From nobody Mon Jun 8 18:58:40 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4C8FE3ED5A8; Wed, 27 May 2026 09:38:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779874721; cv=none; b=SZ+7zxDc7LQfufNHKmkoE5NKlxz19WmTHWIyowFYjMXqcn1jRYflR/PURnGJvMBG/aiNvm5NMhEfzsOEH7u5uE9VK0Te0cNZbOhtrs621I78vgvOpCfqCP1gBbJ8eNjLmrss6PAzRaZ3QKDS9trjJ8YDzFJstIZCYSpobkCCNSM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779874721; c=relaxed/simple; bh=l0gn/ceJGXl3sz4iPhyZRlM/OumNDIWS6BfiwpkaCzY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=nt2aeuh0P3nSgHmUHHu802dec8+mtbHuAqevKr33lUH/j9De2sN5hFoXAC/m89pzLYHjqUGG8kXOppI7Iw5jkTokBdYp7PRbP/6vlG7tOWyLN5dnCZPADVuN0dMkmx2yI7DY7c6z40GIt4d22UsOR8KaPUA/o8O+/nnOdHRFVqo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=JXwsRLYd; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="JXwsRLYd" Received: by smtp.kernel.org (Postfix) with ESMTPS id 2BE13C2BCB3; Wed, 27 May 2026 09:38:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1779874720; bh=l0gn/ceJGXl3sz4iPhyZRlM/OumNDIWS6BfiwpkaCzY=; h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From; b=JXwsRLYdmRom5m6CnJyvKl+0HPlemM8iFlNHTrBUxtPgObsqT70ONlofgWdtV9aJY MjByQ0l5ZumkaTrUGj4Jv6szHJnVP3EQAtpxK03bpOHu4QGIvNgoqMJDfpWKvut2Hs 8NqLIygggAca1ogGqHGBvbUyl+gb/nZMuu0IX2805q2oLHv3bqn90qFP566q1YNDDZ lCI5XYtNuhGocvr6SyGv7U42Bhx+eTyl/NKk81bCQmqUxotPmtBdAQpWfRqJznm4Ib AEnLpWBQeT7UFeEPQ+UrZpg0S/lqRUruC+uhbzbg6a3FOc8/xm0P2FPMed22qB+0JW pVZHVPJ/j0XYw== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1644ECD4F54; Wed, 27 May 2026 09:38:40 +0000 (UTC) From: Radu Sabau via B4 Relay Date: Wed, 27 May 2026 12:38:38 +0300 Subject: [PATCH v5 1/2] iio: adc: ad_sigma_delta: fix CS held asserted and state leaks Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260527-ad_sigma_delta-fix-v5-1-446fd2bc7330@analog.com> References: <20260527-ad_sigma_delta-fix-v5-0-446fd2bc7330@analog.com> In-Reply-To: <20260527-ad_sigma_delta-fix-v5-0-446fd2bc7330@analog.com> To: Lars-Peter Clausen , Michael Hennerich , Jonathan Cameron , David Lechner , =?utf-8?q?Nuno_S=C3=A1?= , Andy Shevchenko , =?utf-8?q?Uwe_Kleine-K=C3=B6nig?= Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, Radu Sabau , Jonathan Cameron X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1779874718; l=2544; i=radu.sabau@analog.com; s=20260220; h=from:subject:message-id; bh=QFWfNaET8rJJ77RhwFpRfRVxthjDFfu19nJZEMUWpQ4=; b=9mvEoYkkSx7dx7qeYU0zgbemxfaNTLszCpOqUl+1gjIAynb64WmEy7Q37XKjQkBsTl2NU/1yV db//UcghU3CDfp+ebrVGGIVsbrLrpJrhIK0rIVoIS/OybUVKy2uXOcc X-Developer-Key: i=radu.sabau@analog.com; a=ed25519; pk=lDPQHgn9jTdt0vo58Na9lLxLaE2mb330if71Cn+EvFU= X-Endpoint-Received: by B4 Relay for radu.sabau@analog.com/20260220 with auth_id=642 X-Original-From: Radu Sabau Reply-To: radu.sabau@analog.com From: Radu Sabau In ad_sigma_delta_single_conversion(), set_mode(AD_SD_MODE_IDLE) and disable_one() were called from the out: block while keep_cs_asserted was still true. This caused any SPI transfer issued by those callbacks to carry cs_change=3D1, leaving CS permanently asserted after the conversion. Fix by moving both calls into the out_unlock: block, after keep_cs_asserted is cleared, matching the pattern already used in ad_sd_calibrate(). In the error path of ad_sd_buffer_postenable(), if an operation fails after set_mode(AD_SD_MODE_CONTINUOUS) has already succeeded (e.g. spi_offload_trigger_enable()), the device is left in continuous conversion mode with CS physically asserted. Additionally, bus_locked remaining true after spi_bus_unlock() causes subsequent SPI operations to call spi_sync_locked() without the bus lock actually held, allowing concurrent SPI access. Fix the error path by clearing keep_cs_asserted first, then calling set_mode(AD_SD_MODE_IDLE) to revert the device mode and deassert CS, then clearing bus_locked before releasing the bus. For devices that implement neither set_mode nor disable_one (such as MAX11205, which has no physical CS pin), no SPI transfer is issued during cleanup and the cs_change flag has no effect on any physical line. Signed-off-by: Radu Sabau --- drivers/iio/adc/ad_sigma_delta.