Linux Hardware Monitor development
From: sashiko-bot@kernel.org
To: "Abdurrahman Hussain via B4 Relay"
	<devnull+abdurrahman.nexthop.ai@kernel.org>
Cc: linux-hwmon@vger.kernel.org
Subject: Re: [PATCH 5/7] hwmon: (pmbus/adm1266) add powerup_counter debugfs entry
Date: Sat, 09 May 2026 01:48:20 +0000
Message-ID: <20260509014820.AD84FC2BCB4@smtp.kernel.org>
In-Reply-To: <20260508-adm1266-v1-5-ec08bf29e0ce@nexthop.ai>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] Use-after-free (UAF) during device removal due to conflicting devm and I2C core debugfs cleanup.
- [High] The debugfs attribute read function does not use hwmon_lock() to protect the hardware transaction.
--

commit b318aa9245d6d04f4ea8a9408b54190c4f30c67d
Author: Abdurrahman Hussain <abdurrahman@nexthop.ai>

hwmon: (pmbus/adm1266) add powerup_counter debugfs entry

The ADM1266 maintains a 16-bit non-volatile POWERUP_COUNTER register
that increments on every power cycle and cannot be reset by the host.
This patch exposes it as a read-only debugfs file.

> diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c
> --- a/drivers/hwmon/pmbus/adm1266.c
> +++ b/drivers/hwmon/pmbus/adm1266.c
[ ... ]
> +static int adm1266_powerup_counter_read(struct seq_file *s, void *pdata)
> +{
> +	struct device *dev = s->private;
> +	struct i2c_client *client = to_i2c_client(dev);
> +	u8 buf[I2C_SMBUS_BLOCK_MAX];
> +	int ret;
> +
> +	ret = i2c_smbus_read_block_data(client, ADM1266_POWERUP_COUNTER, buf);

The hwmon subsystem guidelines mention that drivers should use hwmon_lock()
and hwmon_unlock() for attributes registered outside of the core hwmon sysfs
operations.

Since this debugfs read issues an I2C transaction, should hwmon_lock() be
acquired before calling i2c_smbus_read_block_data() to avoid racing with
concurrent sysfs or internal device operations?

> +	if (ret < 0)
> +		return ret;
> +	if (ret != 2)
> +		return -EIO;
> +
> +	seq_printf(s, "%u\n", buf[0] | (buf[1] << 8));
> +
> +	return 0;
> +}
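
Review bot: in the seq_printf() call at the end of adm1266_powerup_counter_read(), the expression buf[0] | (buf[1] << 8) has type int after integer promotion but is printed with %u, and the little-endian byte order is only implied by the open-coded shift. Consider get_unaligned_le16(buf), or a u16 local, so the type matches the format and the byte order is explicit. A one-line comment saying the register is returned as a 2-byte block would also explain why ret != 2 is treated as -EIO.
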
[ ... ]
> @@ -400,6 +426,8 @@ static void adm1266_init_debugfs(struct adm1266_data *data)
>  				    adm1266_state_read);
>  	debugfs_create_devm_seqfile(&data->client->dev, "firmware_revision", data->debugfs_dir,
>  				    adm1266_firmware_revision_read);
> +	debugfs_create_devm_seqfile(&data->client->dev, "powerup_counter", data->debugfs_dir,
> +				    adm1266_powerup_counter_read);

Can this sequence lead to a use-after-free during device removal?

According to the I2C subsystem rules, the I2C core cleans up debugfs entries
attached to the client after the driver's remove function finishes, but
before releasing devres resources.

If the I2C core removes the debugfs tree and frees the dentries first,
wouldn't the subsequent devm cleanup for this seqfile try to call
debugfs_remove() using an already-freed dentry pointer?

>  	debugfs_create_file("clear_blackbox", 0200, data->debugfs_dir, data->client,
>  			    &adm1266_clear_blackbox_fops);
>  }
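
Review bot: the added powerup_counter entry in adm1266_init_debugfs() goes through the devm helper keyed to &data->client->dev, while clear_blackbox directly below it uses plain debugfs_create_file() with data->client as private data, so entries in the same data->debugfs_dir follow two different lifetime rules. Nothing in the visible lines shows where data->debugfs_dir itself is removed. Please state, in a comment here or in the commit message, which path tears the directory down and how that is ordered against the devm release for this device.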

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260508-adm1266-v1-0-ec08bf29e0ce@nexthop.ai?part=5

Thread overview: 19+ messages
2026-05-08 23:33 [PATCH 0/7] hwmon: (pmbus/adm1266) RTC fix, blackbox, FW rev, rtc_class Abdurrahman Hussain via B4 Relay
2026-05-08 23:33 ` [PATCH 1/7] hwmon: (pmbus/adm1266) use wall-clock seconds for SET_RTC Abdurrahman Hussain via B4 Relay
2026-05-08 23:48   ` sashiko-bot
2026-05-08 23:33 ` [PATCH 2/7] hwmon: (pmbus/adm1266) write fractional-seconds field of SET_RTC Abdurrahman Hussain via B4 Relay
2026-05-09  0:06   ` sashiko-bot
2026-05-08 23:33 ` [PATCH 3/7] hwmon: (pmbus/adm1266) add firmware_revision debugfs entry Abdurrahman Hussain via B4 Relay
2026-05-09  0:38   ` sashiko-bot
2026-05-08 23:33 ` [PATCH 4/7] hwmon: (pmbus/adm1266) add clear_blackbox " Abdurrahman Hussain via B4 Relay
2026-05-09  1:10   ` sashiko-bot
2026-05-08 23:33 ` [PATCH 5/7] hwmon: (pmbus/adm1266) add powerup_counter " Abdurrahman Hussain via B4 Relay
2026-05-09  1:48   ` sashiko-bot [this message]
2026-05-08 23:33 ` [PATCH 6/7] hwmon: (pmbus/adm1266) register rtc_class device backed by SET_RTC Abdurrahman Hussain via B4 Relay
2026-05-09  2:26   ` sashiko-bot
2026-05-08 23:33 ` [PATCH 7/7] hwmon: (pmbus/adm1266) include adapter number in GPIO line label Abdurrahman Hussain via B4 Relay
2026-05-09  2:39   ` sashiko-bot
2026-05-09 14:14 ` [PATCH 0/7] hwmon: (pmbus/adm1266) RTC fix, blackbox, FW rev, rtc_class Guenter Roeck
2026-05-09 21:58   ` Abdurrahman Hussain
2026-05-09 23:49     ` Guenter Roeck
2026-05-11  3:46       ` Abdurrahman Hussain
