From: Jonathan Cameron <jic23@kernel.org>
To: "Sabau, Radu bogdan" <Radu.Sabau@analog.com>
Cc: "Lars-Peter Clausen" <lars@metafoo.de>,
"Hennerich, Michael" <Michael.Hennerich@analog.com>,
"David Lechner" <dlechner@baylibre.com>,
"Sa, Nuno" <Nuno.Sa@analog.com>,
"Andy Shevchenko" <andy@kernel.org>,
"Rob Herring" <robh@kernel.org>,
"Krzysztof Kozlowski" <krzk+dt@kernel.org>,
"Conor Dooley" <conor+dt@kernel.org>,
"Uwe Kleine-König" <ukleinek@kernel.org>,
"Liam Girdwood" <lgirdwood@gmail.com>,
"Mark Brown" <broonie@kernel.org>,
"Linus Walleij" <linusw@kernel.org>,
"Bartosz Golaszewski" <brgl@kernel.org>,
"Philipp Zabel" <p.zabel@pengutronix.de>,
"Jonathan Corbet" <corbet@lwn.net>,
"Shuah Khan" <skhan@linuxfoundation.org>,
"linux-iio@vger.kernel.org" <linux-iio@vger.kernel.org>,
"devicetree@vger.kernel.org" <devicetree@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-pwm@vger.kernel.org" <linux-pwm@vger.kernel.org>,
"linux-gpio@vger.kernel.org" <linux-gpio@vger.kernel.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>
Subject: Re: [PATCH v9 5/6] iio: adc: ad4691: add oversampling support
Date: Thu, 7 May 2026 16:26:52 +0100 [thread overview]
Message-ID: <20260507162652.18898e28@jic23-huawei> (raw)
In-Reply-To: <LV9PR03MB8414B9A4A4D48BDF8E60398FF73C2@LV9PR03MB8414.namprd03.prod.outlook.com>
On Thu, 7 May 2026 11:56:53 +0000
"Sabau, Radu bogdan" <Radu.Sabau@analog.com> wrote:
> Addressing Sashiko's review for the oversampling support patch.
>
One thing inline. I think Sashiko got it wrong..
> > @@ -691,6 +857,10 @@ static int ad4691_enter_conversion_mode(struct
> > ad4691_state *st)
> > return regmap_update_bits(st->regmap,
> > AD4691_DEVICE_SETUP,
> > AD4691_MANUAL_MODE,
> > AD4691_MANUAL_MODE);
> >
> > + ret = ad4691_write_osc_freq(st);
> > + if (ret)
> > + return ret;
> > +
> > ret = regmap_update_bits(st->regmap, AD4691_ADC_SETUP,
> > AD4691_ADC_MODE_MASK,
> > AD4691_CNV_BURST_MODE);
> > if (ret)
> > @@ -844,6 +1014,12 @@ static int
> > ad4691_cnv_burst_buffer_preenable(struct iio_dev *indio_dev)
> > if (ret)
> > goto err_unoptimize;
> >
> > + iio_for_each_active_channel(indio_dev, i) {
> > + ret = regmap_write(st->regmap, AD4691_ACC_DEPTH_IN(i),
> > st->osr[i]);
> > + if (ret)
> > + goto err_unoptimize;
> > + }
> > +
>
> "If the IIO soft timestamp channel is enabled, its scan_index is 16.
> iio_for_each_active_channel() iterates over all active channels including
> the timestamp channel.
I saw this one and think it's wrong.
It is sort of true and sort of not. active_scan_mask never has the timestamp
channel set. There is special handling for that channel.
https://elixir.bootlin.com/linux/v7.0.1/source/drivers/iio/industrialio-buffer.c#L613
IIRC the bitmap is technically one bit too large given that quirk
(I've not checked that today so I'm relying on memory of when this last came up).
Jonathan
> Will this loop process i = 16 and access st->osr[16] out of bounds, since
> st->osr is an array of size 16?
> Additionally, since AD4691_ACC_DEPTH_IN(16) resolves to 0x196
> (AD4691_GPIO_MODE1_REG), will this silently corrupt the GPIO configuration
> and potentially break the DATA_READY interrupt?
> Furthermore, does the presence of the timestamp channel cause the loop
> iteration to advance k to 17, making the state-reset SPI transfers appended
> after the loop write to st->scan_xfers[34] and [35]? This would overflow
> the scan_xfers array which is sized 34 and could corrupt the surrounding
> struct ad4691_state."
