Commit 670d7ef9 authored by Gui-Dong Han's avatar Gui-Dong Han Committed by Guenter Roeck
Browse files

hwmon: (w83791d) Convert macros to functions to avoid TOCTOU 

The macro FAN_FROM_REG evaluates its arguments multiple times. When used
in lockless contexts involving shared driver data, this leads to
Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially
causing divide-by-zero errors.

Convert the macro to a static function. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.

Additionally, in store_fan_div, move the calculation of the minimum
limit inside the update lock. This ensures that the read-modify-write
sequence operates on consistent data.

Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.

Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/


Fixes: 9873964d ("[PATCH] HWMON: w83791d: New hardware monitoring driver for the Winbond W83791D")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarGui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251202180105.12842-1-hanguidong02@gmail.com


Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
parent 67a454e6

drivers/hwmon/w83791d.c

+11 −6
Original line number Diff line number Diff line
@@ -218,9 +218,14 @@ static u8 fan_to_reg(long rpm, int div) 
	return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254);

}



#define FAN_FROM_REG(val, div)	((val) == 0 ? -1 : \

				((val) == 255 ? 0 : \

					1350000 / ((val) * (div))))

static int fan_from_reg(int val, int div)

{

	if (val == 0)

		return -1;

	if (val == 255)

		return 0;

	return 1350000 / (val * div);

}



/* for temp1 which is 8-bit resolution, LSB = 1 degree Celsius */

#define TEMP1_FROM_REG(val)	((val) * 1000)
@@ -521,7 +526,7 @@ static ssize_t show_##reg(struct device *dev, struct device_attribute *attr, \ 
	struct w83791d_data *data = w83791d_update_device(dev); \

	int nr = sensor_attr->index; \

	return sprintf(buf, "%d\n", \

		FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \

		fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \

}



show_fan_reg(fan);
@@ -585,10 +590,10 @@ static ssize_t store_fan_div(struct device *dev, struct device_attribute *attr, 
	if (err)

		return err;



	mutex_lock(&data->update_lock);

	/* Save fan_min */

	min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));

	min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));



	mutex_lock(&data->update_lock);

	data->fan_div[nr] = div_to_reg(nr, val);



	switch (nr) {