From: sashiko-bot@kernel.org
To: tze.yee.ng@altera.com
Cc: imx@lists.linux.dev,
"Alexandre Belloni" <alexandre.belloni@bootlin.com>,
Frank.Li@kernel.org, linux-i3c@lists.infradead.org
Subject: Re: [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once
Date: Wed, 08 Jul 2026 10:01:41 +0000 [thread overview]
Message-ID: <20260708100141.EAE5D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <b467f01edfaaa0710f30e719ce7f2753b06c1a3f.1783493868.git.tze.yee.ng@altera.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Medium] Indiscriminate retries of internal kernel software errors during I3C CCC GET commands.
Pre-existing issues:
- [High] renesas_i3c_rx_isr overwrites rather than appends to cmd->rx_buf, corrupting long read transfers and causing FIFO underflows.
--
--- Patch [4]: [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once ---
commit 0493e80008c19d117849be20fe713d3e08ab598e
Author: Adrian Ng Ho Yin <adrian.ho.yin.ng@altera.com>
i3c: master: Validate GET CCC payload length and retry Direct GET once
This commit adds retry logic for Direct GET CCC commands and validates
the payload length of GET CCCs after a successful transfer. Failed Direct
GET CCCs are retried up to cmd->retries times when the driver reports
failure or an I3C error.
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index 3666d011f10ea..965d74e6bf166 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
[ ... ]
> @@ -1005,7 +1037,25 @@ static int i3c_master_send_ccc_cmd_locked(struct i3c_master_controller *master,
> !master->ops->supports_ccc_cmd(master, cmd))
> return -EOPNOTSUPP;
>
> - return master->ops->send_ccc_cmd(master, cmd);
> + max_attempts = cmd->retries + 1;
> + ret = -EIO;
> + for (attempt = 0; attempt < max_attempts; attempt++) {
> + unsigned int i;
> +
> + if (cmd->rnw)
> + for (i = 0; i < cmd->ndests; i++)
> + cmd->dests[i].payload.actual_len = 0;
> +
> + cmd->err = I3C_ERROR_UNKNOWN;
> + ret = master->ops->send_ccc_cmd(master, cmd);
> + if (!ret && cmd->err == I3C_ERROR_UNKNOWN)
> + break;
[Severity: Medium]
Does this loop also retry internal kernel software errors?
If a host software error occurs (for example, -ENOMEM during DMA descriptor
allocation, or -EOPNOTSUPP), master->ops->send_ccc_cmd() will return the
error code. This bypasses the !ret break condition, causing the loop to
retry indiscriminately.
Should the loop explicitly distinguish between bus-level I3C errors that
need retries and local software errors that should immediately abort?
> + }
> +
> + if (!ret)
> + ret = i3c_ccc_validate_payload_len(cmd);
> +
> + return ret;
> }
[ ... ]
While reviewing the retries for GET CCC commands, I noticed a separate issue
in the Renesas I3C driver's receive interrupt handler:
drivers/i3c/master/renesas-i3c.c:renesas_i3c_rx_isr() {
...
} else {
read_bytes = NDBSTLV0_RDBLV(renesas_readl(i3c->regs, NDBSTLV0)) * sizeof(u32);
i3c_readl_fifo(i3c->regs + NTDTBP0, cmd->rx_buf, read_bytes);
cmd->rx_count = read_bytes;
}
...
}
[Severity: High]
This isn't a bug introduced by this patch, but does this overwrite the
receive buffer rather than appending to it?
When an I3C read transfer exceeds the FIFO threshold, renesas_i3c_rx_isr()
fires multiple times. Instead of appending received bytes to
cmd->rx_buf + cmd->rx_count and accumulating cmd->rx_count += read_bytes, it
writes to the base address of cmd->rx_buf and resets cmd->rx_count.
Later, renesas_i3c_resp_isr() calculates bytes_remaining = data_len -
cmd->rx_count. Because rx_count only reflects the size of the last chunk,
bytes_remaining exceeds the actual data left in the FIFO, which could cause
an underflow and read garbage data.
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1783493867.git.tze.yee.ng@altera.com?part=4
next prev parent reply other threads:[~2026-07-08 10:01 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 7:17 [PATCH v6 0/5] i3c: Improve CCC reliability with actual_len, validation, and Direct GET retry tze.yee.ng
2026-07-08 7:17 ` [PATCH v6 1/5] i3c: ccc: Add actual_len to struct i3c_ccc_cmd_payload tze.yee.ng
2026-07-08 13:11 ` Frank Li
2026-07-08 14:52 ` Alexandre Mergnat
2026-07-08 7:17 ` [PATCH v6 2/5] i3c: master: Report actual GET CCC payload length on success tze.yee.ng
2026-07-08 9:44 ` sashiko-bot
2026-07-08 13:16 ` Frank Li
2026-07-08 14:52 ` Alexandre Mergnat
2026-07-08 7:17 ` [PATCH v6 3/5] i3c: master: dw: Map CCC hardware errors to I3C M0/M2 tze.yee.ng
2026-07-08 13:20 ` Frank Li
2026-07-08 7:17 ` [PATCH v6 4/5] i3c: master: Validate GET CCC payload length and retry Direct GET once tze.yee.ng
2026-07-08 10:01 ` sashiko-bot [this message]
2026-07-08 14:53 ` Frank Li
2026-07-08 15:19 ` Alexandre Mergnat
2026-07-08 7:17 ` [PATCH v6 5/5] i3c: master: Add optional_bytes for variable-length GET CCC validation tze.yee.ng
2026-07-08 15:01 ` Frank Li
2026-07-09 2:56 ` NG, TZE YEE
2026-07-09 3:37 ` Frank Li
2026-07-09 11:32 ` Alexandre Mergnat
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260708100141.EAE5D1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=alexandre.belloni@bootlin.com \
--cc=imx@lists.linux.dev \
--cc=linux-i3c@lists.infradead.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=tze.yee.ng@altera.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox