Re: [PATCH v3 2/3] hwmon: pmbus: Add support for Silergy SQ24860

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Missing signedness check on PMBus limits causes negative inputs to silently set maximum hardware limits.
- [Medium] Returns -EINVAL instead of clamping for out-of-bounds lower limits in PMBUS_IIN_OC_FAULT_LIMIT.
--

commit 1edf6322da1b629fce9b16a96496a18863aacef8
Author: Ziming Zhu <ziming.zhu@silergycorp.com>

hwmon: pmbus: Add support for Silergy SQ24860
    
Add PMBus hwmon support for the Silergy SQ24860 eFuse. The driver reports
voltage, current, power, and temperature, along with history attributes
and over-current fault limits.

> diff --git a/drivers/hwmon/pmbus/sq24860.c b/drivers/hwmon/pmbus/sq24860.c
> new file mode 100644
> index 0000000000000..f16f650ff7ba2
> --- /dev/null
> +++ b/drivers/hwmon/pmbus/sq24860.c
[ ... ]
> +static int sq24860_write_word_data(struct i2c_client *client,
> +				    int page, int reg, u16 value)
> +{
> +	int ret;
> +
> +	switch (reg) {
> +	case PMBUS_VIN_UV_WARN_LIMIT:
> +	case PMBUS_VIN_UV_FAULT_LIMIT:
> +	case PMBUS_VIN_OV_WARN_LIMIT:
> +	case PMBUS_VIN_OV_FAULT_LIMIT:
> +	case PMBUS_VOUT_UV_WARN_LIMIT:
> +	case PMBUS_IIN_OC_WARN_LIMIT:
> +	case PMBUS_OT_WARN_LIMIT:
> +	case PMBUS_OT_FAULT_LIMIT:
> +	case PMBUS_PIN_OP_WARN_LIMIT:
> +		value >>= SQ24860_8B_SHIFT;
> +		value = clamp_val(value, 0, 0xff);

[Severity: High]
Does this handle negative user inputs correctly?

The PMBus core converts limit values into 16-bit 2's complement integers
(s16), but passes them as u16 to sq24860_write_word_data(). Because this
driver treats value as an unsigned u16, a negative user limit written via
sysfs will become a large positive value (e.g., 0xFFFF).

When this large value is logically right-shifted and clamped here, it
results in setting the maximum possible hardware limit (0xff) instead of
clamping to the minimum limit (0).

> +		ret = pmbus_write_word_data(client, page, reg, value);
> +		break;
> +
> +	case PMBUS_IIN_OC_FAULT_LIMIT:
> +		if (value < SQ24860_IIN_OCF_OFF)
> +			return -EINVAL;

[Severity: High]
Could a negative user limit bypass this bounds check?

Since value is unsigned, a negative limit (e.g., 0xFFFF) will evaluate
as greater than SQ24860_IIN_OCF_OFF (165). This bypasses the check below
and overflows the 32-bit unsigned calculation, effectively disabling
over-current protection by incorrectly setting the hardware limit to its
maximum.

[Severity: Medium]
Should this clamp the value instead of returning an error?

The hwmon sysfs ABI convention requires drivers to silently clamp
out-of-range user limits to the nearest supported hardware value rather
than returning an error.

If the requested limit translates to a value below SQ24860_IIN_OCF_OFF,
returning -EINVAL violates this convention. Would it be better to clamp
the limit to SQ24860_IIN_OCF_OFF so the underlying register is set to 0?

> +		value -= SQ24860_IIN_OCF_OFF;
> +		value = DIV_ROUND_CLOSEST(((unsigned int)value) * SQ24860_IIN_OCF_DIV,
> +					  SQ24860_IIN_OCF_NUM);
> +		value = clamp_val(value, 0, 0x3f);
> +		ret = pmbus_write_byte_data(client, page, SQ24860_VIREF, value);
> +		break;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260611074335.4415-1-zmzhu0630@163.com?part=2