Linux kernel and device drivers for NXP i.MX platforms
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: tze.yee.ng@altera.com
Cc: imx@lists.linux.dev,
	"Alexandre Belloni" <alexandre.belloni@bootlin.com>,
	Frank.Li@kernel.org, linux-i3c@lists.infradead.org
Subject: Re: [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once
Date: Wed, 08 Jul 2026 10:01:41 +0000	[thread overview]
Message-ID: <20260708100141.EAE5D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <b467f01edfaaa0710f30e719ce7f2753b06c1a3f.1783493868.git.tze.yee.ng@altera.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [Medium] Indiscriminate retries of internal kernel software errors during I3C CCC GET commands.

Pre-existing issues:
- [High] renesas_i3c_rx_isr overwrites rather than appends to cmd->rx_buf, corrupting long read transfers and causing FIFO underflows.
--

--- Patch [4]: [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once ---
commit 0493e80008c19d117849be20fe713d3e08ab598e
Author: Adrian Ng Ho Yin <adrian.ho.yin.ng@altera.com>

i3c: master: Validate GET CCC payload length and retry Direct GET once

This commit adds retry logic for Direct GET CCC commands and validates
the payload length of GET CCCs after a successful transfer. Failed Direct
GET CCCs are retried up to cmd->retries times when the driver reports
failure or an I3C error.

> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index 3666d011f10ea..965d74e6bf166 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c

[ ... ]

> @@ -1005,7 +1037,25 @@ static int i3c_master_send_ccc_cmd_locked(struct i3c_master_controller *master,
>  	    !master->ops->supports_ccc_cmd(master, cmd))
>  		return -EOPNOTSUPP;
>  
> -	return master->ops->send_ccc_cmd(master, cmd);
> +	max_attempts = cmd->retries + 1;
> +	ret = -EIO;
> +	for (attempt = 0; attempt < max_attempts; attempt++) {
> +		unsigned int i;
> +
> +		if (cmd->rnw)
> +			for (i = 0; i < cmd->ndests; i++)
> +				cmd->dests[i].payload.actual_len = 0;
> +
> +		cmd->err = I3C_ERROR_UNKNOWN;
> +		ret = master->ops->send_ccc_cmd(master, cmd);
> +		if (!ret && cmd->err == I3C_ERROR_UNKNOWN)
> +			break;

[Severity: Medium]
Does this loop also retry internal kernel software errors?

If a host software error occurs (for example, -ENOMEM during DMA descriptor
allocation, or -EOPNOTSUPP), master->ops->send_ccc_cmd() will return the
error code. This bypasses the !ret break condition, causing the loop to
retry indiscriminately.

Should the loop explicitly distinguish between bus-level I3C errors that
need retries and local software errors that should immediately abort?

> +	}
> +
> +	if (!ret)
> +		ret = i3c_ccc_validate_payload_len(cmd);
> +
> +	return ret;
>  }

[ ... ]

While reviewing the retries for GET CCC commands, I noticed a separate issue
in the Renesas I3C driver's receive interrupt handler:

drivers/i3c/master/renesas-i3c.c:renesas_i3c_rx_isr() {
    ...
    } else {
        read_bytes = NDBSTLV0_RDBLV(renesas_readl(i3c->regs, NDBSTLV0)) * sizeof(u32);
        i3c_readl_fifo(i3c->regs + NTDTBP0, cmd->rx_buf, read_bytes);
        cmd->rx_count = read_bytes;
    }
    ...
}

[Severity: High]
This isn't a bug introduced by this patch, but does this overwrite the
receive buffer rather than appending to it?

When an I3C read transfer exceeds the FIFO threshold, renesas_i3c_rx_isr()
fires multiple times. Instead of appending received bytes to
cmd->rx_buf + cmd->rx_count and accumulating cmd->rx_count += read_bytes, it
writes to the base address of cmd->rx_buf and resets cmd->rx_count.

Later, renesas_i3c_resp_isr() calculates bytes_remaining = data_len -
cmd->rx_count. Because rx_count only reflects the size of the last chunk,
bytes_remaining exceeds the actual data left in the FIFO, which could cause
an underflow and read garbage data.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1783493867.git.tze.yee.ng@altera.com?part=4

  reply	other threads:[~2026-07-08 10:01 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-08  7:17 [PATCH v6 0/5] i3c: Improve CCC reliability with actual_len, validation, and Direct GET retry tze.yee.ng
2026-07-08  7:17 ` [PATCH v6 1/5] i3c: ccc: Add actual_len to struct i3c_ccc_cmd_payload tze.yee.ng
2026-07-08 13:11   ` Frank Li
2026-07-08 14:52   ` Alexandre Mergnat
2026-07-08  7:17 ` [PATCH v6 2/5] i3c: master: Report actual GET CCC payload length on success tze.yee.ng
2026-07-08  9:44   ` sashiko-bot
2026-07-08 13:16   ` Frank Li
2026-07-08 14:52   ` Alexandre Mergnat
2026-07-08  7:17 ` [PATCH v6 3/5] i3c: master: dw: Map CCC hardware errors to I3C M0/M2 tze.yee.ng
2026-07-08 13:20   ` Frank Li
2026-07-08  7:17 ` [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once tze.yee.ng
2026-07-08 10:01   ` sashiko-bot [this message]
2026-07-08 14:53   ` Frank Li
2026-07-08 15:19   ` Alexandre Mergnat
2026-07-08  7:17 ` [PATCH v6 5/5] i3c: master: Add optional_bytes for variable-length GET CCC validation tze.yee.ng
2026-07-08 15:01   ` Frank Li
2026-07-09  2:56     ` NG, TZE YEE
2026-07-09  3:37       ` Frank Li
2026-07-09 11:32   ` Alexandre Mergnat

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260708100141.EAE5D1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=Frank.Li@kernel.org \
    --cc=alexandre.belloni@bootlin.com \
    --cc=imx@lists.linux.dev \
    --cc=linux-i3c@lists.infradead.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=tze.yee.ng@altera.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox