The "val->intval" variable is an integer which comes from the user. This
code has an upper bounds check but the lower bounds check was
accidentally omitted. The write_to_ec() takes a u8 value as a parameter
so negative values would be truncated to positive values in the 0-255
range.
Return -EINVAL if the user passes a negative value.
Fixes: 202593d1e86b ("platform/x86: oxpec: Add charge threshold and behaviour to OneXPlayer")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
drivers/platform/x86/oxpec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/oxpec.c b/drivers/platform/x86/oxpec.c
index 4b48f4571b09..de70ca7e8493 100644
--- a/drivers/platform/x86/oxpec.c
+++ b/drivers/platform/x86/oxpec.c
@@ -582,7 +582,7 @@ static int oxp_psy_ext_set_prop(struct power_supply *psy,
switch (psp) {
case POWER_SUPPLY_PROP_CHARGE_CONTROL_END_THRESHOLD:
- if (val->intval > 100)
+ if (val->intval < 0 || val->intval > 100)
return -EINVAL;
return write_to_ec(OXP_X1_CHARGE_LIMIT_REG, val->intval);
case POWER_SUPPLY_PROP_CHARGE_BEHAVIOUR:
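Review bot: In the POWER_SUPPLY_PROP_CHARGE_CONTROL_END_THRESHOLD case the new condition still accepts 0, and val->intval is then narrowed implicitly from int to u8 at the write_to_ec() call. Worth confirming that 0 is a meaningful value for OXP_X1_CHARGE_LIMIT_REG, and a one-line comment stating the accepted range (0 to 100) above the check would make it obvious to the next reader that the narrowing is safe only because of this test. The POWER_SUPPLY_PROP_CHARGE_BEHAVIOUR case that follows is cut off in the context, so it is not visible here whether it passes val->intval to the EC with the same kind of one-sided check.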
--
2.47.2
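The truncation described in the commit message, reproduced in user space as an added example; it is not code from the patch or the driver. `write_to_ec_stub()`, `fake_ec_reg`, `byte_written()` and the two `set_end_threshold_*()` functions are hypothetical stand-ins, and the stub drops the register argument that the real write_to_ec() takes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the EC register; the real write_to_ec() talks to hardware. */
static uint8_t fake_ec_reg;
static int ec_writes;

/* Like write_to_ec() in the commit message, the value parameter is a u8. */
static int write_to_ec_stub(uint8_t value)
{
    fake_ec_reg = value;
    ec_writes++;
    return 0;
}

/* Check as it stood before the patch: upper bound only. */
static int set_end_threshold_before(int intval)
{
    if (intval > 100)
        return -EINVAL;
    return write_to_ec_stub(intval);    /* implicit int -> u8 narrowing */
}

/* Check as it stands after the patch: both bounds. */
static int set_end_threshold_after(int intval)
{
    if (intval < 0 || intval > 100)
        return -EINVAL;
    return write_to_ec_stub(intval);
}

/* Byte that reached the register, or -1 if the request was rejected. */
static int byte_written(int (*setter)(int), int intval)
{
    int writes_before = ec_writes;

    if (setter(intval) != 0 || ec_writes == writes_before)
        return -1;
    return fake_ec_reg;
}

int main(void)
{
    const int samples[] = { 80, 101, -1, -56, -256 };  /* constructed inputs */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%5d: before=%d after=%d\n", samples[i],
               byte_written(set_end_threshold_before, samples[i]),
               byte_written(set_end_threshold_after, samples[i]));
    return 0;
}
```

With the upper-bound-only check, every negative input passes and the register receives a byte the caller never asked for, including values above the 100 limit.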
On Fri, 02 May 2025 11:40:15 +0300, Dan Carpenter wrote:
> The "val->intval" variable is an integer which comes from the user. This
> code has an upper bounds check but the lower bounds check was
> accidentally omitted. The write_to_ec() takes a u8 value as a parameter
> so negative values would be truncated to positive values in the 0-255
> range.
>
> Return -EINVAL if the user passes a negative value.
>
> [...]
Thank you for your contribution, it has been applied to my local
review-ilpo-next branch. Note it will show up in the public
platform-drivers-x86/review-ilpo-next branch only once I've pushed my
local branch there, which might take a while.
The list of commits applied:
[1/1] platform/x86: oxpec: Add a lower bounds check in oxp_psy_ext_set_prop()
commit: 55cd5e760618b3bca5b8ab63fe65ab78a753adf8
--
i.