Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

hwmon: (w83791d) Convert macros to functions to avoid TOCTOU

The macro FAN_FROM_REG evaluates its arguments multiple times. When used
in lockless contexts involving shared driver data, this leads to
Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially
causing divide-by-zero errors.

Convert the macro to a static function. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.

Additionally, in store_fan_div, move the calculation of the minimum
limit inside the update lock. This ensures that the read-modify-write
sequence operates on consistent data.

Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.

Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: 9873964d6eb2 ("[PATCH] HWMON: w83791d: New hardware monitoring driver for the Winbond W83791D")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251202180105.12842-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>

Authored by Gui-Dong Han and committed by Guenter Roeck
670d7ef9 67a454e6

+12 -7
drivers/hwmon/w83791d.c
··· 218 218 return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254); 219 219 } 220 220 221 - #define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \ 222 - ((val) == 255 ? 0 : \ 223 - 1350000 / ((val) * (div)))) 221 + static int fan_from_reg(int val, int div) 222 + { 223 + if (val == 0) 224 + return -1; 225 + if (val == 255) 226 + return 0; 227 + return 1350000 / (val * div); 228 + } 224 229 225 230 /* for temp1 which is 8-bit resolution, LSB = 1 degree Celsius */ 226 231 #define TEMP1_FROM_REG(val) ((val) * 1000) ··· 526 521 struct w83791d_data *data = w83791d_update_device(dev); \ 527 522 int nr = sensor_attr->index; \ 528 523 return sprintf(buf, "%d\n", \ 529 - FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ 524 + fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ 530 525 } 531 526 532 527 show_fan_reg(fan); ··· 590 585 if (err) 591 586 return err; 592 587 593 - /* Save fan_min */ 594 - min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); 595 - 596 588 mutex_lock(&data->update_lock); 589 + /* Save fan_min */ 590 + min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); 591 + 597 592 data->fan_div[nr] = div_to_reg(nr, val); 598 593 599 594 switch (nr) {
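Review bot: in the first hunk, fan_from_reg() guards val == 0 but then divides by val * div with nothing said about div. A short comment above the function would help: state that div is the already-decoded divisor and is expected to be non-zero, and document the two sentinel returns (-1 when val is 0, 0 when val is 255), since the result is printed directly by the show path.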
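Review bot: in the show_fan_reg hunk, the call site still reads data->reg[nr] and data->fan_div[nr] with plain loads and no lock in the lines shown. Passing by value removes the double evaluation the macro expanded to, but once fan_from_reg() is inlined a plain load of a shared field is not guaranteed to stay a single access. If this path is meant to remain lockless, wrapping the two loads in READ_ONCE() would make the single read explicit; otherwise take update_lock around the read.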
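Review bot: in the store_fan_div hunk, min is now computed under update_lock, but the lines that later turn min back into data->fan_min[nr] fall outside the visible context. Please confirm that write-back happens before the matching mutex_unlock(), so that the whole read-modify-write sequence the commit message describes sits in one critical section.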