From nobody Fri Dec 19 06:17:53 2025 Received: from mail-oa1-f42.google.com (mail-oa1-f42.google.com [209.85.160.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DE5311DC184 for ; Tue, 18 Feb 2025 23:17:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1739920676; cv=none; b=n0+gOrkL1BuGmM4sZkOKPp38gIsarG659R8FiXsSMrEsW32m5HcCsFHjZsVWU9jXuoMRsC5DgtWU24Y6Ll5oG6iVaW4LN6ijuBKL/jGlmevf+brypWpDf8m+eWugDkXC57xviml+R7ACnmABXgFHWMyDmwcpEH6Clf2j2DZPxRE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1739920676; c=relaxed/simple; bh=9nCO7nZLKNdiDn/v0csoc01tAaw2I1Nd3kyqboFCUAk=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=OgDjg1P1NKNqiyPdtyfw8ZuDDFt8Exosujz/b6sxd7nulQAG/YClCoYkPiknnsUU2xdJfzgNv+7I2/bS8BQaEtFUN3ZK/r5z3qMfOHkjxQjQntGiokegi1A6a2ofqWTuR22zLJnbT678dr8h525YVFpSoGcbN2vsyBEaLWW3j/o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=baylibre.com; spf=pass smtp.mailfrom=baylibre.com; dkim=pass (2048-bit key) header.d=baylibre-com.20230601.gappssmtp.com header.i=@baylibre-com.20230601.gappssmtp.com header.b=dbuC56dg; arc=none smtp.client-ip=209.85.160.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=baylibre.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=baylibre.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=baylibre-com.20230601.gappssmtp.com header.i=@baylibre-com.20230601.gappssmtp.com header.b="dbuC56dg" Received: by mail-oa1-f42.google.com with SMTP id 586e51a60fabf-29fe83208a4so190390fac.0 for ; Tue, 18 Feb 2025 15:17:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=baylibre-com.20230601.gappssmtp.com; s=20230601; t=1739920673; x=1740525473; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=nolGyY7FaUucKN7S8iQ8H4IDqpOVZJT/2gwczCi4r0I=; b=dbuC56dg55yyn16Rm73Olc050N/MqQzkw6zinFazALLNbMN373UzlvyljEKUcHlOgO CZvh4Er/wlFXZ7DkXhV/yKq10qQOM9Tk2FxzVtNj0Y+WgPGN9XUzS3i3KQORMW/ARYek WsSgA4YreltS6W/YI+1TzSlEfbZuAcPQLXO1iMq3piqGxu2FAc2SQwzx8Zjbsu1S/s/8 I0A8sTf2pHVzpMLj8h99h+fqANbjqD9W/Am4tpXgokV9fUVPon+nPQM8QgY4LWiByol1 rxeiRM6oEiSZoFbd3yw11WfRkrW1uEViRQK5TY/APiulC6fqQcKshsIAJMWaK4flLD2R Vsog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739920673; x=1740525473; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=nolGyY7FaUucKN7S8iQ8H4IDqpOVZJT/2gwczCi4r0I=; b=atv1RwZJaAoazXZ6TubthWk19uLr25x3S7Y8hwEDU6OoRyqjBYLEC1AC7KX+K3QDt+ 9UEj6H6VVPL7jgUSsNkHQLBn1amEIgGFI1phBWKGU5uxYeP+HDVF869Uie0m9zQYaNp9 MDx37kFO3V5iP0EbovtuxQEMs7TImZ/ez7eA5vprK+bHz9NjvJJ64FKG2E6VusY1LWpM lsuBRzKuiAMFDraTxupZPI6XEQEHMnsj7hvCvTmweUf7YvNNoCldN9kVpsLhGEHNqd5Q 8tmZQIxutMFf4lVBIfadBWy+jWZ131oDfFRugQ0m+WZ5b2V2BL1YQGlzGN5QdZT2jU6p 4j0Q== X-Forwarded-Encrypted: i=1; AJvYcCWyA7Pdo2IPUWe+DawUCPCdb5uklAVBjz11nF5fboBhtJ05rt5PKuH9Pyv3hRohPl/F1l0Q/e6x6/phtsw=@vger.kernel.org