From: Nikita Zhandarovich Date: Fri, 29 May 2026 14:18:36 +0000 (+0300) Subject: hwmon: (it87) Clamp negative values to zero in set_fan() X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=7f8581c70a3bd50a932d3d2d253e99c5ec3eda74;p=thirdparty%2Flinux.git hwmon: (it87) Clamp negative values to zero in set_fan() set_fan() parses user input with kstrtol() and passes the resulting value to FAN16_TO_REG() on chips with 16-bit fan support. Negative fan speeds are not meaningful and should be rejected before conversion. Worst scenario, one may be able to abuse undefined behaviour of signed overflow to possibly induce rpm * 2 == 0 in FAN16_TO_REG(), thus causing a division by zero. Instead, clamp val < 0 to zero and keep the conversion in its valid input domain, avoiding unsafe arithmetic in the register conversion path. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 17d648bf5786 ("it87: Add support for the IT8716F") Signed-off-by: Nikita Zhandarovich Link: https://lore.kernel.org/r/20260529141839.1639287-1-n.zhandarovich@fintech.ru Signed-off-by: Guenter Roeck --- diff --git a/drivers/hwmon/it87.c b/drivers/hwmon/it87.c index 5fd310662ee43..87edb1b6048bb 100644 --- a/drivers/hwmon/it87.c +++ b/drivers/hwmon/it87.c @@ -1412,6 +1412,9 @@ static ssize_t set_fan(struct device *dev, struct device_attribute *attr, if (kstrtol(buf, 10, &val) < 0) return -EINVAL; + if (val < 0) + val = 0; + err = it87_lock(data); if (err) return err;