[PATCH RFC RESEND 4/7] i3c: master: Reject IBI requests from non-IBI-capable devices
sashiko-bot at kernel.org
Wed Jul 1 13:29:04 PDT 2026
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Lockless access to `dev->ibi` from interrupt context races with non-atomic pointer clearing, causing a potential Use-After-Free.
- [High] Recursive read lock acquisition of `bus->lock` leading to potential AB-BA deadlock with writers.
- [High] Memory and resource leak of the IBI workqueue on the error path of `i3c_dev_request_ibi_locked`.
--
commit f69cfae3be2eea35641a7d0435a4171201d362ea
Author: Adrian Hunter <adrian.hunter at intel.com>
i3c: master: Reject IBI requests from non-IBI-capable devices
i3c_device_request_ibi() does not verify that a device advertises IBI
support before attempting to set up IBI handling. Add a check for
I3C_BCR_IBI_REQ_CAP and fail with -EOPNOTSUPP when IBI support is not
reported by the device.
> diff --git a/drivers/i3c/device.c b/drivers/i3c/device.c
> index 101eaa77de686..307ca6dc04ca0 100644
> --- a/drivers/i3c/device.c
> +++ b/drivers/i3c/device.c
> @@ -205,12 +205,14 @@ int i3c_device_request_ibi(struct i3c_device *dev,
> return ret;
>
> i3c_bus_normaluse_lock(dev->bus);
[Severity: High]
This is a pre-existing issue, but can this cause a deadlock with writers
if a writer arrives between two down_read() calls?
In drivers/i3c/master.c:i3c_master_reg_work_fn(), the first read lock is
acquired before triggering synchronous device registration:
    i3c_bus_normaluse_lock(&master->bus);
    if (!master->shutting_down)
        i3c_master_register_new_i3c_devs(master);
This synchronous probe path then calls i3c_device_request_ibi(), which
recursively attempts to acquire the same lock. If a writer such as
i3c_bus_maintenance_lock() (which takes down_write) arrives between the
two down_read() calls, the second down_read() blocks to prevent writer
starvation, while the writer blocks waiting for the first reader.
> - if (dev->desc) {
> + if (!dev->desc) {
> + ret = -ENOENT;
> + } else if (!(dev->desc->info.bcr & I3C_BCR_IBI_REQ_CAP)) {
> + ret = -EOPNOTSUPP;
> + } else {
> mutex_lock(&dev->desc->ibi_lock);
> ret = i3c_dev_request_ibi_locked(dev->desc, req);
[Severity: High]
This is a pre-existing issue, but does this code leak the workqueue on
the error path?
Looking at drivers/i3c/master.c:i3c_dev_request_ibi_locked():
    ibi->wq = alloc_ordered_workqueue(dev_name(i3cdev_to_dev(dev->dev)), WQ_MEM_RECLAIM);
    ...
    ret = master->ops->request_ibi(dev, req);
    if (ret) {
        kfree(ibi);
        dev->ibi = NULL;
    }
If master->ops->request_ibi() fails, the ibi struct is freed but there
is no call to destroy_workqueue(ibi->wq), permanently leaking the memory
and associated kernel thread resources.
[Severity: High]
This is a pre-existing issue, but could this lead to a use-after-free
if an interrupt handler accesses dev->ibi concurrently?
In drivers/i3c/master.c:i3c_master_queue_ibi(), the hardware interrupt
handler reads dev->ibi locklessly to queue incoming IBIs:
    if (!dev->ibi || !slot)
        return;
    ...
    atomic_inc(&dev->ibi->pending_ibis);
    queue_work(dev->ibi->wq, &slot->work);
However, in the error path of i3c_dev_request_ibi_locked() shown above,
and in i3c_dev_free_ibi_locked(), the memory is freed before the pointer
is cleared:
    kfree(ibi);
    dev->ibi = NULL;
Because there is no synchronization, a concurrent interrupt on another
CPU can read the pointer, get delayed, and then dereference it after it
has been freed.
> mutex_unlock(&dev->desc->ibi_lock);
> - } else {
> - ret = -ENOENT;
> }
> i3c_bus_normaluse_unlock(dev->bus);
>
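Review bot: The I3C_BCR_IBI_REQ_CAP test is placed in i3c_device_request_ibi() rather than in i3c_dev_request_ibi_locked(), so any other caller of the locked helper would still set up IBI handling for a device that does not advertise the capability; consider moving the `if (!(dev->desc->info.bcr & I3C_BCR_IBI_REQ_CAP)) return -EOPNOTSUPP;` test into i3c_dev_request_ibi_locked() so every request path is covered, or state in the commit message why this caller is the only one that needs it. The restructured if/else-if chain itself reads correctly: a missing desc keeps its -ENOENT result, and the BCR bit is read under the bus normal-use lock before ibi_lock is taken, so no new locking is needed for the check.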
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701201533.220818-1-adrian.hunter@intel.com?part=4
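The recursive read-lock hazard described in the first note can be reproduced in user space. The C program below is an added example, not part of this review or of the i3c driver, and uses a glibc pthread rwlock as a stand-in for the kernel rwsem: the writer-preferring, non-recursive kind (PTHREAD_RWLOCK_PREFER_WRITER_NONRECURSIVE_NP) models a writer-fair lock on which a nested read lock taken after a writer has queued must wait for that writer, while the writer waits for the outer read lock held by the same thread. A timed read lock is used so the program reports ETIMEDOUT instead of hanging. The scenario struct, writer_fn, nested_read_with_queued_writer and the delays are the example's own names and assumptions.

```c
/* Added example: user-space model of the recursive down_read() deadlock
 * described in the review.  Not part of the i3c driver. */
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

struct scenario {
	pthread_rwlock_t lock;     /* stands in for bus->lock (an rwsem) */
	atomic_int writer_started; /* set just before the writer calls wrlock() */
};

/* Models a writer such as i3c_bus_maintenance_lock() arriving while a
 * reader holds the lock. */
static void *writer_fn(void *arg)
{
	struct scenario *s = arg;

	atomic_store(&s->writer_started, 1);
	pthread_rwlock_wrlock(&s->lock);   /* queues behind the outer read lock */
	pthread_rwlock_unlock(&s->lock);
	return NULL;
}

static void sleep_ms(long ms)
{
	struct timespec ts = { .tv_sec = ms / 1000, .tv_nsec = (ms % 1000) * 1000000L };

	nanosleep(&ts, NULL);
}

/*
 * Hold the lock for reading (first down_read()), let a writer queue, then
 * take the lock for reading again from the same thread (second down_read()).
 * kind selects the rwlock policy.  Returns 0 if the nested read lock was
 * granted and ETIMEDOUT if it could not be granted within one second, which
 * is the deadlock the review warns about.
 */
int nested_read_with_queued_writer(int kind)
{
	struct scenario s;
	pthread_rwlockattr_t attr;
	pthread_t writer;
	struct timespec deadline;
	int ret;

	pthread_rwlockattr_init(&attr);
	pthread_rwlockattr_setkind_np(&attr, kind);
	pthread_rwlock_init(&s.lock, &attr);
	pthread_rwlockattr_destroy(&attr);
	atomic_init(&s.writer_started, 0);

	pthread_rwlock_rdlock(&s.lock);                 /* outer down_read() */
	pthread_create(&writer, NULL, writer_fn, &s);
	while (!atomic_load(&s.writer_started))
		sched_yield();
	sleep_ms(200);                                  /* writer is now blocked in wrlock() */

	clock_gettime(CLOCK_REALTIME, &deadline);
	deadline.tv_sec += 1;
	ret = pthread_rwlock_timedrdlock(&s.lock, &deadline);   /* nested down_read() */
	if (ret == 0)
		pthread_rwlock_unlock(&s.lock);

	pthread_rwlock_unlock(&s.lock);                 /* drop the outer read lock; writer proceeds */
	pthread_join(writer, NULL);
	pthread_rwlock_destroy(&s.lock);
	return ret;
}

int main(void)
{
	printf("reader-preferring rwlock: nested rdlock -> %d\n",
	       nested_read_with_queued_writer(PTHREAD_RWLOCK_PREFER_READER_NP));
	printf("writer-preferring, non-recursive rwlock: nested rdlock -> %d (ETIMEDOUT is %d)\n",
	       nested_read_with_queued_writer(PTHREAD_RWLOCK_PREFER_WRITER_NONRECURSIVE_NP),
	       ETIMEDOUT);
	return 0;
}
```

With the reader-preferring policy the nested read lock is simply granted, which is what makes the bug easy to miss in testing; with the writer-preferring policy the second acquire waits for the queued writer and times out. The kernel rwsem behaves like the second kind once a writer is queued, which is why two nested i3c_bus_normaluse_lock() calls on the same thread are unsafe whenever a maintenance writer can arrive in between.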
More information about the linux-i3c mailing list