X-Gm-Message-State: AOJu0YzePA5FmYmIaQkwLyFtsKT/KIt3OEBnzxXgU3TowiOYTBHQOe5M 5B86clSNG343d8PniYGiGicvfNAVkalEI81/vy99sW0d9fasqbSsr+lAv+l8DRI= X-Gm-Gg: ASbGnctB/y4Qst9ofxO/425rZow0jb/pGXsMrebZcFCM8K8I2vPH5p5HPc+YY+PPi3O 18V9fMke65wRWzp5h7XPmNrbz78HG2/P8QaTxrnkSH45Quce+mmBcNy7NwIufyoMcOyzZJBJ2w9 ppvqUrUayidtXeC9DpoXhVH8LVF8lhQDijB+C1HV+pxAqBDs17IGUeaeEAATAMf8NP7cAAVmZlg rzn4IHNDMRey/28eDM3FksVdExMGKhwjbcDpQNSKDgP/X+liUn/JLo2wBmkNbBQ1/DFBEP7T6iw DNid3hSh/7f1FX3ybdHXwVBuMIrRDcPJubIpM3QU0VwpAIk= X-Google-Smtp-Source: AGHT+IG2YgKjTkE825ZXpPLi2hzrtJ0Hq5GJ4kGNJKGqT9TWnzPIa1gRPXWVcRGRa4yjYFON4NsjQw== X-Received: by 2002:a05:6870:2046:b0:2b1:db0e:e22d with SMTP id 586e51a60fabf-2bd0f32bbd2mr1428134fac.0.1739920672901; Tue, 18 Feb 2025 15:17:52 -0800 (PST) Received: from [127.0.1.1] (ip98-183-112-25.ok.ok.cox.net. [98.183.112.25]) by smtp.gmail.com with ESMTPSA id 46e09a7af769-7271f7c5ba8sm1803129a34.32.2025.02.18.15.17.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Feb 2025 15:17:52 -0800 (PST) From: David Lechner Date: Tue, 18 Feb 2025 17:17:45 -0600 Subject: [PATCH 1/2] iio: adc: ad4695: fix out of bounds array access Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250218-iio-adc-ad4695-fix-out-of-bounds-array-access-v1-1-57fef8c7a3fd@baylibre.com> References: <20250218-iio-adc-ad4695-fix-out-of-bounds-array-access-v1-0-57fef8c7a3fd@baylibre.com> In-Reply-To: <20250218-iio-adc-ad4695-fix-out-of-bounds-array-access-v1-0-57fef8c7a3fd@baylibre.com> To: Michael Hennerich , =?utf-8?q?Nuno_S=C3=A1?= , Lars-Peter Clausen , Jonathan Cameron , Trevor Gamblin Cc: Jonathan Cameron , linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, David Lechner X-Mailer: b4 0.14.2 Fix some out of bounds array access of st->channels_cfg in the ad4695 driver. This array only has elements for voltage channels, but it was also being accessed for the temperature channel in a few cases causing reading past the end of the array. In some cases, this was harmless because the value was read but not used. However, the in_temp_sampling_frequency attribute shares code with the in_voltageY_sampling_frequency attributes and was trying to read the oversampling ratio from the st->channels_cfg array. This resulted in a garbage value being used in the calculation and the resulting in_temp_sampling_frequency value was incorrect. To fix, make sure we always check that we are dealing with a voltage channel before accessing the st->channels_cfg array and use an oversampling ratio of 1 for the temperature channel (multiplicative identity value) since that channel doesn't support oversampling. Fixes: 67d63185db79 ("iio: adc: ad4695: add offload-based oversampling supp= ort") Signed-off-by: David Lechner Reviewed-by: Nuno S=C3=A1 Reviewed-by: Trevor Gamblin --- drivers/iio/adc/ad4695.