From: "William A. Kennington III"
To: Jeremy Kerr, Matt Johnston, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Wolfram Sang
Cc: "William A. Kennington III", netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] mctp i2c: check packet length before marking flow active
Date: Wed, 22 Apr 2026 17:15:15 -0700
Message-ID: <20260423001517.79219-1-william@wkennington.com>

Currently, mctp_i2c_get_tx_flow_state() is called before the packet length sanity check. This function marks a new flow as active in the MCTP core. If the sanity check fails, mctp_i2c_xmit() returns early without calling mctp_i2c_lock_nest().

This results in a mismatched locking state: the flow is active, but the I2C bus lock was never acquired for it. When the flow is later released, mctp_i2c_release_flow() will see the active state and queue an unlock marker. The TX thread will then decrement midev->i2c_lock_count from 0, causing it to underflow to -1.

This underflow permanently breaks the driver's locking logic, allowing future transmissions to occur without holding the I2C bus lock, leading to bus collisions and potential hardware hangs.

Move the mctp_i2c_get_tx_flow_state() call to after the length sanity check to ensure we only transition the flow state if we are actually going to proceed with the transmission and locking.

Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver")
Signed-off-by: William A. Kennington III

--- drivers/net/mctp/mctp-i2c.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c index 15fe4d1163c1..ee2913758e54 100644 --- a/drivers/net/mctp/mctp-i2c.c +++ b/drivers/net/mctp/mctp-i2c.c
@@ -496,8 +496,6 @@ static void mctp_i2c_xmit(struct mctp_i2c_dev *midev, struct sk_buff *skb) u8 *pecp; int rc; - fs = mctp_i2c_get_tx_flow_state(midev, skb); - hdr = (void *)skb_mac_header(skb); /* Sanity check that packet contents matches skb length, * and can't exceed MCTP_I2C_BUFSZ @@ -509,6 +507,8 @@ static void mctp_i2c_xmit(struct mctp_i2c_dev *midev, struct sk_buff *skb) return; } + fs = mctp_i2c_get_tx_flow_state(midev, skb); + if (skb_tailroom(skb) >= 1) { /* Linear case with space, we can just append the PEC */ skb_put(skb, 1); -- 2.54.0.rc2.533.g4f5dca5207-goog
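
Review bot: In the first hunk (@@ -496,8), nothing left at the top of mctp_i2c_xmit() records why the flow-state lookup must not sit above the length check, so a later cleanup could move it back next to the other setup lines. The existing "Sanity check that packet contents matches skb length" comment is a natural place for one more sentence saying that the check has to run before mctp_i2c_get_tx_flow_state(), because that call marks the flow active and the early return never reaches mctp_i2c_lock_nest().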
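
Review bot: In the second hunk (@@ -509,6), the new call site is correct only if no other exit sits between it and mctp_i2c_lock_nest(), and the context shown stops at the linear skb_tailroom() branch. Please confirm in the commit message that the remaining path (including the non-linear PEC case not shown here) cannot return before the lock is taken, otherwise the same active-flow-without-lock mismatch remains. Since the commit message describes i2c_lock_count being decremented from 0 to -1, a guard in the unlock path that refuses to decrement at zero and warns once would also keep any future imbalance from silently disabling the bus locking.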