From: sashiko-bot@kernel.org
To: "Zaixiang Xu" <zaixiang.xu.dev@gmail.com>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org,
linux-hwmon@vger.kernel.org
Subject: Re: [PATCH v7 3/4] hwmon: (sht3x) Add devicetree support
Date: Mon, 13 Jul 2026 08:01:29 +0000 [thread overview]
Message-ID: <20260713080129.D8A8E1F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260713074559.12196-4-zaixiang.xu.dev@gmail.com>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Unaligned memory access when extracting the humidity value causes a kernel panic on strict-alignment architectures.
- [High] Integer overflow in `limit_write()` calculating raw limit values for temperature and humidity, resulting in limits wrapping around to 0.
- [High] Missing `hwmon_lock()` synchronization for extra sysfs attributes (`heater_enable_store`, `repeatability_store`).
- [High] Changing the 'repeatability' sysfs attribute fails to update the active measurement command, rendering the change ineffective until the update interval is toggled.
- [High] `heater_enable_store()` returns the I2C transfer length instead of the consumed buffer length, breaking sysfs writes.
--
--- Patch [3]: [PATCH v7 3/4] hwmon: (sht3x) Add devicetree support ---
commit 3205e8775fc638eb1ac86ddf6feacc8304401779
Author: Zaixiang Xu <zaixiang.xu.dev@gmail.com>
hwmon: (sht3x) Add devicetree support
Add an of_device_id table to support devicetree based instantiation of the
supported sensors. The match data distinguishes the humidity and temperature
parts (SHT3x) from the temperature-only parts (STS3x). Enum sht3x_chips is
started at 1 to prevent i2c_get_match_data() from falling back to device
id matching on devicetree names.
> diff --git a/drivers/hwmon/sht3x.c b/drivers/hwmon/sht3x.c
> index c2f6b73aa7f34..6d47cfd340f83 100644
> --- a/drivers/hwmon/sht3x.c
> +++ b/drivers/hwmon/sht3x.c
> @@ -61,7 +61,7 @@ static const unsigned char sht3x_cmd_read_serial_number[] = { 0x37, 0x80 };
> #define SHT3X_MAX_HUMIDITY 100000
>
> enum sht3x_chips {
> - sht3x,
> + sht3x = 1,
> sts3x,
> };
[ ... ]
> @@ -939,8 +939,19 @@ static const struct i2c_device_id sht3x_ids[] = {
>
> MODULE_DEVICE_TABLE(i2c, sht3x_ids);
>
> +static const struct of_device_id sht3x_of_match[] = {
> + { .compatible = "sensirion,sht30", .data = (void *)(uintptr_t)sht3x },
> + { .compatible = "sensirion,sts30", .data = (void *)(uintptr_t)sts3x },
> + { }
> +};
> +
> +MODULE_DEVICE_TABLE(of, sht3x_of_match);
While reviewing this patch, I noticed a few pre-existing regressions in this
file that might be worth addressing.
[Severity: Critical]
This is a pre-existing issue, but does this unaligned memory access crash
strict-alignment architectures?
drivers/hwmon/sht3x.c:sht3x_update_client() {
...
val = be16_to_cpup((__be16 *)buf);
data->temperature = sht3x_extract_temperature(val);
val = be16_to_cpup((__be16 *)(buf + 3));
data->humidity = sht3x_extract_humidity(val);
data->last_update = jiffies;
}
...
}
Since buf is a stack-allocated byte array, buf + 3 is at an unaligned odd
offset. Dereferencing this pointer triggers an alignment fault on strict
alignment architectures like ARMv5 or SPARC.
Since these sysfs attributes are world-readable, could an unprivileged local
user repeatedly read them to trigger a denial of service?
[Severity: High]
This isn't a bug introduced by this patch, but does this integer arithmetic
overflow?
drivers/hwmon/sht3x.c:limit_write() {
...
