If the DTS contains 'assigned-address', a dynamic address leak occurs
during hotjoin events.
Assume a device have assigned-address 0xb.
- Device issue Hotjoin
- Call i3c_master_do_daa()
- Call driver xxx_do_daa()
- Call i3c_master_get_free_addr() to get dynamic address 0x9
- i3c_master_add_i3c_dev_locked(0x9)
- expected_dyn_addr = newdev->boardinfo->init_dyn_addr (0xb);
- i3c_master_reattach_i3c_dev(newdev(0xb), old_dyn_addr(0x9));
- if (dev->info.dyn_addr != old_dyn_addr &&
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 0xb != 0x9 -> TRUE
(!dev->boardinfo ||
^^^^^^^^^^^^^^^ -> FALSE
dev->info.dyn_addr != dev->boardinfo->init_dyn_addr)) {
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
0xb != 0xb -> FALSE
...
i3c_bus_set_addr_slot_status(&master->bus, old_dyn_addr,
I3C_ADDR_SLOT_FREE);
^^^
This will be skipped. So old_dyn_addr never free
}
- i3c_master_get_free_addr() will return increased sequence number.
Remove dev->info.dyn_addr != dev->boardinfo->init_dyn_addr condition check.
dev->info.dyn_addr should be checked before calling this function because
i3c_master_setnewda_locked() has already been called and the target device
has already accepted dyn_addr. It is too late to check if dyn_addr is free
in i3c_master_reattach_i3c_dev().
Add check to ensure expected_dyn_addr is free before
i3c_master_setnewda_locked().
Fixes: cc3a392d69b6 ("i3c: master: fix for SETDASA and DAA process")
Cc: stable@kernel.org
Signed-off-by: Frank Li <Frank.Li@nxp.com>
---
Chagne v6 to v7
- none
Chagne v5 to v6
- fixed version number to v5
- fix merge conflict because change function name and macro name.
Change v3 to v4
- none
---
drivers/i3c/master.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index e0962a17de7f0..9ccfabf849c42 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -1548,16 +1548,9 @@ static int i3c_master_reattach_i3c_dev(struct i3c_dev_desc *dev,
u8 old_dyn_addr)
{
struct i3c_master_controller *master = i3c_dev_get_master(dev);
- enum i3c_addr_slot_status status;
int ret;
- if (dev->info.dyn_addr != old_dyn_addr &&
- (!dev->boardinfo ||
- dev->info.dyn_addr != dev->boardinfo->init_dyn_addr)) {
- status = i3c_bus_get_addr_slot_status(&master->bus,
- dev->info.dyn_addr);
- if (status != I3C_ADDR_SLOT_FREE)
- return -EBUSY;
+ if (dev->info.dyn_addr != old_dyn_addr) {
i3c_bus_set_addr_slot_status(&master->bus,
dev->info.dyn_addr,
I3C_ADDR_SLOT_I3C_DEV);
@@ -1960,9 +1953,10 @@ static int i3c_master_bus_init(struct i3c_master_controller *master)
goto err_rstdaa;
}
+ /* Not mark as occupied until real device exist in bus */
i3c_bus_set_addr_slot_status_mask(&master->bus,
i3cboardinfo->init_dyn_addr,
- I3C_ADDR_SLOT_I3C_DEV | I3C_ADDR_SLOT_EXT_DESIRED,
+ I3C_ADDR_SLOT_EXT_DESIRED,
I3C_ADDR_SLOT_EXT_STATUS_MASK);
/*
@@ -2126,7 +2120,8 @@ int i3c_master_add_i3c_dev_locked(struct i3c_master_controller *master,
else
expected_dyn_addr = newdev->info.dyn_addr;
- if (newdev->info.dyn_addr != expected_dyn_addr) {
+ if (newdev->info.dyn_addr != expected_dyn_addr &&
+ i3c_bus_get_addr_slot_status(&master->bus, expected_dyn_addr) == I3C_ADDR_SLOT_FREE) {
/*
* Try to apply the expected dynamic address. If it fails, keep
* the address assigned by the master.
--
2.34.1Hi Frank,
Frank.Li@nxp.com wrote on Tue, 08 Oct 2024 11:18:26 -0400:
> If the DTS contains 'assigned-address', a dynamic address leak occurs
> during hotjoin events.
>
> Assume a device have assigned-address 0xb.
> - Device issue Hotjoin
> - Call i3c_master_do_daa()
> - Call driver xxx_do_daa()
> - Call i3c_master_get_free_addr() to get dynamic address 0x9
> - i3c_master_add_i3c_dev_locked(0x9)
> - expected_dyn_addr = newdev->boardinfo->init_dyn_addr (0xb);
> - i3c_master_reattach_i3c_dev(newdev(0xb), old_dyn_addr(0x9));
> - if (dev->info.dyn_addr != old_dyn_addr &&
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 0xb != 0x9 -> TRUE
> (!dev->boardinfo ||
> ^^^^^^^^^^^^^^^ -> FALSE
> dev->info.dyn_addr != dev->boardinfo->init_dyn_addr)) {
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 0xb != 0xb -> FALSE
> ...
> i3c_bus_set_addr_slot_status(&master->bus, old_dyn_addr,
> I3C_ADDR_SLOT_FREE);
> ^^^
> This will be skipped. So old_dyn_addr never free
> }
>
> - i3c_master_get_free_addr() will return increased sequence number.
>
> Remove dev->info.dyn_addr != dev->boardinfo->init_dyn_addr condition check.
> dev->info.dyn_addr should be checked before calling this function because
> i3c_master_setnewda_locked() has already been called and the target device
> has already accepted dyn_addr. It is too late to check if dyn_addr is free
> in i3c_master_reattach_i3c_dev().
>
> Add check to ensure expected_dyn_addr is free before
> i3c_master_setnewda_locked().
>
> Fixes: cc3a392d69b6 ("i3c: master: fix for SETDASA and DAA process")
> Cc: stable@kernel.org
> Signed-off-by: Frank Li <Frank.Li@nxp.com>
> ---
> Chagne v6 to v7
> - none
>
> Chagne v5 to v6
> - fixed version number to v5
> - fix merge conflict because change function name and macro name.
>
> Change v3 to v4
> - none
> ---
> drivers/i3c/master.c | 15 +++++----------
> 1 file changed, 5 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index e0962a17de7f0..9ccfabf849c42 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
> @@ -1548,16 +1548,9 @@ static int i3c_master_reattach_i3c_dev(struct i3c_dev_desc *dev,
> u8 old_dyn_addr)
> {
> struct i3c_master_controller *master = i3c_dev_get_master(dev);
> - enum i3c_addr_slot_status status;
> int ret;
>
> - if (dev->info.dyn_addr != old_dyn_addr &&
> - (!dev->boardinfo ||
> - dev->info.dyn_addr != dev->boardinfo->init_dyn_addr)) {
> - status = i3c_bus_get_addr_slot_status(&master->bus,
> - dev->info.dyn_addr);
> - if (status != I3C_ADDR_SLOT_FREE)
> - return -EBUSY;
> + if (dev->info.dyn_addr != old_dyn_addr) {
> i3c_bus_set_addr_slot_status(&master->bus,
> dev->info.dyn_addr,
> I3C_ADDR_SLOT_I3C_DEV);
> @@ -1960,9 +1953,10 @@ static int i3c_master_bus_init(struct i3c_master_controller *master)
> goto err_rstdaa;
> }
>
> + /* Not mark as occupied until real device exist in bus */
/* Do not mark
But with this changed,
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Thanks,
Miquèl
© 2016 - 2024 Red Hat, Inc.