From nobody Sun May 24 21:40:17 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F38CE395D8F; Thu, 21 May 2026 10:30:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779359451; cv=none; b=IVqpgLIuLL7VBTbxX2Y892XtR6zteGQmkKaGWOnCVto1yaE4hiJgl/sEEEmrGxByFGU+1oUPFPlGqsbib6/p4Yp3B1EH0bto6i7IVkcZr6Jk4/ZUMlg4j9NyNBDWdZsjHDvK1WVKa1Cw8KSql7V+xCBCNG2u9+pYDLVU2wezXX0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779359451; c=relaxed/simple; bh=l0gn/ceJGXl3sz4iPhyZRlM/OumNDIWS6BfiwpkaCzY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=eLdHbtrgJte83eMbJ9EhJhZYmq4ZevVG1R+zCMRyVavEQXLdxPDRBC8SAVVc8xu3jka/yJm2EHWmeWA2XsYpecCU6vGzx9e3TVqnY7dt++IZCuHfC2Gy9Ki7pNWEZ6TptfAHQ6KkTXWm6G7L5VecoKEcU92hFEklQ+gD3tIltm4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=A6KgrgTj; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="A6KgrgTj" Received: by smtp.kernel.org (Postfix) with ESMTPS id A4209C2BCB4; Thu, 21 May 2026 10:30:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1779359450; bh=l0gn/ceJGXl3sz4iPhyZRlM/OumNDIWS6BfiwpkaCzY=; h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From; b=A6KgrgTjgYaaD+NJHBynyHesoJNEyMpj+5AmNLtXuAbwo0VkvRxmQ7SFLwL2x2DGO CYp8qPk1cvjloxvv5sLYZ80XbxPkmVwB3f2/jSoFmV87oI12cpjiaRRSB2mQd07HIw 7V9x3KWZ41nKeB+QAx1bmh2nIQ0KPBeNdduSHThr3/Z1PO7S94H1Gz2UlWbyg+G7lj lA8fG2ElNs4qcf2oOCyBjk2gDqSe3fH4OzhSe4KqKp62p8f+1DbDBdHEyTyjgXjZ4T dVur0EuXFjvdnZdGvWO0abSPYKCfgijuR+jEIczSPvATG/ariQ3x2M6TcuUpl0Q/al HMjiDmDMrTwhQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C30FCD5BAC; Thu, 21 May 2026 10:30:50 +0000 (UTC) From: Radu Sabau via B4 Relay Date: Thu, 21 May 2026 13:30:48 +0300 Subject: [PATCH v4 1/2] iio: adc: ad_sigma_delta: fix CS held asserted and state leaks Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260521-ad_sigma_delta-fix-v4-1-bfb3df3e36da@analog.com> References: <20260521-ad_sigma_delta-fix-v4-0-bfb3df3e36da@analog.com> In-Reply-To: <20260521-ad_sigma_delta-fix-v4-0-bfb3df3e36da@analog.com> To: Lars-Peter Clausen , Michael Hennerich , Jonathan Cameron , David Lechner , =?utf-8?q?Nuno_S=C3=A1?= , Andy Shevchenko , =?utf-8?q?Uwe_Kleine-K=C3=B6nig?= Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, Radu Sabau , Jonathan Cameron X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1779359449; l=2544; i=radu.sabau@analog.com; s=20260220; h=from:subject:message-id; bh=QFWfNaET8rJJ77RhwFpRfRVxthjDFfu19nJZEMUWpQ4=; b=LbSgvFA5wi7yTz1cyNQQIBbu6CA3C8DB/HcLdsoECrwV956nTN2jxnEoLRb2m6eDe6QBt7VeU 58tw8gz6dyOBUzAp75fuFKgaePtkhrj/Momq6ovnLtSEJzs8y/mUJVF X-Developer-Key: i=radu.sabau@analog.com; a=ed25519; pk=lDPQHgn9jTdt0vo58Na9lLxLaE2mb330if71Cn+EvFU= X-Endpoint-Received: by B4 Relay for radu.sabau@analog.com/20260220 with auth_id=642 X-Original-From: Radu Sabau Reply-To: radu.sabau@analog.com From: Radu Sabau In ad_sigma_delta_single_conversion(), set_mode(AD_SD_MODE_IDLE) and disable_one() were called from the out: block while keep_cs_asserted was still true. This caused any SPI transfer issued by those callbacks to carry cs_change=3D1, leaving CS permanently asserted after the conversion. Fix by moving both calls into the out_unlock: block, after keep_cs_asserted is cleared, matching the pattern already used in ad_sd_calibrate(). In the error path of ad_sd_buffer_postenable(), if an operation fails after set_mode(AD_SD_MODE_CONTINUOUS) has already succeeded (e.g. spi_offload_trigger_enable()), the device is left in continuous conversion mode with CS physically asserted. Additionally, bus_locked remaining true after spi_bus_unlock() causes subsequent SPI operations to call spi_sync_locked() without the bus lock actually held, allowing concurrent SPI access. Fix the error path by clearing keep_cs_asserted first, then calling set_mode(AD_SD_MODE_IDLE) to revert the device mode and deassert CS, then clearing bus_locked before releasing the bus. For devices that implement neither set_mode nor disable_one (such as MAX11205, which has no physical CS pin), no SPI transfer is issued during cleanup and the cs_change flag has no effect on any physical line. Signed-off-by: Radu Sabau --- drivers/iio/adc/ad_sigma_delta.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_de= lta.c index a955556f9ec8..651ade67ad2e 100644 --- a/drivers/iio/adc/ad_sigma_delta.c +++ b/drivers/iio/adc/ad_sigma_delta.c @@ -441,11 +441,10 @@ int ad_sigma_delta_single_conversion(struct iio_dev *= indio_dev, out: ad_sd_disable_irq(sigma_delta); =20 - ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); - ad_sigma_delta_disable_one(sigma_delta, chan->address); - out_unlock: sigma_delta->keep_cs_asserted =3D false; + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + ad_sigma_delta_disable_one(sigma_delta, chan->address); sigma_delta->bus_locked =3D false; spi_bus_unlock(sigma_delta->spi->controller); out_release: @@ -578,6 +577,9 @@ static int ad_sd_buffer_postenable(struct iio_dev *indi= o_dev) return 0; =20 err_unlock: + sigma_delta->keep_cs_asserted =3D false; + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + sigma_delta->bus_locked =3D false; spi_bus_unlock(sigma_delta->spi->controller); spi_unoptimize_message(&sigma_delta->sample_msg); =20 --=20 2.43.0 From nobody Sun May 24 21:40:17 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F37A0384CEC; Thu, 21 May 2026 10:30:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779359451; cv=none; b=iEiQiWyqoDbbFf6u/h/NgPURFC8g5ng4+Ef6Sf0F+I/IctgBQky/PxQheQUUv0gysUn68lBccNmZN1HTL4Gx5mU4twpwGKQZvVx6oScjeJed2ay1IxHfYBmK2qWI+HYjp5N6B0Kicj+f+A+XOkOItMQfGDKxhVDqjCcZuBJztVg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779359451; c=relaxed/simple; bh=WeqN+OvVQLhFI36aCifsXRnz9voVflvhKf787rdOVCE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=UgTNIy9v3rJ8oPzQ4nOjkwme7IGQRAmgu3xzn+Lr+60t5D2WS/8ZuThfVE5avg76hHDY/Un1m3JPjGdeHw0SEfkl1q5SEGbCYkGWl5hJzarwLIMKLDzBEpcRdgOMYKZJMr3hvRcqJw1yvznkP200otwgVRGo3bN+B5nqVgXDD10= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=gesz8rDS; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="gesz8rDS" Received: by smtp.kernel.org (Postfix) with ESMTPS id AC30CC2BCB9; Thu, 21 May 2026 10:30:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1779359450; bh=WeqN+OvVQLhFI36aCifsXRnz9voVflvhKf787rdOVCE=; h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From; b=gesz8rDSGK1t4MRT9R74CluVw8Y456S+/BXCSaJNHdzYlzDhlu3GzfE4EfS9qdLi9 evsU3+wtTz+W98IZCwcVDwyguHbQFbU9Nynsx6Qx/4bMTKZ4lCttBw3rCX2CjQ0vSx j0PQ2JooyulAUZjCZCsLZ5MgqlosuuXlEQWq0I9jEo0tdN6wrHy9Wz0lGFIUGz8zg8 3koM8Qh08whsYQVVP/buUtoyv/2Fi2VB40dUt1XH4sdJjPwM28P6RkihOkYRXt2aoF sF2gLXURz0e+bBF3Pf0KlMZ7aerlRlJE7G/osJhgBp52S5KAgJcP0g0yzMvd+og386 bQ/JOxWC3E/Kg== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D1B8CD5BB1; Thu, 21 May 2026 10:30:50 +0000 (UTC) From: Radu Sabau via B4 Relay Date: Thu, 21 May 2026 13:30:49 +0300 Subject: [PATCH v4 2/2] iio: adc: ad_sigma_delta: fix clear_pending_event for registerless devices Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260521-ad_sigma_delta-fix-v4-2-bfb3df3e36da@analog.com> References: <20260521-ad_sigma_delta-fix-v4-0-bfb3df3e36da@analog.com> In-Reply-To: <20260521-ad_sigma_delta-fix-v4-0-bfb3df3e36da@analog.com> To: Lars-Peter Clausen , Michael Hennerich , Jonathan Cameron , David Lechner , =?utf-8?q?Nuno_S=C3=A1?= , Andy Shevchenko , =?utf-8?q?Uwe_Kleine-K=C3=B6nig?= Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, Radu Sabau , Jonathan Cameron X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1779359449; l=3777; i=radu.sabau@analog.com; s=20260220; h=from:subject:message-id; bh=YJn4ucDjfXYyLL0W25JZU0TDf0qEIYyxu+YF9hUqSaI=; b=PK2Ju6vFK6InwZgcxzt5N01tN1viC8aI+GX3Ziwix31s+NLl88AWPFNqTu3FTU1pwxMs3PIJP WTk33z8R249CwWuAmXDJrR2gDeyAfbcYAweGCQ2Tx1gEgh+s6N9GDEd X-Developer-Key: i=radu.sabau@analog.com; a=ed25519; pk=lDPQHgn9jTdt0vo58Na9lLxLaE2mb330if71Cn+EvFU= X-Endpoint-Received: by B4 Relay for radu.sabau@analog.com/20260220 with auth_id=642 X-Original-From: Radu Sabau Reply-To: radu.sabau@analog.com From: Radu Sabau ad_sigma_delta_clear_pending_event() falls through to the status register read path for devices with has_registers =3D false and no rdy_gpiod. For such devices, ad_sd_read_reg() skips the address byte entirely and clocks raw MISO bytes with no address phase =E2=80=94 making it byte-for-byte iden= tical to reading conversion data. If a pending conversion result is present, this partially consumes it and corrupts the data stream for the subsequent ad_sd_read_reg() call in ad_sigma_delta_single_conversion(). Furthermore, with num_resetclks =3D 0 on these devices, data_read_len evaluates to 0. If the clocked byte has bit 7 clear, pending_event is set and the code attempts memset(data + 2, 0xff, 0 - 1), overflowing to SIZE_MAX and corrupting the heap. Fix by returning 0 immediately when neither rdy_gpiod nor has_registers is set. This is safe because the IRQ is requested with IRQF_NO_AUTOEN and IRQ_DISABLE_UNLAZY, which keeps the hardware IRQ line unmasked even while software-disabled. Any falling edge from a completed conversion is latched by the IRQ controller. When ad_sd_enable_irq() is subsequently called the latched edge fires immediately, and the existing ad_sd_read_reg() call in ad_sigma_delta_single_conversion() reads the complete stale result from the beginning with no prior partial clock corruption. The same heap corruption is reachable on any device with rdy_gpiod set but num_resetclks =3D 0: if the GPIO indicates a pending event, the drain path executes memset(data + 2, 0xff, 0 - 1) regardless of has_registers. Add an explicit data_read_len =3D=3D 0 guard after the pending event check = to cover this path. Signed-off-by: Radu Sabau --- drivers/iio/adc/ad_sigma_delta.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_de= lta.c index 651ade67ad2e..d4ded8d6b211 100644 --- a/drivers/iio/adc/ad_sigma_delta.c +++ b/drivers/iio/adc/ad_sigma_delta.c @@ -262,11 +262,16 @@ static int ad_sigma_delta_clear_pending_event(struct = ad_sigma_delta *sigma_delta =20 /* * Read R=CC=85D=CC=85Y=CC=85 pin (if possible) or status register to che= ck if there is an - * old event. + * old event. For devices with neither an RDY GPIO nor registers, + * ad_sd_read_reg() transmits no address byte and clocks raw MISO bytes, + * which is indistinguishable from reading conversion data and would + * partially consume a pending result. Skip the check for such devices; + * IRQ_DISABLE_UNLAZY ensures any pending falling edge is latched and + * fires naturally on the next ad_sd_enable_irq() call. */ if (sigma_delta->rdy_gpiod) { pending_event =3D gpiod_get_value(sigma_delta->rdy_gpiod); - } else { + } else if (sigma_delta->info->has_registers) { unsigned int status_reg; =20 ret =3D ad_sd_read_reg(sigma_delta, AD_SD_REG_STATUS, 1, &status_reg); @@ -274,11 +279,23 @@ static int ad_sigma_delta_clear_pending_event(struct = ad_sigma_delta *sigma_delta return ret; =20 pending_event =3D !(status_reg & AD_SD_REG_STATUS_RDY); + } else { + return 0; } =20 if (!pending_event) return 0; =20 + /* + * With num_resetclks =3D 0, data_read_len is 0 and the drain sequence + * below would compute memset(data + 2, 0xff, 0 - 1), underflowing to + * SIZE_MAX and corrupting the heap. There is no safe way to drain the + * stale result without knowing the data register size, so return 0 and + * let the latched IRQ edge fire on the next ad_sd_enable_irq() call. + */ + if (!data_read_len) + return 0; + /* * In general the size of the data register is unknown. It varies from * device to device, might be one byte longer if CONTROL.DATA_STATUS is --=20 2.43.0