From: sashiko-bot@kernel.org
To: "Lakshay Piplani" <lakshay.piplani@nxp.com>
Cc: Frank.Li@kernel.org, conor+dt@kernel.org,
devicetree@vger.kernel.org, linux-i3c@lists.infradead.org,
robh@kernel.org
Subject: Re: [PATCH v11 1/9] i3c: master: rename i3c_master_reattach_i3c_dev() to *_locked
Date: Fri, 12 Jun 2026 11:41:48 +0000 [thread overview]
Message-ID: <20260612114149.2C2CD1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612111816.3688240-2-lakshay.piplani@nxp.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [High] The return value of `i3c_master_reattach_i3c_dev_locked()` is ignored in `i3c_master_add_i3c_dev_locked()`, leading to bus state corruption if reattachment fails.
- [High] Aggressive cleanup in `i3c_master_reattach_i3c_dev_locked()` sabotages the caller's hardware rollback path (`RSTDAA`) in `i3c_master_early_i3c_dev_add()`.
- [High] `i3c_device_uevent()` accesses `i3cdev->desc` without acquiring `bus->lock`, leading to a Use-After-Free if a hot-join device replacement occurs concurrently.
--
commit 8a7af37c292c3791d232cdb1c2f37ae5aba2ca10
Author: Lakshay Piplani <lakshay.piplani@nxp.com>
i3c: master: rename i3c_master_reattach_i3c_dev() to *_locked
Rename i3c_master_reattach_i3c_dev() to *_locked() to make the locking
requirement explicit and consistent with other I3C core helpers that
require the bus lock to be held by the caller.
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index 6b8df8089a357..c45b450af319d 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
[ ... ]
> @@ -1742,7 +1742,7 @@ static int i3c_master_early_i3c_dev_add(struct i3c_master_controller *master,
> goto err_detach_dev;
>
> i3cdev->info.dyn_addr = i3cdev->boardinfo->init_dyn_addr;
> - ret = i3c_master_reattach_i3c_dev(i3cdev, 0);
> + ret = i3c_master_reattach_i3c_dev_locked(i3cdev, 0);
[Severity: High]
This isn't a bug introduced by this patch, but doesn't the error path
here break if the reattach fails?
If master->ops->reattach_i3c_dev() fails,
i3c_master_reattach_i3c_dev_locked() immediately marks the
dev->info.dyn_addr slot as I3C_ADDR_SLOT_FREE via i3c_master_put_i3c_addrs().
This seems to sabotage the fallback path at err_rstdaa:
drivers/i3c/master.c:i3c_master_early_i3c_dev_add() {
...
err_rstdaa:
i3c_master_rstdaa_locked(master, i3cdev->boardinfo->init_dyn_addr);
...
}
Since the address slot is now marked free, i3c_master_rstdaa_locked()
will instantly abort with -EINVAL because the slot status is no longer
I3C_ADDR_SLOT_I3C_DEV. Will this leave the physical device retaining
the dynamic address while the master controller incorrectly considers it free?
> if (ret)
> goto err_rstdaa;
>
[ ... ]
> @@ -2358,7 +2358,7 @@ int i3c_master_add_i3c_dev_locked(struct i3c_master_controller *master,
> if (!ret) {
> old_dyn_addr = newdev->info.dyn_addr;
> newdev->info.dyn_addr = expected_dyn_addr;
> - i3c_master_reattach_i3c_dev(newdev, old_dyn_addr);
> + i3c_master_reattach_i3c_dev_locked(newdev, old_dyn_addr);
[Severity: High]
This is a pre-existing issue, but is it safe to ignore the return
value of i3c_master_reattach_i3c_dev_locked() here?
If the underlying master->ops->reattach_i3c_dev() fails, the reattach
function calls i3c_master_put_i3c_addrs(), marking the device's assigned
dynamic address slot as I3C_ADDR_SLOT_FREE in the bus bitmask.
Since this failure is completely ignored and the caller returns success,
the hardware remains configured to listen on the new dynamic address, but
the software allocator considers the slot free. Could a subsequent
hot-join or device addition be assigned this exact same dynamic address,
leading to unrecoverable bus collisions?
[Severity: High]
Additionally, this isn't a bug introduced by this patch, but does
i3c_master_add_i3c_dev_locked() race with userspace uevents during a
hot-join device replacement?
Later in this function, it identifies duplicate devices, migrates
the generic struct device from the old descriptor to the new one, and
eventually frees the old descriptor via i3c_master_free_i3c_dev(olddev).
This process is protected by the bus maintenance lock.
However, i3c_device_uevent() is triggered by sysfs and directly
dereferences i3cdev->desc without acquiring the bus lock or employing RCU:
drivers/i3c/master.c:i3c_device_uevent() {
...
if (i3cdev->desc)
devinfo = i3cdev->desc->info;
manuf = I3C_PID_MANUF_ID(devinfo.pid);
...
}
If a thread executing i3c_device_uevent() evaluates i3cdev->desc, gets
preempted while i3c_master_add_i3c_dev_locked() frees olddev, and then
resumes, will this trigger a use-after-free during the structure copy?
> } else {
> dev_err(&master->dev,
> "Failed to assign reserved/old address to device %d%llx",
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612111816.3688240-1-lakshay.piplani@nxp.com?part=1
next prev parent reply other threads:[~2026-06-12 11:41 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 11:18 [PATCH v11 0/9] Add support for NXP P3H2x4x I3C hub driver Lakshay Piplani
2026-06-12 11:18 ` [PATCH v11 1/9] i3c: master: rename i3c_master_reattach_i3c_dev() to *_locked Lakshay Piplani
2026-06-12 11:41 ` sashiko-bot [this message]
2026-06-12 11:18 ` [PATCH v11 2/9] i3c: master: Expose the APIs to support I3C hub Lakshay Piplani
2026-06-12 11:44 ` sashiko-bot
2026-06-12 11:18 ` [PATCH v11 3/9] i3c: master: Add APIs for I3C hub support Lakshay Piplani
2026-06-12 11:48 ` sashiko-bot
2026-06-12 11:18 ` [PATCH v11 4/9] dt-bindings: i3c: Add NXP P3H2x4x i3c-hub support Lakshay Piplani
2026-06-12 11:33 ` sashiko-bot
2026-06-12 11:18 ` [PATCH v11 5/9] mfd: p3h2x4x: Add driver for NXP P3H2x4x i3c hub and on-die regulator Lakshay Piplani
2026-06-12 11:41 ` sashiko-bot
2026-06-12 11:18 ` [PATCH v11 6/9] regulator: p3h2x4x: Add driver for on-die regulators in NXP P3H2x4x i3c hub Lakshay Piplani
2026-06-12 11:37 ` sashiko-bot
2026-06-12 11:18 ` [PATCH v11 7/9] i3c: hub: Add support for the I3C interface in the I3C hub Lakshay Piplani
2026-06-12 11:41 ` sashiko-bot
2026-06-12 12:09 ` Julian Braha
2026-06-12 11:18 ` [PATCH v11 8/9] i3c: hub: p3h2x4x: Add support for NXP P3H2x4x I3C hub functionality Lakshay Piplani
2026-06-12 11:39 ` sashiko-bot
2026-06-12 11:18 ` [PATCH v11 9/9] i3c: hub: p3h2x4x: Add SMBus slave mode support Lakshay Piplani
2026-06-12 11:41 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612114149.2C2CD1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=lakshay.piplani@nxp.com \
--cc=linux-i3c@lists.infradead.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox