On 1/20/22 9:39 PM, Dan Carpenter wrote:
The "val" variable is controlled by the user and comes from
hwmon_attr_store(). The FAN_RPM_TO_PERIOD() macro divides by "val"
so a zero will crash the system. Check for that and return -EINVAL.
Fixes: fc958a61ff6d ("hwmon: (adt7470) Convert to devm_hwmon_device_register_with_info API")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/hwmon/adt7470.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hwmon/adt7470.c b/drivers/hwmon/adt7470.c
index d519aca4a9d6..cd474584dc0b 100644
--- a/drivers/hwmon/adt7470.c
+++ b/drivers/hwmon/adt7470.c
@@ -662,6 +662,9 @@ static int adt7470_fan_write(struct device *dev, u32 attr, int channel, long val
struct adt7470_data *data = dev_get_drvdata(dev);
int err;
+ if (!val)
+ return -EINVAL;
+
Technically that restores old (pre-fc958a61ff6d) behavior, but it is still bad:
Userspace can provide a value of -1 (or any other negative number), and it will
translate to 5400000 RPM. So it should either be
if (val <= 0)
return -EINVAL;
or
if (val <= 0)
val = 1;
Thanks,
Guenter
