1. Patchew
  2. linux
  3. View series

[PATCH] iio: adc: ad7768-1: Fix ERR_PTR dereference in ad7768_fill_scale_tbl

Ethan Tidmore posted 1 patch 1 month, 2 weeks ago
There is a newer version of this series
drivers/iio/adc/ad7768-1.c | 5 +++++
1 file changed, 5 insertions(+)
[PATCH] iio: adc: ad7768-1: Fix ERR_PTR dereference in ad7768_fill_scale_tbl
Posted by Ethan Tidmore 1 month, 2 weeks ago 
The function iio_get_current_scan_type() can return ERR_PTR, the return
value scan_type is not checked for this and immediately dereferenced
which can cause a kernel panic.

Add check for IS_ERR() and return early to avoid crash.

Fixes: ff085189cb17 ("iio: adc: ad7768-1: add support for ADAQ776x-1 ADC Family")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
---
 drivers/iio/adc/ad7768-1.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
index fcd8aea7152e..f45a09e39367 100644
--- a/drivers/iio/adc/ad7768-1.c
+++ b/drivers/iio/adc/ad7768-1.c
@@ -541,6 +541,11 @@ static void ad7768_fill_scale_tbl(struct iio_dev *dev)
 	u64 tmp2;
 
 	scan_type = iio_get_current_scan_type(dev, &dev->channels[0]);
+	if (IS_ERR(scan_type)) {
+		dev_err(&st->spi->dev, "Failed to get scan type.\n");
+		return;
+	}
+
 	if (scan_type->sign == 's')
 		val2 = scan_type->realbits - 1;
 	else
-- 
2.53.0
Re: [PATCH] iio: adc: ad7768-1: Fix ERR_PTR dereference in ad7768_fill_scale_tbl
Posted by Nuno Sá 1 month, 2 weeks ago 
On Thu, 2026-02-12 at 21:12 -0600, Ethan Tidmore wrote:
> The function iio_get_current_scan_type() can return ERR_PTR, the return
> value scan_type is not checked for this and immediately dereferenced
> which can cause a kernel panic.
> 
> Add check for IS_ERR() and return early to avoid crash.
> 
> Fixes: ff085189cb17 ("iio: adc: ad7768-1: add support for ADAQ776x-1 ADC Family")
> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
> ---
>  drivers/iio/adc/ad7768-1.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
> index fcd8aea7152e..f45a09e39367 100644
> --- a/drivers/iio/adc/ad7768-1.c
> +++ b/drivers/iio/adc/ad7768-1.c
> @@ -541,6 +541,11 @@ static void ad7768_fill_scale_tbl(struct iio_dev *dev)
>  	u64 tmp2;
>  
>  	scan_type = iio_get_current_scan_type(dev, &dev->channels[0]);
> +	if (IS_ERR(scan_type)) {
> +		dev_err(&st->spi->dev, "Failed to get scan type.\n");
> +		return;
> +	}
> +

With the above, it could make sense to change the function to propagate the error back...

- Nuno Sá

>  	if (scan_type->sign == 's')
>  		val2 = scan_type->realbits - 1;
>  	else
Re: [PATCH] iio: adc: ad7768-1: Fix ERR_PTR dereference in ad7768_fill_scale_tbl
Posted by Andy Shevchenko 1 month, 2 weeks ago 
On Thu, Feb 12, 2026 at 09:12:07PM -0600, Ethan Tidmore wrote:
> The function iio_get_current_scan_type() can return ERR_PTR, the return

ERR_PTR --> error pointer

> value scan_type is not checked for this and immediately dereferenced
> which can cause a kernel panic.
> 
> Add check for IS_ERR() and return early to avoid crash.

Also check lore.kernel.org archive, I believe there were reports from CI and
bots on this issue already (hence might need Reported-by & Closed-by tags).

-- 
With Best Regards,
Andy Shevchenko

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.