When device_property_read_string() fails, str is left uninitialized
but the code falls through to strcmp(str, ...), dereferencing a garbage
pointer. Replace manual read/strcmp with
device_property_match_property_string() which reads the property as a
single string value and matches it against an array of known valid
strings, handling the missing property case internally.

Fixes: da35a7b526d9 ("iio: frequency: admv1013: add support for ADMV1013")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
---
Changes in v3:
 - add enum for quad SE mode indices to avoid magic numbers
 - use designated initializers for string arrays
 - replace switch with a lookup table for quad SE register values

 drivers/iio/frequency/admv1013.c | 55 +++++++++++++++++++-------------
 1 file changed, 33 insertions(+), 22 deletions(-)

diff --git a/drivers/iio/frequency/admv1013.c b/drivers/iio/frequency/admv1013.c
index 9202443ef445..afdf06a0de43 100644
--- a/drivers/iio/frequency/admv1013.c
+++ b/drivers/iio/frequency/admv1013.c
@@ -90,6 +90,12 @@ enum {
 	ADMV1013_SE_MODE_DIFF = 12
 };
 
+enum {
+	ADMV1013_QUAD_SE_DIFF,
+	ADMV1013_QUAD_SE_POS,
+	ADMV1013_QUAD_SE_NEG,
+};
+
 struct admv1013_state {
 	struct spi_device	*spi;
 	struct clk		*clkin;
@@ -512,37 +518,42 @@ static void admv1013_powerdown(void *data)
 	admv1013_spi_update_bits(data, ADMV1013_REG_ENABLE, enable_reg_msk, enable_reg);
 }
 
+static const char * const admv1013_input_modes[] = {
+	[ADMV1013_IQ_MODE] = "iq",
+	[ADMV1013_IF_MODE] = "if",
+};
+
+static const char * const admv1013_quad_se_modes[] = {
+	[ADMV1013_QUAD_SE_DIFF] = "diff",
+	[ADMV1013_QUAD_SE_POS] = "se-pos",
+	[ADMV1013_QUAD_SE_NEG] = "se-neg",
+};
+
+static const unsigned int admv1013_quad_se_regvals[] = {
+	[ADMV1013_QUAD_SE_DIFF] = ADMV1013_SE_MODE_DIFF,
+	[ADMV1013_QUAD_SE_POS] = ADMV1013_SE_MODE_POS,
+	[ADMV1013_QUAD_SE_NEG] = ADMV1013_SE_MODE_NEG,
+};
+
 static int admv1013_properties_parse(struct admv1013_state *st)
 {
 	int ret;
-	const char *str;
 	struct device *dev = &st->spi->dev;
 
 	st->det_en = device_property_read_bool(dev, "adi,detector-enable");
 
-	ret = device_property_read_string(dev, "adi,input-mode", &str);
-	if (ret)
-		st->input_mode = ADMV1013_IQ_MODE;
+	ret = device_property_match_property_string(dev, "adi,input-mode",
+						    admv1013_input_modes,
+						    ARRAY_SIZE(admv1013_input_modes));
+	st->input_mode = ret >= 0 ? ret : ADMV1013_IQ_MODE;
 
-	if (!strcmp(str, "iq"))
-		st->input_mode = ADMV1013_IQ_MODE;
-	else if (!strcmp(str, "if"))
-		st->input_mode = ADMV1013_IF_MODE;
-	else
-		return -EINVAL;
+	ret = device_property_match_property_string(dev, "adi,quad-se-mode",
+						    admv1013_quad_se_modes,
+						    ARRAY_SIZE(admv1013_quad_se_modes));
+	if (ret < 0)
+		ret = ADMV1013_QUAD_SE_DIFF;
 
-	ret = device_property_read_string(dev, "adi,quad-se-mode", &str);
-	if (ret)
-		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
-
-	if (!strcmp(str, "diff"))
-		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
-	else if (!strcmp(str, "se-pos"))
-		st->quad_se_mode = ADMV1013_SE_MODE_POS;
-	else if (!strcmp(str, "se-neg"))
-		st->quad_se_mode = ADMV1013_SE_MODE_NEG;
-	else
-		return -EINVAL;
+	st->quad_se_mode = admv1013_quad_se_regvals[ret];
 
 	ret = devm_regulator_bulk_get_enable(dev,
 					     ARRAY_SIZE(admv1013_vcc_regs),
-- 
2.43.0

On Wed, Mar 04, 2026 at 11:58:18AM +0200, Antoniu Miclaus wrote:
> When device_property_read_string() fails, str is left uninitialized
> but the code falls through to strcmp(str, ...), dereferencing a garbage
> pointer. Replace manual read/strcmp with
> device_property_match_property_string() which reads the property as a
> single string value and matches it against an array of known valid
> strings, handling the missing property case internally.

Same comment applies as per v2.

TL;DR: We may reuse the original enum. See there how.

-- 
With Best Regards,
Andy Shevchenko

On Wed, 2026-03-04 at 11:58 +0200, Antoniu Miclaus wrote:
> When device_property_read_string() fails, str is left uninitialized
> but the code falls through to strcmp(str, ...), dereferencing a garbage
> pointer. Replace manual read/strcmp with
> device_property_match_property_string() which reads the property as a
> single string value and matches it against an array of known valid
> strings, handling the missing property case internally.
> 
> Fixes: da35a7b526d9 ("iio: frequency: admv1013: add support for ADMV1013")
> Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
> ---

One nit below but no need to re-spin just for that:

Reviewed-by: Nuno Sá <nuno.sa@analog.com>

> Changes in v3:
>  - add enum for quad SE mode indices to avoid magic numbers
>  - use designated initializers for string arrays
>  - replace switch with a lookup table for quad SE register values
> 
>  drivers/iio/frequency/admv1013.c | 55 +++++++++++++++++++-------------
>  1 file changed, 33 insertions(+), 22 deletions(-)
> 
> diff --git a/drivers/iio/frequency/admv1013.c b/drivers/iio/frequency/admv1013.c
> index 9202443ef445..afdf06a0de43 100644
> --- a/drivers/iio/frequency/admv1013.c
> +++ b/drivers/iio/frequency/admv1013.c
> @@ -90,6 +90,12 @@ enum {
>  	ADMV1013_SE_MODE_DIFF = 12
>  };
>  
> +enum {
> +	ADMV1013_QUAD_SE_DIFF,
> +	ADMV1013_QUAD_SE_POS,
> +	ADMV1013_QUAD_SE_NEG,
> +};
> +
>  struct admv1013_state {
>  	struct spi_device	*spi;
>  	struct clk		*clkin;
> @@ -512,37 +518,42 @@ static void admv1013_powerdown(void *data)
>  	admv1013_spi_update_bits(data, ADMV1013_REG_ENABLE, enable_reg_msk, enable_reg);
>  }
>  
> +static const char * const admv1013_input_modes[] = {
> +	[ADMV1013_IQ_MODE] = "iq",
> +	[ADMV1013_IF_MODE] = "if",
> +};
> +
> +static const char * const admv1013_quad_se_modes[] = {
> +	[ADMV1013_QUAD_SE_DIFF] = "diff",
> +	[ADMV1013_QUAD_SE_POS] = "se-pos",
> +	[ADMV1013_QUAD_SE_NEG] = "se-neg",
> +};
> +
> +static const unsigned int admv1013_quad_se_regvals[] = {
> +	[ADMV1013_QUAD_SE_DIFF] = ADMV1013_SE_MODE_DIFF,
> +	[ADMV1013_QUAD_SE_POS] = ADMV1013_SE_MODE_POS,
> +	[ADMV1013_QUAD_SE_NEG] = ADMV1013_SE_MODE_NEG,
> +};
> +
>  static int admv1013_properties_parse(struct admv1013_state *st)
>  {
>  	int ret;
> -	const char *str;
>  	struct device *dev = &st->spi->dev;
>  
>  	st->det_en = device_property_read_bool(dev, "adi,detector-enable");
>  
> -	ret = device_property_read_string(dev, "adi,input-mode", &str);
> -	if (ret)
> -		st->input_mode = ADMV1013_IQ_MODE;
> +	ret = device_property_match_property_string(dev, "adi,input-mode",
> +						    admv1013_input_modes,
> +						    ARRAY_SIZE(admv1013_input_modes));
> +	st->input_mode = ret >= 0 ? ret : ADMV1013_IQ_MODE;
>  
> -	if (!strcmp(str, "iq"))
> -		st->input_mode = ADMV1013_IQ_MODE;
> -	else if (!strcmp(str, "if"))
> -		st->input_mode = ADMV1013_IF_MODE;
> -	else
> -		return -EINVAL;
> +	ret = device_property_match_property_string(dev, "adi,quad-se-mode",
> +						    admv1013_quad_se_modes,
> +						    ARRAY_SIZE(admv1013_quad_se_modes));
> +	if (ret < 0)
> +		ret = ADMV1013_QUAD_SE_DIFF;
>  
> -	ret = device_property_read_string(dev, "adi,quad-se-mode", &str);
> -	if (ret)
> -		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
> -
> -	if (!strcmp(str, "diff"))
> -		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
> -	else if (!strcmp(str, "se-pos"))
> -		st->quad_se_mode = ADMV1013_SE_MODE_POS;
> -	else if (!strcmp(str, "se-neg"))
> -		st->quad_se_mode = ADMV1013_SE_MODE_NEG;
> -	else
> -		return -EINVAL;
> +	st->quad_se_mode = admv1013_quad_se_regvals[ret];

You could have kept the same style:

st->quad_se_mode = ret >= 0 ? admv1013_quad_se_regvals[ret] : ADMV1013_SE_MODE_DIFF;

yes, more that 80 col but maybe one of those justifiable cases :)

- Nuno Sá