Re: [PATCH 3/5] hwmon: (pmbus/adm1266) reject implausible blackbox record_count

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The driver fails to use `hwmon_lock()` to serialize access to the nvmem cell, violating hardware monitoring subsystem architectural rules.
--

commit 82b651c5cd300cad751f056cdcdf20bb2cbb18c7
Author: Abdurrahman Hussain <abdurrahman@nexthop.ai>

hwmon: (pmbus/adm1266) reject implausible blackbox record_count

This commit adds a bounds check to adm1266_nvmem_read_blackbox() to ensure
the record_count does not exceed the maximum capacity of the device memory
buffer. It caps the record count at 32 and returns an error if exceeded.

> diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c
> index 94691dec13599..43d9e74077954 100644
> --- a/drivers/hwmon/pmbus/adm1266.c
> +++ b/drivers/hwmon/pmbus/adm1266.c
[ ... ]
> @@ -360,6 +361,8 @@ static int adm1266_nvmem_read_blackbox(struct adm1266_data *data, u8 *read_buff)
>  		return -EIO;
>  
>  	record_count = buf[3];
> +	if (record_count > ADM1266_BLACKBOX_MAX_RECORDS)
> +		return -EIO;
>  
>  	for (index = 0; index < record_count; index++) {
>  		ret = adm1266_pmbus_block_xfer(data, ADM1266_READ_BLACKBOX, 1, &index, read_buff);

This isn't a bug introduced by this patch, but while reviewing the blackbox
read path, is there a missing lock to serialize access to the nvmem cell?

According to the hardware monitoring subsystem guidelines, drivers must
implement locking for attributes registered outside the hwmon core, and should
use hwmon_lock() and hwmon_unlock() for this purpose.

If multiple user space threads concurrently access the nvmem attribute, could
this lead to a race condition where one thread clears or populates the shared
buffer while another thread copies that partially modified buffer to userspace?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260515-adm1266-fixes-v1-0-1c1ea1349cfe@nexthop.ai?part=3