Re: [PATCH v2] iio: adc: sun20i-gpadc: support non-contiguous channel lookups

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Medium] Missing validation of iiospec->nargs leads to uninitialized stack memory read
- [Low] Spelling and grammar errors in the commit message
--

commit 0da362a2628891f0ec84a4906fcbc3b1521286d2
Author: Michal Piekos <michal.piekos@mmpsystems.pl>

iio: adc: sun20i-gpadc: support non-contiguous channel lookups

This commit adds a fwnode_xlate callback to support sparse channel maps
by mapping the devicetree phandle argument to the registered channel whose
ID matches the hardware channel number.

> Using consumer driver like iio-hwmon which resolve channels thorugh
> io-channels phandles will fail for sparse channels because IIO core by
> default threats phandle argument as index into channel array.

This isn't a bug, but there are typos in the commit message: "thorugh"
instead of "through", and "threats" instead of "treats".

> diff --git a/drivers/iio/adc/sun20i-gpadc-iio.c b/drivers/iio/adc/sun20i-gpadc-iio.c
> index 861c14da75add..78c9a52f38df0 100644
> --- a/drivers/iio/adc/sun20i-gpadc-iio.c
> +++ b/drivers/iio/adc/sun20i-gpadc-iio.c

[ ... ]

> @@ -139,8 +139,20 @@ static irqreturn_t sun20i_gpadc_irq_handler(int irq, void *data)
>  	return IRQ_HANDLED;
>  }
>  
> +static int
> +sun20i_gpadc_fwnode_xlate(struct iio_dev *indio_dev,
> +			  const struct fwnode_reference_args *iiospec)
> +{
> +	for (unsigned int i = 0; i < indio_dev->num_channels; i++)
> +		if (indio_dev->channels[i].channel == iiospec->args[0])

Is it possible to read uninitialized stack memory here?

The IIO core function __fwnode_iio_channel_get() allocates iiospec on the
stack without zero-initializing it. When parsing a reference from a
malformed devicetree node (e.g., #io-channel-cells = <0>), an ACPI table,
or a software node, fwnode_property_get_reference_args() returns success
and sets iiospec->nargs = 0 but leaves the args array unmodified.

If iiospec->nargs is not verified, this evaluates iiospec->args[0]
using uninitialized memory. If this garbage data happens to match an
existing channel ID, the driver could spuriously map a random channel.

Should this function check if iiospec->nargs < 1 before accessing the
arguments array?

> +			return i;
> +
> +	return -EINVAL;
> +}
> +

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260514-fix-sunxi-gpadc-sparse-channels-v2-1-d4a66b70c7a7@mmpsystems.pl?part=1