From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A373F25A341; Mon, 9 Jun 2025 13:47:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1749476830; cv=none; b=NLUv+tEKoIUeWDIRlCjTLQhtRHCcgMVDbTeENSMsf8EETd0DOZtJbnPas6Mm96jEQUuAE3XM1ylUaOkxZpHSEKhMXeIOCfEIinahRf1m2caIcfhwFi2Uzgz4EIG5gINn4Q06EdwHjJNhnAcZYfR4Fc4kgYIwUt1Npij6jQRtHEo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1749476830; c=relaxed/simple; bh=6czpS3TjCdJaTgLha2FTbzCS3PSHLsCljrG3Jre9Mf0=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Type; b=p0Grqq1lhYeAewTRdWbgzKC5G2zitmGoOlCYfGw4ttHxoT091txPpWpYWL09x1wuBpp11j/tdXob/I7869Hr/A+0/hBTeQ+bGEUuN5MwVVjdrRbD78ywxURpXoaqO10Hmr5yNjqCWGjqxxNvnm1f2hukQWSeH5NWZmrKaPM+cO4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=pXc0ZiKS; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="pXc0ZiKS" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9B7F7C4CEED; Mon, 9 Jun 2025 13:47:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1749476830; bh=6czpS3TjCdJaTgLha2FTbzCS3PSHLsCljrG3Jre9Mf0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pXc0ZiKSbJXkq1v1DtvfvPxKEPS0ZPHyr6Gw7Oylqd1fKuvEjquK+YHL7uGcWRJ4e 7jmXa+lSi1HpDznSeMxyhySem9GExYhxSR8PO9HAp7Jbs8ETQ33QpZgoWAz6CaMgMv yC0VHdvISBCFOxpa5RQ07OXMl6P6khRRYQqQk5FT3DkvY/J5uytJsjSOuprD3Qaw2v UZtLz4JRpRdCMSxy6R+e0++4f8OgSBzEOcDfAHgWeg8MTT+BmrhDhG7LZdBUNuUqMA cmfvUNVDtpSg/CLLDx1MjoIE2qTv3L1yfOFyIobHk+3ees1GdP6cPBQ4U3wvssgmkX 0fU+DMAMSmQRw== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Purva Yeshi , Jonathan Cameron , Sasha Levin , lars@metafoo.de, Michael.Hennerich@analog.com Subject: [PATCH AUTOSEL 6.6 10/18] iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos Date: Mon, 9 Jun 2025 09:46:44 -0400 Message-Id: <20250609134652.1344323-10-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250609134652.1344323-1-sashal@kernel.org> References: <20250609134652.1344323-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.6.93 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Purva Yeshi [ Upstream commit e5cdb098a3cb165d52282ffc3a6448642953ea13 ] Fix Smatch-detected issue: drivers/iio/adc/ad_sigma_delta.c:604 ad_sd_trigger_handler() error: uninitialized symbol 'status_pos'. The variable `status_pos` was only initialized in specific switch cases (1, 2, 3, 4), which could leave it uninitialized if `reg_size` had an unexpected value. Fix by adding a default case to the switch block to catch unexpected values of `reg_size`. Use `dev_err_ratelimited()` for error logging and `goto irq_handled` instead of returning early. Signed-off-by: Purva Yeshi Link: https://patch.msgid.link/20250410170408.8585-1-purvayeshi550@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin --- Let me analyze the commit without the kernel repository. Looking at the commit information: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Analysis of the Bug Fix ### 1. **Critical Bug Nature** The commit fixes a serious issue where the variable `status_pos` could be used uninitialized. This is a critical bug because: - Uninitialized variables can contain arbitrary memory values - Using an uninitialized `status_pos` in line `converted_channel = data[status_pos] & sigma_delta->info->status_ch_mask;` could lead to: - Out-of-bounds array access - Memory corruption - System crashes or undefined behavior ### 2. **Code Analysis of the Fix** The problematic code was in the `ad_sd_trigger_handler()` function: ```c switch (reg_size) { case 4: case 2: case 1: status_pos = reg_size; // ... break; case 3: status_pos = reg_size + 1; // ... break; } ``` **Problem**: If `reg_size` had any value other than 1, 2, 3, or 4, `status_pos` would remain uninitialized. **Solution**: The fix adds a default case: ```c default: dev_err_ratelimited(&indio_dev->dev, "Unsupported reg_size: %u\n", reg_size); goto irq_handled; ``` ### 3. **Risk Assessment - LOW RISK** - **Contained fix**: Only adds error handling, doesn't change existing logic - **No functional changes**: For valid `reg_size` values (1-4), behavior is identical - **Safe error handling**: Uses rate-limited logging and proper cleanup via `goto irq_handled` - **No architectural changes**: Simple defensive programming addition ### 4. **User Impact - HIGH** - **Affects all users**: Any driver using ad_sigma_delta could potentially trigger this - **Data corruption potential**: Uninitialized variable could cause incorrect channel data processing - **System stability**: Could lead to kernel panics or memory corruption - **Silent failures**: Bug might manifest as subtle data corruption rather than obvious crashes ### 5. **Stable Tree Criteria Compliance** ✅ **Important bugfix**: Prevents potential memory corruption and crashes ✅ **Small and contained**: Only adds 3 lines of defensive code ✅ **Low regression risk**: Cannot break existing functionality ✅ **Clear benefit**: Eliminates undefined behavior ✅ **No new features**: Pure bug fix ### 6. **Comparison with Similar Commits** Unlike the reference commits that were marked "NO" for backporting: - This fixes a **functional bug** (not just code style/cleanup) - Has **user-visible impact** (potential crashes vs. cosmetic improvements) - Addresses **undefined behavior** (critical vs. minor improvements) - **Security implications** (memory safety vs. readability) ### 7. **Static Analysis Tool Detection** The fact that Smatch detected this issue indicates it's a real problem that static analysis considers serious enough to flag. This type of uninitialized variable usage is a common source of security vulnerabilities and system instability. **Conclusion**: This is a textbook example of a commit that should be backported - it fixes a real bug with serious consequences, has minimal risk of regression, and follows all stable tree guidelines. drivers/iio/adc/ad_sigma_delta.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c index 7e21928707437..533667eefe419 100644 --- a/drivers/iio/adc/ad_sigma_delta.c +++ b/drivers/iio/adc/ad_sigma_delta.c @@ -476,6 +476,10 @@ static irqreturn_t ad_sd_trigger_handler(int irq, void *p) * byte set to zero. */ ad_sd_read_reg_raw(sigma_delta, data_reg, transfer_size, &data[1]); break; + + default: + dev_err_ratelimited(&indio_dev->dev, "Unsupported reg_size: %u\n", reg_size); + goto irq_handled; } /* -- 2.39.5