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/drivers/iio/adc/ad4695.c b/drivers/iio/adc/ad4695.c index 3a1a6f96480fd383d32397f4d3c979069111c5c9..8721cbd2af34c53f0cea32e307b= 9ef2da46b0cfb 100644 --- a/drivers/iio/adc/ad4695.c +++ b/drivers/iio/adc/ad4695.c @@ -1035,12 +1035,14 @@ static int ad4695_read_raw(struct iio_dev *indio_de= v, { struct ad4695_state *st =3D iio_priv(indio_dev); const struct iio_scan_type *scan_type; - struct ad4695_channel_config *cfg =3D &st->channels_cfg[chan->scan_index]; - unsigned int osr =3D st->channels_cfg[chan->scan_index].oversampling_rati= o; + struct ad4695_channel_config *cfg; unsigned int reg_val; int ret, tmp; u8 realbits; =20 + if (chan->type =3D=3D IIO_VOLTAGE) + cfg =3D &st->channels_cfg[chan->scan_index]; + scan_type =3D iio_get_current_scan_type(indio_dev, chan); if (IS_ERR(scan_type)) return PTR_ERR(scan_type); @@ -1169,6 +1171,10 @@ static int ad4695_read_raw(struct iio_dev *indio_dev, } case IIO_CHAN_INFO_SAMP_FREQ: { struct pwm_state state; + unsigned int osr =3D 1; + + if (chan->type =3D=3D IIO_VOLTAGE) + osr =3D cfg->oversampling_ratio; =20 ret =3D pwm_get_state_hw(st->cnv_pwm, &state); if (ret) @@ -1261,7 +1267,10 @@ static int ad4695_write_raw(struct iio_dev *indio_de= v, { struct ad4695_state *st =3D iio_priv(indio_dev); unsigned int reg_val; - unsigned int osr =3D st->channels_cfg[chan->scan_index].oversampling_rati= o; + unsigned int osr =3D 1; + + if (chan->type =3D=3D IIO_VOLTAGE) + osr =3D st->channels_cfg[chan->scan_index].oversampling_ratio; =20 iio_device_claim_direct_scoped(return -EBUSY, indio_dev) { switch (mask) { @@ -1361,7 +1370,10 @@ static int ad4695_read_avail(struct iio_dev *indio_d= ev, }, }; struct ad4695_state *st =3D iio_priv(indio_dev); - unsigned int osr =3D st->channels_cfg[chan->scan_index].oversampling_rati= o; + unsigned int osr =3D 1; + + if (chan->type =3D=3D IIO_VOLTAGE) + osr =3D st->channels_cfg[chan->scan_index].oversampling_ratio; =20 switch (mask) { case IIO_CHAN_INFO_CALIBSCALE: @@ -1713,7 +1725,7 @@ static int ad4695_probe_spi_offload(struct iio_dev *i= ndio_dev, =20 for (i =3D 0; i < indio_dev->num_channels; i++) { struct iio_chan_spec *chan =3D &st->iio_chan[i]; - struct ad4695_channel_config *cfg =3D &st->channels_cfg[i]; + struct ad4695_channel_config *cfg; =20 /* * NB: When using offload support, all channels need to have the @@ -1734,6 +1746,8 @@ static int ad4695_probe_spi_offload(struct iio_dev *i= ndio_dev, if (chan->type !=3D IIO_VOLTAGE) continue; =20 + cfg =3D &st->channels_cfg[i]; + chan->info_mask_separate |=3D BIT(IIO_CHAN_INFO_OVERSAMPLING_RATIO); chan->info_mask_separate_available |=3D BIT(IIO_CHAN_INFO_OVERSAMPLING_RATIO); --=20 2.43.0 From nobody Fri Dec 19 06:17:53 2025 Received: from mail-ot1-f53.google.com (mail-ot1-f53.google.com [209.85.210.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 705491D86C7 for ; Tue, 18 Feb 2025 23:17:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1739920678; cv=none; b=MdxnlsxCI1q6WPncWEklqWLnpj5n9QxWBot/hEEjsysTLQf4nCkLUb2xLZIqMudnhSk1QvzmXjVddk0Y1F2HWytZ1uDEv1UZ0ZeZZbGRDMmU8esPngbGfckVaajj/3O1/MAzjVnc83C6k6oGbffiGF/55RhIPvNjQoWM1BvhsnI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1739920678; c=relaxed/simple; bh=Fc/KruNh8T4raL3lKWRskCYx+88ToxfZwIciprkAUJ8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=M5OO2TBkaCvsFIx7FPV6KqGRNCK99f26I1lafyD5fh0ND8cgrBOPjcb0N2S4/mh0yCwPJ/bfiPbr6QtDzlP30+2atd4EwvEqMrQRUqBSo4OJShMQkXThJzqckxyZxu4Nb4lOa+WjswcZFxO/ZxHQy8K1t+28VLBtsXBWRF6Br2k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=baylibre.com; spf=pass smtp.mailfrom=baylibre.com; dkim=pass (2048-bit key) header.d=baylibre-com.20230601.gappssmtp.com header.i=@baylibre-com.20230601.gappssmtp.com header.b=JFQ/ASxS; arc=none smtp.client-ip=209.85.210.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=baylibre.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=baylibre.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=baylibre-com.20230601.gappssmtp.com header.i=@baylibre-com.20230601.gappssmtp.com header.b="JFQ/ASxS" Received: by mail-ot1-f53.google.com with SMTP id 46e09a7af769-7271cc3d73eso1581849a34.1 for ; Tue, 18 Feb 2025 15:17:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=baylibre-com.20230601.gappssmtp.com; s=20230601; t=1739920674; x=1740525474; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=MdXXbz+KViDcJGlSldaRjqAtEQyfETaLwe7gw52hDjk=; b=JFQ/ASxSJSaOxKw9oLjiE9J34OqDlWUILHBtCVof9kDq8sAfdtvuj03phg+YLKzlI3 JRqQtoLQ0KxrI45wYFHHgN2b8esex6kDuD4qmeYqUhGGuS/TvTP//w5IqJGDtxHR+YZA FGii0c0mCP3wdPbPf4o26E3a3MRhi2tJW3vkaQah0E/1mISOH0z2OQWR0UFfK+EnkEEV mxr/1Ja9F2A2HdDBOULoU0YMb9G9kN9rucVzTqU7zHW7gaAM4BLu4NgsGSVbEqDXujWg 4W9cANZyDAZXoI8WDt/nY/OMoQ8eM7+73CQbtoPPnybvH5t/awToH9OZZOXVu2QWqiMU vQjw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739920674; x=1740525474; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=MdXXbz+KViDcJGlSldaRjqAtEQyfETaLwe7gw52hDjk=; b=qrpijnl4J7t86oKYmDSS9+pnSx6I8qAxA9UvjuWif1VvaGcL8B7g6koD4HYADPwmWX 7BchTZ5EW/okPibskUVJ64mLpMKHWvVeEmeVhtCcbuj3ATdOCWbHZG1Pz5xjgGHanRF2 tNj2XppEBRoFtVSpdim6/BLmpoZW87afXHZAN5D5maJgAaWAw1a2J9n0BxLeoHG3bCVj YGq8pTUrG1htZH/qaRVZef+k7kGWKJIZUF9h3vDrbqC20kzCFKp5hL+YIvkE/1aJIfYy gDid+LuZvIRhv3RYxSkox+MwoCKlKYqyT0RIkVvqQWmPNA99XaBVGVjFYKYRN2mjQPlG BCQA== X-Forwarded-Encrypted: i=1; AJvYcCUiMsaKM99WxUYvSD+OT3DCb5z9HYz0kKCoxGtP/0yMiOtA9e7hw3RZFpa2NjYSGAdcWBs2QhEYzIso2k8=@vger.kernel.org X-Gm-Message-State: AOJu0Yx58pc/MZNnzvBZJdOo62uGbXwK1UWcxinpM8tcSENzdZTp49Fa lzW3xC2KOqBQ57+5KpZGmXkrNnkZgqU1/dKm+MFmSCeAdjsbEtfKbv4R1c8d6kk= X-Gm-Gg: ASbGncuu276CqAojyAObggDrxpN2EUNRLWG9QLX680JY1+J6c9zKcaYrx+Kw2DdNwKr pXapex8eZrvuwANyAguVNXbvNE564jv3kXsqEj/DjufkI4YwSza/FjC9tP60WAk29FFplvCd/LX BvnkdkxeT0/OrU+RqnopZGnlcOEhCAGLWFpkxcV1RhKFRQQ6az00LLY4+RHxGChXZQ2q8TRHQpw l2L1eSDHuzII6QtO5Q5FymGwSPxBXTKvDISa4yGeHbQXRCxnZhyOAfZ/oBqguj8j35jHs147hwL 8hR3ilFlk6aPqXNJPsOvCIjKHipWC7DkwgZ2k6TUOayh8eY= X-Google-Smtp-Source: AGHT+IF7oRKpCGN6j69ZLc8G2JNQTQddNop9Dt1GJFV3FyCUOggPoz7eaolskYMdgMWyLlpjj5sgwg== X-Received: by 2002:a05:6830:6684:b0:727:3303:7ea8 with SMTP id 46e09a7af769-72733038088mr2860011a34.25.1739920674577; Tue, 18 Feb 2025 15:17:54 -0800 (PST) Received: from [127.0.1.1] (ip98-183-112-25.ok.ok.cox.net. [98.183.112.25]) by smtp.gmail.com with ESMTPSA id 46e09a7af769-7271f7c5ba8sm1803129a34.32.2025.02.18.15.17.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Feb 2025 15:17:53 -0800 (PST) From: David Lechner Date: Tue, 18 Feb 2025 17:17:46 -0600 Subject: [PATCH 2/2] iio: adc: ad4695: simplify getting oversampling_ratio Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250218-iio-adc-ad4695-fix-out-of-bounds-array-access-v1-2-57fef8c7a3fd@baylibre.com> References: <20250218-iio-adc-ad4695-fix-out-of-bounds-array-access-v1-0-57fef8c7a3fd@baylibre.com> In-Reply-To: <20250218-iio-adc-ad4695-fix-out-of-bounds-array-access-v1-0-57fef8c7a3fd@baylibre.com> To: Michael Hennerich , =?utf-8?q?Nuno_S=C3=A1?= , Lars-Peter Clausen , Jonathan Cameron , Trevor Gamblin Cc: Jonathan Cameron , linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, David Lechner X-Mailer: b4 0.14.2 We already have a local variable that holds a pointer to st->channels_cfg[chan->scan_index]. Use that to simplify the code. Signed-off-by: David Lechner Reviewed-by: Nuno S=C3=A1 Reviewed-by: Trevor Gamblin --- drivers/iio/adc/ad4695.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/adc/ad4695.c b/drivers/iio/adc/ad4695.c index 8721cbd2af34c53f0cea32e307b9ef2da46b0cfb..b38d2b3ccbfca10dfe5b05c3a96= ba00f8838b89c 100644 --- a/drivers/iio/adc/ad4695.c +++ b/drivers/iio/adc/ad4695.c @@ -1164,7 +1164,7 @@ static int ad4695_read_raw(struct iio_dev *indio_dev, case IIO_CHAN_INFO_OVERSAMPLING_RATIO: switch (chan->type) { case IIO_VOLTAGE: - *val =3D st->channels_cfg[chan->scan_index].oversampling_ratio; + *val =3D cfg->oversampling_ratio; return IIO_VAL_INT; default: return -EINVAL; --=20 2.43.0