iio: inv_mpu6050: Fully validate gyro and accel scale writes

commit e09fe9135399807b8397798a53160e055dc6c29f upstream.

When setting the gyro or accelerometer scale the inv_mpu6050 driver ignores
the integer part of the value. As a result e.g. all of 0.13309, 1.13309,
12345.13309, ... are accepted as a valid gyro scale and 0.13309 is the
scale that gets set in all those cases.

Make sure to check that the integer part of the scale value is 0 and reject
it otherwise.

Fixes: 09a642b78523 ("Invensense MPU6050 Device Driver.")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
Link: https://lore.kernel.org/r/20210405114441.24167-1-lars@metafoo.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
index 18a1898..ae391ec 100644 (file)
--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
@@ -723,12 +723,16 @@ inv_mpu6050_read_raw(struct iio_dev *indio_dev,
        }
 }
 
-static int inv_mpu6050_write_gyro_scale(struct inv_mpu6050_state *st, int val)
+static int inv_mpu6050_write_gyro_scale(struct inv_mpu6050_state *st, int val,
+                                       int val2)
 {
        int result, i;
 
+       if (val != 0)
+               return -EINVAL;
+
        for (i = 0; i < ARRAY_SIZE(gyro_scale_6050); ++i) {
-               if (gyro_scale_6050[i] == val) {
+               if (gyro_scale_6050[i] == val2) {
                        result = inv_mpu6050_set_gyro_fsr(st, i);
                        if (result)
                                return result;
@@ -759,13 +763,17 @@ static int inv_write_raw_get_fmt(struct iio_dev *indio_dev,
        return -EINVAL;
 }
 
-static int inv_mpu6050_write_accel_scale(struct inv_mpu6050_state *st, int val)
+static int inv_mpu6050_write_accel_scale(struct inv_mpu6050_state *st, int val,
+                                        int val2)
 {
        int result, i;
        u8 d;
 
+       if (val != 0)
+               return -EINVAL;
+
        for (i = 0; i < ARRAY_SIZE(accel_scale); ++i) {
-               if (accel_scale[i] == val) {
+               if (accel_scale[i] == val2) {
                        d = (i << INV_MPU6050_ACCL_CONFIG_FSR_SHIFT);
                        result = regmap_write(st->map, st->reg->accl_config, d);
                        if (result)
@@ -806,10 +814,10 @@ static int inv_mpu6050_write_raw(struct iio_dev *indio_dev,
        case IIO_CHAN_INFO_SCALE:
                switch (chan->type) {
                case IIO_ANGL_VEL:
-                       result = inv_mpu6050_write_gyro_scale(st, val2);
+                       result = inv_mpu6050_write_gyro_scale(st, val, val2);
                        break;
                case IIO_ACCEL:
-                       result = inv_mpu6050_write_accel_scale(st, val2);
+                       result = inv_mpu6050_write_accel_scale(st, val, val2);
                        break;
                default:
                        result = -EINVAL;