>
> Valid for the osr[] out-of-bounds and GPIO corruption concerns. With
> the soft timestamp enabled (scan_index = 16), the loop would access
> st->osr[16] out-of-bounds and write to AD4691_ACC_DEPTH_IN(16) = 0x196,
> which is AD4691_GPIO_MODE1_REG, silently corrupting the GPIO configuration
> and potentially breaking the DATA_READY interrupt.
>
> Added the same guard used by the scan_xfers loops in the triggered-buffer
> commit: if (i >= indio_dev->num_channels - 1) break.
>
> The scan_xfers k-overflow concern is already handled by that existing guard
> in a separate loop — it is not affected by the ACC_DEPTH_IN loop added
> here.
>
next prev parent reply other threads:[~2026-05-07 15:27 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-30 10:16 [PATCH v9 0/6] iio: adc: ad4691: add driver for AD4691 multichannel SAR ADC family Radu Sabau via B4 Relay
2026-04-30 10:16 ` [PATCH v9 1/6] dt-bindings: iio: adc: add AD4691 family Radu Sabau via B4 Relay
2026-04-30 10:16 ` [PATCH v9 2/6] iio: adc: ad4691: add initial driver for " Radu Sabau via B4 Relay
2026-05-05 13:23 ` Jonathan Cameron
2026-05-07 9:26 ` Sabau, Radu bogdan
2026-05-07 14:15 ` Jonathan Cameron
2026-05-08 4:44 ` Andy Shevchenko
2026-05-08 9:53 ` Andy Shevchenko
2026-04-30 10:16 ` [PATCH v9 3/6] iio: adc: ad4691: add triggered buffer support Radu Sabau via B4 Relay
2026-05-04 7:57 ` Andy Shevchenko
2026-05-04 12:05 ` Sabau, Radu bogdan
2026-05-05 13:26 ` Jonathan Cameron
2026-05-05 14:58 ` Andy Shevchenko
2026-05-05 16:17 ` Jonathan Cameron
2026-05-06 7:25 ` Andy Shevchenko
2026-05-06 9:01 ` Sabau, Radu bogdan
2026-05-05 14:04 ` Jonathan Cameron
2026-05-05 14:07 ` Jonathan Cameron
2026-05-07 11:37 ` Sabau, Radu bogdan
2026-05-07 14:25 ` Jonathan Cameron
2026-05-08 11:08 ` Sabau, Radu bogdan
2026-04-30 10:16 ` [PATCH v9 4/6] iio: adc: ad4691: add SPI offload support Radu Sabau via B4 Relay
2026-05-04 8:10 ` Andy Shevchenko
2026-05-05 14:12 ` Jonathan Cameron
2026-05-05 14:28 ` Jonathan Cameron
2026-05-06 9:17 ` Sabau, Radu bogdan
2026-05-07 11:49 ` Sabau, Radu bogdan
2026-05-07 15:11 ` Jonathan Cameron
2026-05-08 11:11 ` Sabau, Radu bogdan
2026-04-30 10:16 ` [PATCH v9 5/6] iio: adc: ad4691: add oversampling support Radu Sabau via B4 Relay
2026-05-04 8:14 ` Andy Shevchenko
2026-05-05 14:32 ` Jonathan Cameron
2026-05-07 11:56 ` Sabau, Radu bogdan
2026-05-07 15:26 ` Jonathan Cameron [this message]
2026-04-30 10:16 ` [PATCH v9 6/6] docs: iio: adc: ad4691: add driver documentation Radu Sabau via B4 Relay
2026-05-05 14:35 ` Jonathan Cameron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260507162652.18898e28@jic23-huawei \
--to=jic23@kernel.org \
--cc=Michael.Hennerich@analog.com \
--cc=Nuno.Sa@analog.com \
--cc=Radu.Sabau@analog.com \
--cc=andy@kernel.org \
--cc=brgl@kernel.org \
--cc=broonie@kernel.org \
--cc=conor+dt@kernel.org \
--cc=corbet@lwn.net \
--cc=devicetree@vger.kernel.org \
--cc=dlechner@baylibre.com \
--cc=krzk+dt@kernel.org \
--cc=lars@metafoo.de \
--cc=lgirdwood@gmail.com \
--cc=linusw@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-gpio@vger.kernel.org \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pwm@vger.kernel.org \
--cc=p.zabel@pengutronix.de \
--cc=robh@kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=ukleinek@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox