From: sashiko-bot@kernel.org
To: "Adrian Hunter" <adrian.hunter@intel.com>
Cc: linux-i3c@lists.infradead.org,
"Alexandre Belloni" <alexandre.belloni@bootlin.com>,
linux-pci@vger.kernel.org, Frank.Li@kernel.org
Subject: Re: [PATCH RFC RESEND 4/7] i3c: master: Reject IBI requests from non-IBI-capable devices
Date: Wed, 01 Jul 2026 20:29:04 +0000
Message-ID: <20260701202905.779531F000E9@smtp.kernel.org>
In-Reply-To: <20260701201533.220818-5-adrian.hunter@intel.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Lockless access to `dev->ibi` from interrupt context races with non-atomic pointer clearing, causing a potential Use-After-Free.
- [High] Recursive read lock acquisition of `bus->lock` leading to potential AB-BA deadlock with writers.
- [High] Memory and resource leak of the IBI workqueue on the error path of `i3c_dev_request_ibi_locked`.
--
commit f69cfae3be2eea35641a7d0435a4171201d362ea
Author: Adrian Hunter <adrian.hunter@intel.com>
i3c: master: Reject IBI requests from non-IBI-capable devices
i3c_device_request_ibi() does not verify that a device advertises IBI
support before attempting to set up IBI handling. Add a check for
I3C_BCR_IBI_REQ_CAP and fail with -EOPNOTSUPP when IBI support is not
reported by the device.
> diff --git a/drivers/i3c/device.c b/drivers/i3c/device.c
> index 101eaa77de686..307ca6dc04ca0 100644
> --- a/drivers/i3c/device.c
> +++ b/drivers/i3c/device.c
> @@ -205,12 +205,14 @@ int i3c_device_request_ibi(struct i3c_device *dev,
> return ret;
>
> i3c_bus_normaluse_lock(dev->bus);
[Severity: High]
This is a pre-existing issue, but can this cause a deadlock with writers
if a writer arrives between two down_read() calls?
In drivers/i3c/master.c:i3c_master_reg_work_fn(), the first read lock is
acquired before triggering synchronous device registration:
i3c_bus_normaluse_lock(&master->bus);
if (!master->shutting_down)
	i3c_master_register_new_i3c_devs(master);
This synchronous probe path then calls i3c_device_request_ibi(), which
recursively attempts to acquire the same lock. If a writer such as
i3c_bus_maintenance_lock() (which takes down_write) arrives between the
two down_read() calls, the second down_read() blocks to prevent writer
starvation, while the writer blocks waiting for the first reader.
> - if (dev->desc) {
> + if (!dev->desc) {
> + ret = -ENOENT;
> + } else if (!(dev->desc->info.bcr & I3C_BCR_IBI_REQ_CAP)) {
> + ret = -EOPNOTSUPP;
> + } else {
> mutex_lock(&dev->desc->ibi_lock);
> ret = i3c_dev_request_ibi_locked(dev->desc, req);
[Severity: High]
This is a pre-existing issue, but does this code leak the workqueue on
the error path?
Looking at drivers/i3c/master.c:i3c_dev_request_ibi_locked():
ibi->wq = alloc_ordered_workqueue(dev_name(i3cdev_to_dev(dev->dev)), WQ_MEM_RECLAIM);
...
ret = master->ops->request_ibi(dev, req);
if (ret) {
	kfree(ibi);
	dev->ibi = NULL;
}
If master->ops->request_ibi() fails, the ibi struct is freed but there
is no call to destroy_workqueue(ibi->wq), permanently leaking the memory
and associated kernel thread resources.
[Severity: High]
This is a pre-existing issue, but could this lead to a use-after-free
if an interrupt handler accesses dev->ibi concurrently?
In drivers/i3c/master.c:i3c_master_queue_ibi(), the hardware interrupt
handler reads dev->ibi locklessly to queue incoming IBIs:
if (!dev->ibi || !slot)
	return;
...
atomic_inc(&dev->ibi->pending_ibis);
queue_work(dev->ibi->wq, &slot->work);
However, in the error path of i3c_dev_request_ibi_locked() shown above,
and in i3c_dev_free_ibi_locked(), the memory is freed before the pointer
is cleared:
kfree(ibi);
dev->ibi = NULL;
Because there is no synchronization, a concurrent interrupt on another
CPU can read the pointer, get delayed, and then dereference it after it
has been freed.
> mutex_unlock(&dev->desc->ibi_lock);
> - } else {
> - ret = -ENOENT;
> }
> i3c_bus_normaluse_unlock(dev->bus);
>
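Review bot: the new -EOPNOTSUPP return value is added to a public API without a matching documentation update; nothing in this diff touches the kernel-doc of i3c_device_request_ibi(), so its Return description (not in this hunk) should list -EOPNOTSUPP for a device whose BCR lacks I3C_BCR_IBI_REQ_CAP, distinct from -ENOENT for a missing descriptor, so drivers can tell "device gone" from "device present but not IBI-capable". The commit message could also state that the `if (dev->desc)` test was inverted only to put the three outcomes in one if/else-if chain and that the -ENOENT behaviour is unchanged. Placing the BCR test inside the i3c_bus_normaluse_lock() section but outside `ibi_lock` is appropriate, since BCR is a static device attribute rather than IBI state.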
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701201533.220818-1-adrian.hunter@intel.com?part=4
Thread overview (17+ messages):
2026-07-01 20:15 [PATCH RFC RESEND 0/7] i3c: Support IBI-based system wakeup Adrian Hunter
2026-07-01 20:15 ` [PATCH RFC RESEND 1/7] i3c: master: Support IBI-based wakeup capability Adrian Hunter
2026-07-01 20:30 ` sashiko-bot
2026-07-02 14:10 ` Frank Li
2026-07-01 20:15 ` [PATCH RFC RESEND 2/7] i3c: master: Report wakeup events for IBIs Adrian Hunter
2026-07-01 20:33 ` sashiko-bot
2026-07-02 10:38 ` Adrian Hunter
2026-07-01 20:15 ` [PATCH RFC RESEND 3/7] i3c: master: Add helper to query bus wakeup requirements Adrian Hunter
2026-07-01 20:33 ` sashiko-bot
2026-07-01 20:15 ` [PATCH RFC RESEND 4/7] i3c: master: Reject IBI requests from non-IBI-capable devices Adrian Hunter
2026-07-01 20:29 ` sashiko-bot [this message]
2026-07-01 20:15 ` [PATCH RFC RESEND 5/7] i3c: mipi-i3c-hci-pci: Propagate I3C wakeup requirements to PCI Adrian Hunter
2026-07-01 20:33 ` sashiko-bot
2026-07-01 20:15 ` [PATCH RFC RESEND 6/7] i3c: mipi-i3c-hci: Factor out i3c_hci_sysdev() Adrian Hunter
2026-07-01 20:23 ` sashiko-bot
2026-07-01 20:15 ` [PATCH RFC RESEND 7/7] i3c: mipi-i3c-hci: Advertise IBI wakeup capability Adrian Hunter
2026-07-01 20:22 ` sashiko-bot