [PATCH v6 3/5] i3c: master: dw: Map CCC hardware errors to I3C M0/M2 tze.yee.ng
2026-07-08 13:20 ` Frank Li
2026-07-08 7:17 ` [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once tze.yee.ng
2026-07-08 10:01 ` sashiko-bot
2026-07-08 14:53 ` Frank Li
2026-07-08 15:19 ` Alexandre Mergnat
2026-07-08 7:17 ` [PATCH v6 5/5] i3c: master: Add optional_bytes for variable-length GET CCC validation tze.yee.ng
2026-07-08 15:01 ` Frank Li
2026-07-09 2:56 ` NG, TZE YEE
2026-07-09 3:37 ` Frank Li
2026-07-09 11:32 ` Alexandre Mergnat
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260708094428.A712F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=alexandre.belloni@bootlin.com \
--cc=imx@lists.linux.dev \
--cc=linux-i3c@lists.infradead.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=tze.yee.ng@altera.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox