From: sashiko-bot@kernel.org
To: "Marcelo Schmitt" <marcelo.schmitt@analog.com>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v2 4/4] iio: adc: ltc2378: Enable triggered buffer data capture
Date: Thu, 28 May 2026 17:21:04 +0000
Message-ID: <20260528172104.F08851F000E9@smtp.kernel.org>
In-Reply-To: <dc235f0b036a9eb33b37b0970815a95c9da52414.1779976379.git.marcelo.schmitt@analog.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The `ltc2378_scan` structure is allocated on the stack but not fully initialized, leaving fields like `endianness`, `shift`, and `repeat` with garbage values. This leads to out-of-bounds array reads in the IIO core, data corruption, and potential information disclosure.
--
commit 9e45014ec9c648942b0872f2dcaabf867779b73e
Author: Marcelo Schmitt <marcelo.schmitt@analog.com>

iio: adc: ltc2378: Enable triggered buffer data capture

This commit adds support for triggered buffer data captures to the
LTC2378 ADC driver. It implements a trigger handler and configures the
scan type for both SPI offload and fallback triggered buffer cases.

> diff --git a/drivers/iio/adc/ltc2378.c b/drivers/iio/adc/ltc2378.c
> index 6b01d8e96cc60..514645b847f0b 100644
> --- a/drivers/iio/adc/ltc2378.c
> +++ b/drivers/iio/adc/ltc2378.c
[ ... ]
> @@ -314,17 +337,27 @@ static int ltc2378_probe(struct spi_device *spi)
> st->chans[0].type = IIO_VOLTAGE;
> st->chans[0].info_mask_separate = BIT(IIO_CHAN_INFO_RAW) |
> BIT(IIO_CHAN_INFO_SCALE);
> + st->chans[0].scan_index = 0;
>
> struct iio_scan_type ltc2378_scan;
>
> ret = ltc2378_offload_buffer_setup(indio_dev, spi);
> if (ret == -ENODEV) {
> /* SPI offloading is unavailable. Fall back to triggered buffer. */
> - dev_dbg(dev, "triggered data capture not supported\n");
> ltc2378_scan.format = st->info->twos_comp ? IIO_SCAN_FORMAT_SIGNED_INT :
> IIO_SCAN_FORMAT_UNSIGNED_INT;
> ltc2378_scan.realbits = st->info->resolution;
> ltc2378_scan.storagebits = st->info->resolution > 16 ? 32 : 16;
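Review bot: In the `ret == -ENODEV` branch only `format`, `realbits` and `storagebits` of `ltc2378_scan` are assigned, and the struct is declared without an initializer after executable statements, so every other member keeps whatever was on the stack. Build it with a designated initializer at the declaration (or at least `= { }`), which zeroes the members that are not named, and set `.endianness` explicitly instead of relying on the zero value, so the byte order exposed to userspace is a stated choice. The declaration would also sit better at the top of `ltc2378_probe()` or inside a small helper that returns the filled struct, keeping locals in the usual kernel position.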
[Severity: High]
Does this leave fields in ltc2378_scan uninitialized?
It looks like ltc2378_scan is allocated on the stack but not fully
initialized. Only format, realbits, and storagebits are assigned here,
leaving fields like endianness, shift, and repeat with stack garbage.
When st->chans[0].scan_type is later assigned from this struct, the
uninitialized endianness field could cause an out-of-bounds array read in
iio_show_scan_type() when indexing into iio_endian_prefix.
The garbage repeat value could also result in miscalculated IIO buffer
chunk sizes.
Could ltc2378_scan be zero-initialized to prevent these issues?
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1779976379.git.marcelo.schmitt@analog.com?part=4
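
The failure mode raised in the review above, as a stand-alone user-space illustration added here; it is not code from the patch or from the IIO core. The types, the table and the function names are hypothetical stand-ins, and the `0xAA` fill is a constructed substitute for leftover stack contents so the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the scan-type struct and prefix table in the review. */
enum endian { ENDIAN_CPU, ENDIAN_BE, ENDIAN_LE };
struct scan_type {
	char sign;
	unsigned char realbits, storagebits, shift, repeat;
	enum endian endianness;
};
static const char *const endian_prefix[] = { "cpu", "be", "le" };

/* Pattern from the hunk: declare, then assign only some members.
 * The memset models stale stack bytes (constructed, not real garbage). */
struct scan_type scan_partial(unsigned char resolution, int twos_comp)
{
	struct scan_type s;
	memset(&s, 0xAA, sizeof(s));
	s.sign = twos_comp ? 's' : 'u';
	s.realbits = resolution;
	s.storagebits = resolution > 16 ? 32 : 16;
	return s;
}

/* Designated initializer: every member not named here is zeroed. */
struct scan_type scan_initialized(unsigned char resolution, int twos_comp)
{
	struct scan_type s = {
		.sign = twos_comp ? 's' : 'u',
		.realbits = resolution,
		.storagebits = resolution > 16 ? 32 : 16,
		.endianness = ENDIAN_CPU,
	};
	return s;
}

/* Checked lookup: NULL marks an index that would read past the table. */
const char *endian_name(const struct scan_type *s)
{
	size_t idx = (size_t)s->endianness;
	if (idx >= sizeof(endian_prefix) / sizeof(endian_prefix[0]))
		return NULL;
	return endian_prefix[idx];
}

int main(void)
{
	struct scan_type a = scan_partial(20, 1), b = scan_initialized(20, 1);
	printf("partial: repeat=%u endian=%s\n", (unsigned)a.repeat, endian_name(&a) ? endian_name(&a) : "OUT OF RANGE");
	printf("initialized: repeat=%u endian=%s\n", (unsigned)b.repeat, endian_name(&b));
	return 0;
}
```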