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_de= lta.c index a955556f9ec8..651ade67ad2e 100644 --- a/drivers/iio/adc/ad_sigma_delta.c +++ b/drivers/iio/adc/ad_sigma_delta.c @@ -441,11 +441,10 @@ int ad_sigma_delta_single_conversion(struct iio_dev *= indio_dev, out: ad_sd_disable_irq(sigma_delta); =20 - ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); - ad_sigma_delta_disable_one(sigma_delta, chan->address); - out_unlock: sigma_delta->keep_cs_asserted =3D false; + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + ad_sigma_delta_disable_one(sigma_delta, chan->address); sigma_delta->bus_locked =3D false; spi_bus_unlock(sigma_delta->spi->controller); out_release: @@ -578,6 +577,9 @@ static int ad_sd_buffer_postenable(struct iio_dev *indi= o_dev) return 0; =20 err_unlock: + sigma_delta->keep_cs_asserted =3D false; + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + sigma_delta->bus_locked =3D false; spi_bus_unlock(sigma_delta->spi->controller); spi_unoptimize_message(&sigma_delta->sample_msg); =20 --=20 2.43.0 From nobody Mon Jun 8 18:58:40 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4A96C3ED131; Wed, 27 May 2026 09:38:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779874721; cv=none; b=cpX0bz/GZw6/2bDliTHMsxMDjsY0FX/T6CBmJedBNfoV6EkEugYIsT9CAYPgD7lb6Nc68QPXaRqDoq4sFQzVriflPspUdyYhuz1+551Nfd8kPgnf2sC45gN0rcp7sTkzKXoTaZ50AZ9ee6QF+NkBHXulHeCy7dOfwlcTA6DEZ3A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779874721; c=relaxed/simple; bh=yLkFIpkEZekynvHfZCDaP+WVorUp5oz7eqoNrVfSQ7U=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Z+wQCAJo5yVyyApCcWO+a4cprZ5o0SOwlhU8j60B4NsxoJ0y6ZsmHP5ipmQUQ2uWrfRi4NBGHrmXfSH9fcyAcmXXFFL0WAJkEqreGq3s5GoubRLSW0QLqVVUfUQN3++6AIDXqTQfUxEh6OrWWySPN3gMh1KDckPhCa1S2ON5Kw0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=NCX4KIB3; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="NCX4KIB3" Received: by smtp.kernel.org (Postfix) with ESMTPS id 39BEDC2BCC9; Wed, 27 May 2026 09:38:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1779874720; bh=yLkFIpkEZekynvHfZCDaP+WVorUp5oz7eqoNrVfSQ7U=; h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From; b=NCX4KIB3ylSRNzBbxKEzlcG/Q5TnrYt7GcibfZx+hEzQOuhYlRF5tzIjRh6LFFcCQ tmXwhzmCOjVl+EzNgOv66FpdE4dUwCc2g57eq6BkM0UF0+IBJE1d28rdAikAMnGVGc e8A0gnBwqg44d5tQY9ytMNPI015IQi8yPNjsMNjQFyOAl2+dFDn/UibElA5Tiv7ugG lhvRpF2/LySRZh7wCs7r0f5h/R2l0l9SZNbQS8+NBfjNNQv0wL+hsrSvZNAsrs2OKz W2V/m1sk8g3Z42lAw0s1/RaWq7dyriA2MY5XmTii2Fy5UY9x65Z85fyeFFC0VTIYJk rk1jNFIHM+sKA== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2422CCD6E43; Wed, 27 May 2026 09:38:40 +0000 (UTC) From: Radu Sabau via B4 Relay Date: Wed, 27 May 2026 12:38:39 +0300 Subject: [PATCH v5 2/2] iio: adc: ad_sigma_delta: fix clear_pending_event for registerless devices Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260527-ad_sigma_delta-fix-v5-2-446fd2bc7330@analog.com> References: <20260527-ad_sigma_delta-fix-v5-0-446fd2bc7330@analog.com> In-Reply-To: <20260527-ad_sigma_delta-fix-v5-0-446fd2bc7330@analog.com> To: Lars-Peter Clausen , Michael Hennerich , Jonathan Cameron , David Lechner , =?utf-8?q?Nuno_S=C3=A1?= , Andy Shevchenko , =?utf-8?q?Uwe_Kleine-K=C3=B6nig?= Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, Radu Sabau , Jonathan Cameron X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1779874718; l=4448; i=radu.sabau@analog.com; s=20260220; h=from:subject:message-id; bh=OrjGnfGoe7J/W0wIwReDwTRbQHqbgERYs5TdNgBva0I=; b=8wv6agogPPlo8Hyo3lva5OyRjQrXmrDYHjm/628xzNIZ+GoERQg2pe0r+s57VIp2cC6m426n1 QJ65PaUTfBVBMLdK3unJzcMRVqcQr/x+K87RyJiRs9k6gmttW9PZkjA X-Developer-Key: i=radu.sabau@analog.com; a=ed25519; pk=lDPQHgn9jTdt0vo58Na9lLxLaE2mb330if71Cn+EvFU= X-Endpoint-Received: by B4 Relay for radu.sabau@analog.com/20260220 with auth_id=642 X-Original-From: Radu Sabau Reply-To: radu.sabau@analog.com From: Radu Sabau ad_sigma_delta_clear_pending_event() falls through to the status register read path for devices with has_registers =3D false and no rdy_gpiod. For such devices, ad_sd_read_reg() skips the address byte entirely and clocks raw MISO bytes with no address phase =E2=80=94 making it byte-for-byte iden= tical to reading conversion data. If a pending conversion result is present, this partially consumes it and corrupts the data stream for the subsequent ad_sd_read_reg() call in ad_sigma_delta_single_conversion(). Furthermore, with num_resetclks =3D 0 on these devices, data_read_len evaluates to 0. If the clocked byte has bit 7 clear, pending_event is set and the code attempts memset(data + 2, 0xff, 0 - 1), overflowing to SIZE_MAX and corrupting the heap. Fix by returning 0 immediately when neither rdy_gpiod nor has_registers is set. This is safe for all current registerless devices: ad7191 and ad7780 (with powerdown GPIO) are reset between conversions by CS deassertion, so there is no stale result to drain; ad7780 (without powerdown GPIO) and max11205 are continuously-converting and cycle ~DRDY at the output data rate regardless of whether the previous result was read, so the next falling edge fires naturally. A future registerless device that holds ~DRDY asserted until data is read would be broken by this early return and would require either num_resetclks set or a rdy-gpio. The same heap corruption is reachable on any device with rdy_gpiod set but num_resetclks =3D 0: if the GPIO indicates a pending event, the drain path executes memset(data + 2, 0xff, 0 - 1) regardless of has_registers. Add an explicit data_read_len =3D=3D 0 guard after the pending event check; the stale result is then consumed by the first ad_sd_read_reg() call in ad_sigma_delta_single_conversion(). Signed-off-by: Radu Sabau --- drivers/iio/adc/ad_sigma_delta.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_de= lta.c index 651ade67ad2e..1b410291da53 100644 --- a/drivers/iio/adc/ad_sigma_delta.c +++ b/drivers/iio/adc/ad_sigma_delta.c @@ -262,11 +262,25 @@ static int ad_sigma_delta_clear_pending_event(struct = ad_sigma_delta *sigma_delta =20 /* * Read R=CC=85D=CC=85Y=CC=85 pin (if possible) or status register to che= ck if there is an - * old event. + * old event. For devices with neither an RDY GPIO nor registers, + * ad_sd_read_reg() transmits no address byte and clocks raw MISO bytes, + * which is indistinguishable from reading conversion data and would + * partially consume a pending result. Skip the check for such devices. + * + * This is safe for all current registerless devices: ad7191 and ad7780 + * (with powerdown GPIO) are reset between conversions by CS deassertion, + * so there is no stale result to drain; ad7780 (without powerdown GPIO) + * and max11205 are continuously-converting and cycle ~DRDY at the output + * data rate regardless of whether the previous result was read, so the + * next falling edge fires naturally. + * + * A future registerless device that holds ~DRDY asserted until data is + * read would be broken by this early return and would need either + * num_resetclks set or a rdy-gpio. */ if (sigma_delta->rdy_gpiod) { pending_event =3D gpiod_get_value(sigma_delta->rdy_gpiod); - } else { + } else if (sigma_delta->info->has_registers) { unsigned int status_reg; =20 ret =3D ad_sd_read_reg(sigma_delta, AD_SD_REG_STATUS, 1, &status_reg); @@ -274,11 +288,24 @@ static int ad_sigma_delta_clear_pending_event(struct = ad_sigma_delta *sigma_delta return ret; =20 pending_event =3D !(status_reg & AD_SD_REG_STATUS_RDY); + } else { + return 0; } =20 if (!pending_event) return 0; =20 + /* + * With num_resetclks =3D 0, data_read_len is 0 and the drain sequence + * below would compute memset(data + 2, 0xff, 0 - 1), underflowing to + * SIZE_MAX and corrupting the heap. There is no safe way to drain the + * stale result without knowing the data register size; it will be + * consumed by the first ad_sd_read_reg() call in + * ad_sigma_delta_single_conversion(). + */ + if (!data_read_len) + return 0; + /* * In general the size of the data register is unknown. It varies from * device to device, might be one byte longer if CONTROL.DATA_STATUS is --=20 2.43.0