From: sashiko-bot@kernel.org
To: "Piyush Patle" <piyushpatle228@gmail.com>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org,
krzk+dt@kernel.org
Subject: Re: [PATCH v7 10/11] iio: adc: hx711: pass iio_chan_spec to hx711_reset_read
Date: Mon, 11 May 2026 23:10:08 +0000 [thread overview]
Message-ID: <20260511231009.D4B25C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260510194947.31997-11-piyushpatle228@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The triggered buffer interrupt handler (`hx711_trigger`) erroneously processes the IIO soft timestamp channel as a physical data channel, causing an out-of-bounds array write and unintended hardware state mutations.
--
commit 44e12b9836d72a45314f8d5048344b3fe6398fb7
Author: Piyush Patle <piyushpatle228@gmail.com>
iio: adc: hx711: pass iio_chan_spec to hx711_reset_read
Change hx711_reset_read() to accept the channel descriptor directly and
split out the channel-selection work into a small helper.
> diff --git a/drivers/iio/adc/hx711.c b/drivers/iio/adc/hx711.c
> index b4cdd1dc98518..a0e73aa475de0 100644
> --- a/drivers/iio/adc/hx711.c
> +++ b/drivers/iio/adc/hx711.c
[ ... ]
> @@ -390,8 +405,8 @@ static irqreturn_t hx711_trigger(int irq, void *p)
> memset(&hx711_data->buffer, 0, sizeof(hx711_data->buffer));
>
> iio_for_each_active_channel(indio_dev, i) {
> - hx711_data->buffer.channel[j] = hx711_reset_read(hx711_data,
> - indio_dev->channels[i].channel);
> + hx711_data->buffer.channel[j] =
> + hx711_reset_read(hx711_data, &indio_dev->channels[i]);
When the IIO soft timestamp channel is enabled, does this loop also process
it as a physical data channel?
Since iio_for_each_active_channel() iterates over all set bits in the
active_scan_mask, it includes the timestamp channel. For the timestamp
channel, the .channel value is typically -1.
Does passing the timestamp channel to hx711_reset_read() cause it to fall
back to the channel B configuration, resulting in an unintended hardware
state change and a slow physical read?
Additionally, if all physical channels and the timestamp are active, does
writing to hx711_data->buffer.channel[j] cause an out-of-bounds array write?
The buffer.channel array only has room for the physical channels:
struct {
u32 channel[2];
aligned_s64 timestamp;
} buffer;
While the out-of-bounds write happens to land in the adjacent timestamp
struct member, this will trigger undefined behavior and can cause kernel
panics when compiled with CONFIG_UBSAN_BOUNDS or CONFIG_FORTIFY_SOURCE.
Could this be fixed by explicitly skipping the timestamp channel in the
loop, such as checking if indio_dev->channels[i].type == IIO_TIMESTAMP?
> j++;
> }
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260510194947.31997-1-piyushpatle228@gmail.com?part=10
next prev parent reply other threads:[~2026-05-11 23:10 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-10 19:49 [PATCH v7 00/11] iio: adc: hx711: add HX710B support Piyush Patle
2026-05-10 19:49 ` [PATCH v7 01/11] dt-bindings: iio: adc: hx711: clean up existing binding text Piyush Patle
2026-05-11 16:08 ` Conor Dooley
2026-05-10 19:49 ` [PATCH v7 02/11] dt-bindings: iio: adc: hx711: add VSUP supply property Piyush Patle
2026-05-11 16:09 ` Conor Dooley
2026-05-10 19:49 ` [PATCH v7 03/11] dt-bindings: iio: adc: hx711: add RATE GPIO property Piyush Patle
2026-05-11 16:09 ` Conor Dooley
2026-05-10 19:49 ` [PATCH v7 04/11] dt-bindings: iio: adc: hx711: add HX710B support Piyush Patle
2026-05-11 16:09 ` Conor Dooley
2026-05-11 21:54 ` sashiko-bot
2026-05-12 16:51 ` Conor Dooley
2026-05-10 19:49 ` [PATCH v7 05/11] iio: adc: hx711: move scale computation to per-device storage Piyush Patle
2026-05-11 11:19 ` Andy Shevchenko
2026-05-11 13:45 ` Piyush Patle
2026-05-10 19:49 ` [PATCH v7 06/11] iio: adc: hx711: introduce hx711_chip_info structure Piyush Patle
2026-05-11 14:33 ` Jonathan Cameron
2026-05-11 22:27 ` sashiko-bot
2026-05-10 19:49 ` [PATCH v7 07/11] iio: adc: hx711: pass trailing pulse count into hx711_read Piyush Patle
2026-05-10 19:49 ` [PATCH v7 08/11] iio: adc: hx711: split variable assignments in hx711_read and hx711_reset Piyush Patle
2026-05-11 11:22 ` Andy Shevchenko
2026-05-11 14:34 ` Jonathan Cameron
2026-05-10 19:49 ` [PATCH v7 09/11] iio: adc: hx711: localize loop iterators in hx711_read Piyush Patle
2026-05-10 19:49 ` [PATCH v7 10/11] iio: adc: hx711: pass iio_chan_spec to hx711_reset_read Piyush Patle
2026-05-11 23:10 ` sashiko-bot [this message]
2026-05-10 20:26 ` [PATCH v7 11/11] iio: adc: hx711: add support for HX710B Piyush Patle
2026-05-11 11:27 ` Andy Shevchenko
2026-05-11 13:49 ` Piyush Patle
2026-05-11 14:59 ` Jonathan Cameron
2026-05-11 14:26 ` Jonathan Cameron
2026-05-12 0:01 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260511231009.D4B25C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=krzk+dt@kernel.org \
--cc=piyushpatle228@gmail.com \
--cc=robh@kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.