From: Jonathan Cameron <jic23@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
	"Sam Daly" <sam@samdaly.ie>, stable <stable@kernel.org>,
	"David Lechner" <dlechner@baylibre.com>,
	"Nuno Sá" <nuno.sa@analog.com>,
	"Andy Shevchenko" <andy@kernel.org>
Subject: Re: [PATCH 1/3] iio: adc: ti-ads1298: add bounds check to pga_settings index
Date: Fri, 15 May 2026 15:39:13 +0100
Message-ID: <20260515153913.00150136@jic23-huawei>
In-Reply-To: <2026051420-strudel-graves-f6cd@gregkh>

On Thu, 14 May 2026 18:23:20 +0200
Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:

> From: Sam Daly <sam@samdaly.ie>
> 
> ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
> values 0-7. If it yields a value >= 7, this causes an out-of-bounds
> array access. Add a bounds check and return -EINVAL if the index
> is out of range.
> 
I'll add something about the other value being reserved whilst applying.

Note that Sashiko has found a more involved similar case (I haven't
checked it)

https://sashiko.dev/#/patchset/2026051420-strudel-graves-f6cd%40gregkh

Whilst ideally we should harden drivers against faulty values from
hardware, sometimes (like that one) it gets rather involved to actually
do!  Hence I'm not suggesting we actually fix that one but if anyone
does want to take a look - go ahead.

Jonathan


> Assisted-by: gkh_clanker_2000
> Cc: stable <stable@kernel.org>
> Cc: Jonathan Cameron <jic23@kernel.org>
> Cc: David Lechner <dlechner@baylibre.com>
> Cc: "Nuno Sá" <nuno.sa@analog.com>
> Cc: Andy Shevchenko <andy@kernel.org>
> Signed-off-by: Sam Daly <sam@samdaly.ie>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/iio/adc/ti-ads1298.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/iio/adc/ti-ads1298.c b/drivers/iio/adc/ti-ads1298.c
> index ae30b47e4514..731792f06993 100644
> --- a/drivers/iio/adc/ti-ads1298.c
> +++ b/drivers/iio/adc/ti-ads1298.c
> @@ -279,6 +279,7 @@ static const u8 ads1298_pga_settings[] = { 6, 1, 2, 3, 4, 8, 12 };
>  static int ads1298_get_scale(struct ads1298_private *priv,
>  			     int channel, int *val, int *val2)
>  {
> +	unsigned int pga_idx;
>  	int ret;
>  	unsigned int regval;
>  	u8 gain;
> @@ -302,7 +303,11 @@ static int ads1298_get_scale(struct ads1298_private *priv,
>  	if (ret)
>  		return ret;
>  
> -	gain = ads1298_pga_settings[FIELD_GET(ADS1298_MASK_CH_PGA, regval)];
> +	pga_idx = FIELD_GET(ADS1298_MASK_CH_PGA, regval);
> +	if (pga_idx >= ARRAY_SIZE(ads1298_pga_settings))
> +		return -EINVAL;
> +
> +	gain = ads1298_pga_settings[pga_idx];
>  	*val /= gain; /* Full scale is VREF / gain */
>  
>  	*val2 = ADS1298_BITS_PER_SAMPLE - 1; /* Signed, hence the -1 */
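
Review bot: the new `if (pga_idx >= ARRAY_SIZE(ads1298_pga_settings))` check has no comment saying why the index can be out of range. The table in the hunk header context has 7 entries while the commit message says ADS1298_MASK_CH_PGA can yield 0-7, so a one-line comment above the check noting that one field encoding has no table entry would keep a later cleanup from removing it as dead code. Separately, pga_idx is derived from regval, which is read back from the device rather than passed in by the caller, so it is worth stating in the commit message why -EINVAL is the errno chosen for this path.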