/*
* ST = (T + 45) / 175 * 2^16
* SRH = RH / 100 * 2^16
* adapted for fixed point arithmetic and packed the same as
* in limit_read()
*/
raw = ((u32)(temperature + 45000) * 24543) >> (16 + 7);
raw |= ((humidity * 42950) >> 16) & 0xfe00;
...
}
Writing the maximum allowed temperature or humidity limits, such as 130000
for temp1_max, causes the expression ((u32)(temperature + 45000) * 24543)
to become 175000 * 24543 = 4295025000.
This overflows the 32-bit unsigned integer maximum. Does this result in a
calculated raw limit of 0, corresponding to the hardware's minimum bounds,
and incorrectly trigger a spurious hardware alert?
[Severity: High]
This is a pre-existing issue, but do these attributes violate the hwmon core
locking rules?
drivers/hwmon/sht3x.c:heater_enable_store() {
...
mutex_lock(&data->i2c_lock);
if (status)
ret = i2c_master_send(client, (char *)&sht3x_cmd_heater_on,
SHT3X_CMD_LENGTH);
...
}
drivers/hwmon/sht3x.c:repeatability_store() {
...
if (val > 2)
return -EINVAL;
data->repeatability = val;
return count;
}
Attributes registered via the extra_groups parameter, such as heater_enable
and repeatability, do not have automatic hwmon core serialization.
The hwmon subsystem guidelines explicitly require drivers to implement
locking for extra attributes using hwmon_lock(). Should these functions use
hwmon_lock() to prevent concurrent state modifications?
[Severity: High]
This isn't a bug introduced by this patch, but does repeatability_store()
fail to update the active measurement command?
drivers/hwmon/sht3x.c:repeatability_store() {
...
if (val > 2)
return -EINVAL;
data->repeatability = val;
return count;
}
When a user writes to the repeatability attribute, this updates the internal
data->repeatability variable but fails to call sht3x_select_command() or
send the required I2C commands to the device.
Does the driver continue to use the old command and wait time for all
subsequent measurements in single-shot mode, rendering the change
ineffective?
[Severity: High]
This is a pre-existing issue, but does heater_enable_store() break sysfs
writes by returning the I2C transfer length?
drivers/hwmon/sht3x.c:heater_enable_store() {
...
if (status)
ret = i2c_master_send(client, (char *)&sht3x_cmd_heater_on,
SHT3X_CMD_LENGTH);
else
ret = i2c_master_send(client, (char *)&sht3x_cmd_heater_off,
SHT3X_CMD_LENGTH);
mutex_unlock(&data->i2c_lock);
return ret;
}
This returns the result of i2c_master_send(), which is 2 (the length of the
I2C command) instead of the consumed buffer length expected by sysfs.
If a user writes a string longer than 2 bytes, such as 'echo true', does
the sysfs core assume a partial write and invoke the store function again
with the remaining bytes, resulting in a spurious -EINVAL error?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260713074559.12196-1-zaixiang.xu.dev@gmail.com?part=3
next prev parent reply other threads:[~2026-07-13 8:01 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-13 7:45 [PATCH v7 0/4] hwmon: (sht3x) Add support for GXCAS GXHT30 Zaixiang Xu
2026-07-13 7:45 ` [PATCH v7 1/4] dt-bindings: vendor-prefixes: Add GXCAS Technology Zaixiang Xu
2026-07-13 7:47 ` sashiko-bot
2026-07-13 7:45 ` [PATCH v7 2/4] dt-bindings: hwmon: Add Sensirion SHT30 series Zaixiang Xu
2026-07-13 7:55 ` sashiko-bot
2026-07-13 8:27 ` Zaixiang Xu
2026-07-13 7:45 ` [PATCH v7 3/4] hwmon: (sht3x) Add devicetree support Zaixiang Xu
2026-07-13 8:01 ` sashiko-bot [this message]
2026-07-13 8:28 ` Zaixiang Xu
2026-07-13 7:45 ` [PATCH v7 4/4] hwmon: (sht3x) Document support for GXCAS GXHT30 Zaixiang Xu
2026-07-13 7:48 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260713080129.D8A8E1F00A3D@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=zaixiang.xu.dev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox