From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Purva Yeshi <purvayeshi550@gmail.com>,
	Jonathan Cameron <Jonathan.Cameron@huawei.com>,
	Sasha Levin <sashal@kernel.org>,
	lars@metafoo.de, Michael.Hennerich@analog.com
Subject: [PATCH AUTOSEL 6.6 10/18] iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos
Date: Mon,  9 Jun 2025 09:46:44 -0400
Message-ID: <20250609134652.1344323-10-sashal@kernel.org>
In-Reply-To: <20250609134652.1344323-1-sashal@kernel.org>

From: Purva Yeshi <purvayeshi550@gmail.com>

[ Upstream commit e5cdb098a3cb165d52282ffc3a6448642953ea13 ]

Fix Smatch-detected issue:
drivers/iio/adc/ad_sigma_delta.c:604 ad_sd_trigger_handler() error:
uninitialized symbol 'status_pos'.

The variable `status_pos` was only initialized in specific switch cases
(1, 2, 3, 4), which could leave it uninitialized if `reg_size` had an
unexpected value.

Fix by adding a default case to the switch block to catch unexpected
values of `reg_size`. Use `dev_err_ratelimited()` for error logging and
`goto irq_handled` instead of returning early.

Signed-off-by: Purva Yeshi <purvayeshi550@gmail.com>
Link: https://patch.msgid.link/20250410170408.8585-1-purvayeshi550@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

Let me analyze the commit without the kernel repository. Looking at the
commit information:

**YES**

This commit should be backported to stable kernel trees. Here's my
extensive analysis:

## Analysis of the Bug Fix

### 1. **Critical Bug Nature**
The commit fixes a serious issue where the variable `status_pos` could
be used uninitialized. This is a critical bug because:
- Uninitialized variables can contain arbitrary memory values
- Using an uninitialized `status_pos` in line `converted_channel =
  data[status_pos] & sigma_delta->info->status_ch_mask;` could lead to:
  - Out-of-bounds array access
  - Memory corruption
  - System crashes or undefined behavior

### 2. **Code Analysis of the Fix**
The problematic code was in the `ad_sd_trigger_handler()` function:

```c
switch (reg_size) {
case 4:
case 2:
case 1:
    status_pos = reg_size;
    // ...
    break;
case 3:
    status_pos = reg_size + 1;
    // ...
    break;
}
```

**Problem**: If `reg_size` had any value other than 1, 2, 3, or 4,
`status_pos` would remain uninitialized.

**Solution**: The fix adds a default case:
```c
default:
    dev_err_ratelimited(&indio_dev->dev, "Unsupported reg_size: %u\n",
                        reg_size);
    goto irq_handled;
```

### 3. **Risk Assessment - LOW RISK**
- **Contained fix**: Only adds error handling, doesn't change existing
  logic
- **No functional changes**: For valid `reg_size` values (1-4), behavior
  is identical
- **Safe error handling**: Uses rate-limited logging and proper cleanup
  via `goto irq_handled`
- **No architectural changes**: Simple defensive programming addition

### 4. **User Impact - HIGH**
- **Affects all users**: Any driver using ad_sigma_delta could
  potentially trigger this
- **Data corruption potential**: Uninitialized variable could cause
  incorrect channel data processing
- **System stability**: Could lead to kernel panics or memory corruption
- **Silent failures**: Bug might manifest as subtle data corruption
  rather than obvious crashes

### 5. **Stable Tree Criteria Compliance**
✅ **Important bugfix**: Prevents potential memory corruption and crashes
✅ **Small and contained**: Only adds 3 lines of defensive code
✅ **Low regression risk**: Cannot break existing functionality
✅ **Clear benefit**: Eliminates undefined behavior
✅ **No new features**: Pure bug fix

### 6. **Comparison with Similar Commits**
Unlike the reference commits that were marked "NO" for backporting:
- This fixes a **functional bug** (not just code style/cleanup)
- Has **user-visible impact** (potential crashes vs. cosmetic
  improvements)
- Addresses **undefined behavior** (critical vs. minor improvements)
- **Security implications** (memory safety vs. readability)

### 7. **Static Analysis Tool Detection**
The fact that Smatch detected this issue indicates it's a real problem
that static analysis considers serious enough to flag. This type of
uninitialized variable usage is a common source of security
vulnerabilities and system instability.

**Conclusion**: This is a textbook example of a commit that should be
backported - it fixes a real bug with serious consequences, has minimal
risk of regression, and follows all stable tree guidelines.

 drivers/iio/adc/ad_sigma_delta.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
index 7e21928707437..533667eefe419 100644
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -476,6 +476,10 @@ static irqreturn_t ad_sd_trigger_handler(int irq, void *p)
 		 * byte set to zero. */
 		ad_sd_read_reg_raw(sigma_delta, data_reg, transfer_size, &data[1]);
 		break;
+
+	default:
+		dev_err_ratelimited(&indio_dev->dev, "Unsupported reg_size: %u\n", reg_size);
+		goto irq_handled;
 	}
 
 	/*
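Review bot: the default arm checks in the interrupt path a value that cannot change between interrupts; a reg_size outside 1..4 is a property of the channel the driver registered, so it would be better rejected once, with -EINVAL, where the channel or buffer is set up, instead of producing a rate-limited error on every trigger and jumping to irq_handled with the sample discarded. If the in-handler check is kept as a belt-and-braces guard, a one-line comment saying it is unreachable for correctly registered channels (and a WARN_ON_ONCE rather than dev_err_ratelimited) would make that intent clear to the next reader and still silence the Smatch report.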
-- 
2.39.5
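The switch quoted in the analysis above is easier to reason about with the buffer layout in front of you: 1-, 2- and 4-byte samples are read to the start of the scan buffer, the 3-byte sample is read to `&data[1]` so that the 32-bit word has a zero high byte, and the status byte trails the sample, which is why `status_pos` is `reg_size` in three arms and `reg_size + 1` in the third. The following is an added user-space model of that logic and of the patch's default arm; it is not code from the kernel or from the driver authors, and the 8-byte buffer, the `STATUS_CH_MASK` value and the `model_` function names are assumptions made for the example.

```c
/* Added example, not kernel code: a user-space model of how the
 * ad_sigma_delta trigger handler locates the status byte that follows
 * a converted sample, with the default arm the patch introduces.
 * Buffer size and the status channel mask are assumed values. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define STATUS_CH_MASK 0x07  /* assumed: low bits of the status byte carry the channel */
#define SCAN_BUF_LEN   8     /* assumed: room for a 4-byte sample plus status byte */

/* Models the reg_size switch. Returns the index of the status byte in
 * the scan buffer, or -EINVAL for an unsupported reg_size. Without the
 * default arm this function would fall off the switch with no return
 * value, which is the uninitialized-status_pos bug the patch closes. */
static int model_status_pos(unsigned int reg_size)
{
	switch (reg_size) {
	case 4:
	case 2:
	case 1:
		/* sample occupies data[0..reg_size-1], status follows it */
		return (int)reg_size;
	case 3:
		/* sample is stored at data[1..3] so data[0] is a zero high byte */
		return (int)reg_size + 1;
	default:
		return -EINVAL;
	}
}

/* Simulates the SPI transfer of reg_size sample bytes followed by one
 * status byte into the scan buffer, then extracts the converted channel
 * number the way the handler does: data[status_pos] & mask.
 * Returns the channel number, or -EINVAL if reg_size is unsupported. */
static int model_converted_channel(unsigned int reg_size,
				   const uint8_t *sample, uint8_t status)
{
	uint8_t data[SCAN_BUF_LEN];
	int status_pos = model_status_pos(reg_size);
	unsigned int off;

	memset(data, 0, sizeof(data));
	if (status_pos < 0)
		return status_pos;       /* mirrors "goto irq_handled": no sample published */

	off = (reg_size == 3) ? 1 : 0;   /* the 3-byte read lands at &data[1] */
	memcpy(&data[off], sample, reg_size);
	data[off + reg_size] = status;   /* status byte trails the sample */

	return data[status_pos] & STATUS_CH_MASK;
}
```

Feeding a constructed 3-byte sample with a status byte of 0x85 returns channel 5 because the status byte sits at index 4, while reg_size 5 now fails cleanly with -EINVAL instead of indexing the buffer through whatever happened to be in `status_pos`.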

