From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Zicheng Qu <quzicheng@huawei.com>,
Nuno Sa <nuno.sa@analog.com>,
Dan Carpenter <dan.carpenter@linaro.org>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>
Subject: [PATCH 5.15 47/73] staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()
Date: Wed, 6 Nov 2024 13:05:51 +0100 [thread overview]
Message-ID: <20241106120301.371711869@linuxfoundation.org> (raw)
In-Reply-To: <20241106120259.955073160@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zicheng Qu <quzicheng@huawei.com>
commit 6bd301819f8f69331a55ae2336c8b111fc933f3d upstream.
In the ad9832_write_frequency() function, clk_get_rate() might return 0.
This can lead to a division by zero when calling ad9832_calc_freqreg().
The check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect
against the case when fout is 0. The ad9832_write_frequency() function
is called from ad9832_write(), and fout is derived from a text buffer,
which can contain any value.
Link: https://lore.kernel.org/all/2024100904-CVE-2024-47663-9bdc@gregkh/
Fixes: ea707584bac1 ("Staging: IIO: DDS: AD9832 / AD9835 driver")
Cc: stable@vger.kernel.org
Signed-off-by: Zicheng Qu <quzicheng@huawei.com>
Reviewed-by: Nuno Sa <nuno.sa@analog.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20241022134354.574614-1-quzicheng@huawei.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/iio/frequency/ad9832.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/staging/iio/frequency/ad9832.c
+++ b/drivers/staging/iio/frequency/ad9832.c
@@ -129,12 +129,15 @@ static unsigned long ad9832_calc_freqreg
static int ad9832_write_frequency(struct ad9832_state *st,
unsigned int addr, unsigned long fout)
{
+ unsigned long clk_freq;
unsigned long regval;
- if (fout > (clk_get_rate(st->mclk) / 2))
+ clk_freq = clk_get_rate(st->mclk);
+
+ if (!clk_freq || fout > (clk_freq / 2))
return -EINVAL;
- regval = ad9832_calc_freqreg(clk_get_rate(st->mclk), fout);
+ regval = ad9832_calc_freqreg(clk_freq, fout);
st->freq_data[0] = cpu_to_be16((AD9832_CMD_FRE8BITSW << CMD_SHIFT) |
(addr << ADD_SHIFT) |
next prev parent reply other threads:[~2024-11-06 13:20 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-06 12:05 [PATCH 5.15 00/73] 5.15.171-rc1 review Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 01/73] selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 02/73] ksmbd: fix user-after-free from session log off Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 03/73] ACPI: PRM: Remove unnecessary blank lines Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 04/73] ACPI: PRM: Change handler_addr type to void pointer Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 05/73] ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 06/73] cgroup: Fix potential overflow issue when checking max_depth Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 07/73] mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 08/73] wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 09/73] wifi: brcm80211: BRCM_TRACING should depend on TRACING Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 10/73] RDMA/cxgb4: Dump vendor specific QP details Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 11/73] RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 12/73] RDMA/bnxt_re: synchronize the qp-handle table array Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 13/73] mac80211: do drv_reconfig_complete() before restarting all Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 14/73] mac80211: Add support to trigger sta disconnect on hardware restart Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 15/73] wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 16/73] wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 17/73] ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 18/73] net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 19/73] igb: Disable threaded IRQ for igb_msix_other Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 20/73] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 21/73] gtp: allow -1 to be specified as file description from userspace Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 22/73] net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 23/73] netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 24/73] bpf: Fix out-of-bounds write in trie_get_next_key() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 25/73] netfilter: Fix use-after-free in get_info() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 26/73] net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 27/73] netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 28/73] firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 29/73] ACPI: CPPC: Make rmw_lock a raw_spin_lock Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 30/73] fs/ntfs3: Check if more than chunk-size bytes are written Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 31/73] fs/ntfs3: Fix warning possible deadlock in ntfs_set_state Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 32/73] fs/ntfs3: Fix possible deadlock in mi_read Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 33/73] fs/ntfs3: Additional check in ni_clear() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 34/73] scsi: scsi_transport_fc: Allow setting rport state to current state Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 35/73] net: amd: mvme147: Fix probe banner message Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 36/73] NFS: remove revoked delegation from servers delegation list Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 37/73] misc: sgi-gru: Dont disable preemption in GRU driver Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 38/73] usbip: tools: Fix detach_port() invalid port error path Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 39/73] usb: phy: Fix API devm_usb_put_phy() can not release the phy Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 40/73] usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 41/73] xhci: Fix Link TRB DMA in command ring stopped completion event Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 42/73] xhci: Use pm_runtime_get to prevent RPM on unsupported systems Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 43/73] Revert "driver core: Fix uevent_show() vs driver detach race" Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 44/73] wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 45/73] wifi: ath10k: Fix memory leak in management tx Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 46/73] wifi: iwlegacy: Clear stale interrupts before resuming device Greg Kroah-Hartman
2024-11-06 12:05 ` Greg Kroah-Hartman [this message]
2024-11-06 12:05 ` [PATCH 5.15 48/73] iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 49/73] iio: light: veml6030: fix microlux value calculation Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 50/73] nilfs2: fix potential deadlock with newly created symlinks Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 51/73] riscv: vdso: Prevent the compiler from inserting calls to memset() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 52/73] riscv: efi: Set NX compat flag in PE/COFF header Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 53/73] riscv: Use %u to format the output of cpu Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 54/73] riscv: Remove unused GENERATING_ASM_OFFSETS Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 55/73] riscv: Remove duplicated GET_RM Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 56/73] mm/page_alloc: call check_new_pages() while zone spinlock is not held Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 57/73] mm/page_alloc: fix tracepoint mm_page_alloc_zone_locked() Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 58/73] mm/page_alloc: split out buddy removal code from rmqueue into separate helper Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 59/73] mm/page_alloc: rename ALLOC_HIGH to ALLOC_MIN_RESERVE Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 60/73] mm/page_alloc: treat RT tasks similar to __GFP_HIGH Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 61/73] mm/page_alloc: explicitly record high-order atomic allocations in alloc_flags Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 62/73] mm/page_alloc: explicitly define what alloc flags deplete min reserves Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 63/73] mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 64/73] mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 65/73] ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 66/73] x86/bugs: Use code segment selector for VERW operand Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 67/73] nilfs2: fix kernel bug due to missing clearing of checked flag Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 68/73] wifi: iwlwifi: mvm: fix 6 GHz scan construction Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 69/73] mm: shmem: fix data-race in shmem_getattr() Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 70/73] Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 71/73] drm/i915: Fix potential context UAFs Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 72/73] vt: prevent kernel-infoleak in con_font_get() Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 73/73] mac80211: always have ieee80211_sta_restart() Greg Kroah-Hartman
2024-11-06 16:53 ` [PATCH 5.15 00/73] 5.15.171-rc1 review SeongJae Park
2024-11-07 2:50 ` Shuah Khan
2024-11-07 2:56 ` Shuah Khan
2024-11-07 12:03 ` Naresh Kamboju
2024-11-07 13:42 ` Jon Hunter
2024-11-07 19:29 ` Florian Fainelli
2024-11-08 2:31 ` Ron Economos
2024-11-08 7:06 ` [PATCH 5.15] " Hardik Garg
2024-11-08 15:46 ` [PATCH 5.15 00/73] " Mark Brown
2024-11-09 16:05 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241106120301.371711869@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Jonathan.Cameron@huawei.com \
--cc=dan.carpenter@linaro.org \
--cc=nuno.sa@analog.com \
--cc=patches@lists.linux.dev \
--cc=quzicheng@huawei.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox