Re: i3c: master: svc: IBI payload not bounded by max_payload_len

From: Miquel Raynal

Date: Tue Jun 23 2026 - 10:37:01 EST


Hi,

On 23/06/2026 at 16:17:38 +08, Maoyi Xie <maoyixie.tju@xxxxxxxxx> wrote:

> Hi all,
>
> I think svc_i3c_master_handle_ibi() in drivers/i3c/master/svc-i3c-master.c
> can write past the IBI slot buffer when a device sends a large IBI payload.
> I would appreciate it if you could let me know whether you agree.
>
> The read loop bounds the slot only by the hardware FIFO size, not by the
> requested max_payload_len.
>
> slot->len = 0;
> buf = slot->data;
> while (SVC_I3C_MSTATUS_RXPEND(...) && slot->len < SVC_I3C_FIFO_SIZE) {
>         mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
>         count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
>         readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
>         slot->len += count;
>         buf += count;
> }
>
> slot->data points into the IBI pool. i3c_generic_ibi_alloc_pool() sizes each
> slot at max_payload_len. svc_i3c_master_request_ibi() only rejects a
> max_payload_len above SVC_I3C_FIFO_SIZE (16). So a driver can ask for a small
> window, and mctp-i3c asks for 1. count comes from the controller RXCOUNT
> field and can be up to 31. The loop stops at SVC_I3C_FIFO_SIZE, not at the
> window. A device that sends more bytes than the window overruns slot->data
> into the pool.

It is indeed possible. Please send a patch!

Thanks,
Miquèl
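The overrun described in the report, reproduced as an added stand-alone C simulation (this is not the driver's code and not the patch the thread asks for). The constants come from the report: a 16-byte FIFO, a 1-byte window as mctp-i3c requests it, and a 5-bit RXCOUNT of at most 31. `fake_fifo`, `ibi_pool`, `run_case` and the byte values are constructed for the simulation; the "window-bound" handler is one illustrative way to respect the slot size (clamp each read to the remaining room, then discard the rest of the pending payload), offered as an assumption about the shape of a fix, not as the fix itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_SIZE   16   /* SVC_I3C_FIFO_SIZE, per the report */
#define SLOT_WINDOW 1    /* max_payload_len as mctp-i3c requests it, per the report */
#define RXCOUNT_MAX 31   /* widest value the RXCOUNT field can carry, per the report */
#define POOL_BYTES  64   /* constructed: slack so the simulation itself never leaves the array */

/* Constructed stand-in for the controller RX FIFO: a byte stream plus a read cursor. */
struct fake_fifo { const uint8_t *data; size_t len; size_t pos; };

static bool rx_pending(const struct fake_fifo *f) { return f->pos < f->len; }

static size_t rx_count(const struct fake_fifo *f)
{
	size_t avail = f->len - f->pos;
	return avail > RXCOUNT_MAX ? RXCOUNT_MAX : avail;
}

static void readsb_sim(struct fake_fifo *f, uint8_t *buf, size_t count)
{
	memcpy(buf, f->data + f->pos, count);
	f->pos += count;
}

static void drain_sim(struct fake_fifo *f, size_t count) { f->pos += count; }

/* Slots of max_payload_len bytes laid out back to back, as the report describes
 * the pool: writing past slot 0 lands in the slots that follow it. */
struct ibi_pool { uint8_t data[POOL_BYTES]; };
struct ibi_slot { uint8_t *data; size_t len; size_t cap; bool truncated; };

/* The loop as quoted in the report: bounded by the FIFO size only. */
static void handle_ibi_fifo_bound(struct fake_fifo *f, struct ibi_slot *slot)
{
	uint8_t *buf = slot->data;
	slot->len = 0;
	while (rx_pending(f) && slot->len < FIFO_SIZE) {
		size_t count = rx_count(f);
		readsb_sim(f, buf, count);   /* nothing relates count to slot->cap */
		slot->len += count;
		buf += count;
	}
}

/* Window-bound variant (assumption, not the driver's patch): never read more than
 * the slot can hold, then drop whatever the device sent beyond the window. */
static void handle_ibi_window_bound(struct fake_fifo *f, struct ibi_slot *slot)
{
	uint8_t *buf = slot->data;
	slot->len = 0;
	slot->truncated = false;
	while (rx_pending(f) && slot->len < slot->cap) {
		size_t count = rx_count(f);
		size_t room = slot->cap - slot->len;
		if (count > room)
			count = room;
		readsb_sim(f, buf, count);
		slot->len += count;
		buf += count;
	}
	while (rx_pending(f)) {      /* payload exceeded the window: discard it */
		drain_sim(f, rx_count(f));
		slot->truncated = true;
	}
}

/* Push a constructed payload of payload_len bytes through one handler and return how
 * many bytes landed outside slot 0 (0 means the slot boundary was respected). */
static size_t run_case(bool hardened, size_t payload_len, size_t *stored_len)
{
	uint8_t payload[32];   /* constructed, non-zero bytes so spill is visible */
	for (size_t i = 0; i < sizeof(payload); i++)
		payload[i] = (uint8_t)(0xA0 + i);
	if (payload_len > sizeof(payload))
		payload_len = sizeof(payload);
	struct fake_fifo f = { payload, payload_len, 0 };
	struct ibi_pool pool;
	memset(pool.data, 0, sizeof(pool.data));
	struct ibi_slot slot = { pool.data, 0, SLOT_WINDOW, false };

	if (hardened)
		handle_ibi_window_bound(&f, &slot);
	else
		handle_ibi_fifo_bound(&f, &slot);

	if (stored_len)
		*stored_len = slot.len;
	size_t spilled = 0;
	for (size_t i = SLOT_WINDOW; i < sizeof(pool.data); i++)
		if (pool.data[i] != 0)
			spilled++;
	return spilled;
}

static size_t stored_len(bool hardened, size_t payload_len)
{
	size_t n = 0;
	run_case(hardened, payload_len, &n);
	return n;
}

int main(void)
{
	printf("fifo-bound, 8-byte IBI into 1-byte slot: %zu bytes spilled\n", run_case(false, 8, NULL));
	printf("window-bound, same IBI: %zu bytes spilled, %zu stored\n", run_case(true, 8, NULL), stored_len(true, 8));
	return 0;
}
```

An 8-byte IBI against a 1-byte window is well under the 16-byte FIFO bound, so the quoted loop copies all 8 bytes and 7 of them land in the neighbouring slots; the window-bound loop stores 1 byte, drains the remaining 7 and flags the slot as truncated, which is the condition a driver would want to log or count rather than silently absorb.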