* [PATCH] i3c: master: svc: bound IBI payload to the requested max_payload_len
From: Maoyi Xie @ 2026-06-23 15:51 UTC
To: Miquel Raynal, Frank Li
Cc: Alexandre Belloni, Kaixuan Li, linux-i3c, linux-kernel, stable

svc_i3c_master_handle_ibi() reads the IBI payload from the RX FIFO into
the IBI slot. The loop is bounded by the hardware FIFO size
(SVC_I3C_FIFO_SIZE), not by the slot size.

slot->data points into the IBI pool, which i3c_generic_ibi_alloc_pool()
sizes at max_payload_len per slot. svc_i3c_master_request_ibi() only
rejects a max_payload_len larger than SVC_I3C_FIFO_SIZE, so a driver can
request a smaller one. mctp-i3c requests 1. Each readsb() then copies the
controller RXCOUNT bytes (up to 31) with no check against the slot size.
A device that sends more bytes than the slot holds writes past
slot->data, an out-of-bounds write into the IBI pool.

Bound the loop by dev->ibi->max_payload_len and clamp each read to the
space left in the slot, the same way dw-i3c does.

Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver")
Cc: stable@vger.kernel.org
Co-developed-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
Signed-off-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
drivers/i3c/master/svc-i3c-master.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c
index e2d99a3ac07d..7420bfbdd259 100644
--- a/drivers/i3c/master/svc-i3c-master.c
+++ b/drivers/i3c/master/svc-i3c-master.c
@@ -465,9 +465,11 @@ static int svc_i3c_master_handle_ibi(struct svc_i3c_master *master,
buf = slot->data;
while (SVC_I3C_MSTATUS_RXPEND(readl(master->regs + SVC_I3C_MSTATUS)) &&
- slot->len < SVC_I3C_FIFO_SIZE) {
+ slot->len < dev->ibi->max_payload_len) {
mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
+ count = min_t(unsigned int, count,
+ dev->ibi->max_payload_len - slot->len);
readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
slot->len += count;
buf += count;
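
Review bot: when the loop exits because slot->len has reached dev->ibi->max_payload_len, RXPEND can still be set and the remainder of an oversized payload stays in the RX FIFO; nothing in the visible lines drains or flushes it, so those bytes could be consumed by whatever reads the FIFO next. Please confirm that the code after this loop flushes the FIFO, or add a flush on that exit path. A rate-limited warning when the clamp actually shortens `count` would also make a device that sends more than the requested max_payload_len visible in the log instead of being silently truncated.
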
* Re: [PATCH] i3c: master: svc: bound IBI payload to the requested max_payload_len
From: Frank Li @ 2026-06-23 16:53 UTC
To: Maoyi Xie
Cc: Miquel Raynal, Frank Li, Alexandre Belloni, Kaixuan Li, linux-i3c,
linux-kernel, stable
On Tue, Jun 23, 2026 at 11:51:40PM +0800, Maoyi Xie wrote:
> svc_i3c_master_handle_ibi() reads the IBI payload from the RX FIFO into
> the IBI slot. The loop is bounded by the hardware FIFO size
> (SVC_I3C_FIFO_SIZE), not by the slot size.
>
> slot->data points into the IBI pool, which i3c_generic_ibi_alloc_pool()
> sizes at max_payload_len per slot. svc_i3c_master_request_ibi() only
> rejects a max_payload_len larger than SVC_I3C_FIFO_SIZE, so a driver can
> request a smaller one. mctp-i3c requests 1. Each readsb() then copies the
> controller RXCOUNT bytes (up to 31) with no check against the slot size.
> A device that sends more bytes than the slot holds writes past
> slot->data, an out-of-bounds write into the IBI pool.
>
> Bound the loop by dev->ibi->max_payload_len and clamp each read to the
> space left in the slot, the same way dw-i3c does.
>
> Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver")
> Cc: stable@vger.kernel.org
> Co-developed-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
> Signed-off-by: Kaixuan Li <kaixuan.li@ntu.edu.sg>
> Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
> ---
> drivers/i3c/master/svc-i3c-master.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c
> index e2d99a3ac07d..7420bfbdd259 100644
> --- a/drivers/i3c/master/svc-i3c-master.c
> +++ b/drivers/i3c/master/svc-i3c-master.c
> @@ -465,9 +465,11 @@ static int svc_i3c_master_handle_ibi(struct svc_i3c_master *master,
> buf = slot->data;
>
> while (SVC_I3C_MSTATUS_RXPEND(readl(master->regs + SVC_I3C_MSTATUS)) &&
> - slot->len < SVC_I3C_FIFO_SIZE) {
> + slot->len < dev->ibi->max_payload_len) {
> mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
> count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
> + count = min_t(unsigned int, count,
> + dev->ibi->max_payload_len - slot->len);
now needn't min_t, only min() should be good
see:
https://lore.kernel.org/all/20251119224140.8616-1-david.laight.linux@gmail.com/
Frank
> readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
> slot->len += count;
> buf += count;
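
Review bot: the subtraction `dev->ibi->max_payload_len - slot->len` on the added clamp line cannot wrap only because the while condition just above already guarantees slot->len < dev->ibi->max_payload_len; that dependency deserves a one-line comment, since a later change to the loop condition would turn the clamp into a very large unsigned value and reopen the overflow. On the min_t() question, the cast to unsigned int is applied to both operands, and the declarations of `count` and `max_payload_len` are not visible in this hunk; if both are already unsigned, plain min() keeps the compiler's type check instead of hiding a signed or wider operand behind the cast.
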
* Re: [PATCH] i3c: master: svc: bound IBI payload to the requested max_payload_len
From: Miquel Raynal @ 2026-06-24 7:06 UTC
To: Frank Li
Cc: Maoyi Xie, Frank Li, Alexandre Belloni, Kaixuan Li, linux-i3c,
linux-kernel, stable
>> diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c
>> index e2d99a3ac07d..7420bfbdd259 100644
>> --- a/drivers/i3c/master/svc-i3c-master.c
>> +++ b/drivers/i3c/master/svc-i3c-master.c
>> @@ -465,9 +465,11 @@ static int svc_i3c_master_handle_ibi(struct svc_i3c_master *master,
>> buf = slot->data;
>>
>> while (SVC_I3C_MSTATUS_RXPEND(readl(master->regs + SVC_I3C_MSTATUS)) &&
>> - slot->len < SVC_I3C_FIFO_SIZE) {
>> + slot->len < dev->ibi->max_payload_len) {
>> mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
>> count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
>> + count = min_t(unsigned int, count,
>> + dev->ibi->max_payload_len - slot->len);
>
> now needn't min_t, only min() should be good
> see:
> https://lore.kernel.org/all/20251119224140.8616-1-david.laight.linux@gmail.com/
TIL, thanks for the pointer Frank!
Miquèl