From: sashiko-bot@kernel.org
To: "Rodrigo Alencar via B4 Relay"
<devnull+rodrigo.alencar.analog.com@kernel.org>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v5 11/12] iio: dac: ad5686: add triggered buffer support
Date: Sun, 28 Jun 2026 14:30:26 +0000 [thread overview]
Message-ID: <20260628143026.EC6CA1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260628-ad5686-new-features-v5-11-577caadbf7c0@analog.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Missing data masking in triggered buffer handler allows userspace to corrupt SPI commands for AD5310_REGMAP devices.
--
commit 2caa0f8a9fedc3f66e7b64f897087b47952a9915
Author: Rodrigo Alencar <rodrigo.alencar@analog.com>
iio: dac: ad5686: add triggered buffer support
Implement trigger handler by leveraging the LDAC gpio to update all DAC
channels at once when it is available. Also, the multiple channel writes
can be flushed at once with the sync() operation.
> diff --git a/drivers/iio/dac/ad5686.c b/drivers/iio/dac/ad5686.c
> --- a/drivers/iio/dac/ad5686.c
> +++ b/drivers/iio/dac/ad5686.c
[ ... ]
> @@ -467,6 +472,60 @@ const struct ad5686_chip_info ad5679r_chip_info = {
> };
> EXPORT_SYMBOL_NS_GPL(ad5679r_chip_info, "IIO_AD5686");
>
> +static void do_ad5686_trigger_handler(struct iio_dev *indio_dev)
> +{
> + struct iio_buffer *buffer = indio_dev->buffer;
> + struct ad5686_state *st = iio_priv(indio_dev);
> + u16 val[AD5686_MAX_CHANNELS] = { };
> + unsigned int scan_count, ch, i;
> + bool async_update;
> + u8 cmd;
> +
> + if (iio_pop_from_buffer(buffer, val))
> + return;
> +
> + guard(mutex)(&st->lock);
> +
> + scan_count = bitmap_weight(indio_dev->active_scan_mask,
> + iio_get_masklength(indio_dev));
> + async_update = st->ldac_gpio && scan_count > 1;
> + if (async_update) {
> + /* use LDAC to update all channels simultaneously */
> + cmd = AD5686_CMD_WRITE_INPUT_N;
> + gpiod_set_value_cansleep(st->ldac_gpio, 0);
> + } else {
> + cmd = AD5686_CMD_WRITE_INPUT_N_UPDATE_N;
> + }
> +
> + i = 0;
> + iio_for_each_active_channel(indio_dev, ch) {
> + if (st->ops->write(st, cmd, indio_dev->channels[ch].address, val[i++]))
[Severity: High]
Does this code need to mask the value popped from the buffer before
passing it to the write operation?
If userspace provides 16-bit data with bits 12-15 set, it appears it can
corrupt the SPI commands for AD5310_REGMAP devices. For example, looking at
ad5686_spi_write():
drivers/iio/dac/ad5686-spi.c:ad5686_spi_write() {
...
case AD5310_REGMAP:
st->data[bus_data->size].d16 =
cpu_to_be16(AD5310_CMD(cmd) | val);
...
}
Since the command is shifted to bits 12-15, an unmasked user value from the
triggered buffer could overwrite the SPI command.
> + break;
> + }
> +
> + /*
> + * If sync() is available, it is called here regardless of write
> + * failure to allow bus implementation to reset. In that case, partial
> + * writes are unlikely as the write operations would just queue up
> + * the transfers.
> + */
> + if (st->ops->sync)
> + st->ops->sync(st);
> +
> + if (async_update)
> + gpiod_set_value_cansleep(st->ldac_gpio, 1);
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260628-ad5686-new-features-v5-0-577caadbf7c0@analog.com?part=11
next prev parent reply other threads:[~2026-06-28 14:30 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-28 14:08 [PATCH v5 00/12] New features for the AD5686 IIO driver Rodrigo Alencar via B4 Relay
2026-06-28 14:08 ` [PATCH v5 01/12] dt-bindings: iio: dac: ad5696: add reset/ldac/gain support Rodrigo Alencar via B4 Relay
2026-06-28 14:08 ` [PATCH v5 02/12] dt-bindings: iio: dac: ad5696: rework on power supplies Rodrigo Alencar via B4 Relay
2026-06-28 14:19 ` sashiko-bot
2026-06-28 14:08 ` [PATCH v5 03/12] dt-bindings: iio: dac: ad5686: add reset/ldac/gain support Rodrigo Alencar via B4 Relay
2026-06-28 14:08 ` [PATCH v5 04/12] dt-bindings: iio: dac: ad5686: rework on power supplies Rodrigo Alencar via B4 Relay
2026-06-28 14:19 ` sashiko-bot
2026-06-28 14:08 ` [PATCH v5 05/12] iio: dac: ad5686: add support for missing " Rodrigo Alencar via B4 Relay
2026-06-28 14:08 ` [PATCH v5 06/12] iio: dac: ad5686: consume optional reset signal Rodrigo Alencar via B4 Relay
2026-06-28 14:21 ` sashiko-bot
2026-06-28 14:08 ` [PATCH v5 07/12] iio: dac: ad5686: add ldac gpio Rodrigo Alencar via B4 Relay
2026-06-28 14:08 ` [PATCH v5 08/12] iio: dac: ad5686: introduce sync operation Rodrigo Alencar via B4 Relay
2026-06-28 14:08 ` [PATCH v5 09/12] iio: dac: ad5686: implement new sync() op for the spi bus Rodrigo Alencar via B4 Relay
2026-06-28 14:08 ` [PATCH v5 10/12] iio: dac: ad5686: read_raw/write_raw: use guard(mutex)() Rodrigo Alencar via B4 Relay
2026-06-28 14:08 ` [PATCH v5 11/12] iio: dac: ad5686: add triggered buffer support Rodrigo Alencar via B4 Relay
2026-06-28 14:30 ` sashiko-bot [this message]
2026-06-28 14:08 ` [PATCH v5 12/12] iio: dac: ad5686: add gain control support Rodrigo Alencar via B4 Relay
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260628143026.EC6CA1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=devnull+rodrigo.alencar.analog.com@kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox