Commit e108b0a5 authored Jul 16, 2025 by Akshay Gupta Committed by Greg Kroah-Hartman Jul 16, 2025

misc: amd-sbi: Address potential integer overflow issue reported in smatch

Smatch warnings are reported for below commit,

Commit bb13a84e ("misc: amd-sbi: Add support for CPUID protocol")
from Apr 28, 2025 (linux-next), leads to the following Smatch static
checker warning:

drivers/misc/amd-sbi/rmi-core.c:132 rmi_cpuid_read() warn: bitwise OR is zero '0xffffffff00000000 & 0xffff'
drivers/misc/amd-sbi/rmi-core.c:132 rmi_cpuid_read() warn: potential integer overflow from user 'msg->cpu_in_out << 32'
drivers/misc/amd-sbi/rmi-core.c:213 rmi_mca_msr_read() warn: bitwise OR is zero '0xffffffff00000000 & 0xffff'
drivers/misc/amd-sbi/rmi-core.c:213 rmi_mca_msr_read() warn: potential integer overflow from user 'msg->mcamsr_in_out << 32'

CPUID & MCAMSR thread data from input is available at byte 4 & 5, this
patch fixes to copy the user data correctly in the argument.
Previously, CPUID and MCAMSR data is return only for thread 0.

Fixes: bb13a84e ("misc: amd-sbi: Add support for CPUID protocol")
Fixes: 69b1ba83 ("misc: amd-sbi: Add support for read MCA register protocol")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/aDVyO8ByVsceybk9@stanley.mountain/

Reviewed-by: Naveen Krishna Chatradhi <naveenkrishna.chatradhi@amd.com>
Signed-off-by: Akshay Gupta <akshay.gupta@amd.com>
Link: https://lore.kernel.org/r/20250716110729.2193725-1-akshay.gupta@amd.com

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 1b98304c

drivers/misc/amd-sbi/rmi-core.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -42,7 +42,6 @@
		#define RD_MCA_CMD 0x86

		/* CPUID MCAMSR mask & index */
		#define CPUID_MCA_THRD_MASK GENMASK(15, 0)
		#define CPUID_MCA_THRD_INDEX 32
		#define CPUID_MCA_FUNC_MASK GENMASK(31, 0)
		#define CPUID_EXT_FUNC_INDEX 56
		@@ -129,7 +128,7 @@ static int rmi_cpuid_read(struct sbrmi_data *data,
		goto exit_unlock;
		}

		thread = msg->cpu_in_out << CPUID_MCA_THRD_INDEX & CPUID_MCA_THRD_MASK;
		thread = msg->cpu_in_out >> CPUID_MCA_THRD_INDEX;

		/* Thread > 127, Thread128 CS register, 1'b1 needs to be set to 1 */
		if (thread > 127) {
		@@ -210,7 +209,7 @@ static int rmi_mca_msr_read(struct sbrmi_data *data,
		goto exit_unlock;
		}

		thread = msg->mcamsr_in_out << CPUID_MCA_THRD_INDEX & CPUID_MCA_THRD_MASK;
		thread = msg->mcamsr_in_out >> CPUID_MCA_THRD_INDEX;

		/* Thread > 127, Thread128 CS register, 1'b1 needs to be set to 1 */
		if (thread > 127) {