[PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table

Linux IIO development
 help / color / mirror / Atom feed

* [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
@ 2026-05-10  2:35 Stepan Ionichev
  2026-05-10  3:06 ` Stepan Ionichev
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Stepan Ionichev @ 2026-05-10  2:35 UTC (permalink / raw)
  To: jic23
  Cc: dlechner, nuno.sa, andy, gregkh, hcazarim, linux-iio,
	linux-kernel, sozdayvek

bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the
entry matching the bw_bits value read from the chip:

	for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
		if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
			break;
	}
	*val = bmg160_samp_freq_table[i].filter;

If no entry matches, i ends up equal to the array size and the next
line reads one slot past the end. bmg160_set_filter() has the same
shape, driven by 'val' instead of bw_bits.

smatch flags both:

  drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
  buffer overflow 'bmg160_samp_freq_table' 7 <= 7
  drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
  buffer overflow 'bmg160_samp_freq_table' 7 <= 7

Return -EINVAL when no entry matches.

Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
---
 drivers/iio/gyro/bmg160_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c
index 38394b5f3..58963f3ea 100644
--- a/drivers/iio/gyro/bmg160_core.c
+++ b/drivers/iio/gyro/bmg160_core.c
@@ -201,6 +201,9 @@ static int bmg160_get_filter(struct bmg160_data *data, int *val)
 			break;
 	}
 
+	if (i == ARRAY_SIZE(bmg160_samp_freq_table))
+		return -EINVAL;
+
 	*val = bmg160_samp_freq_table[i].filter;
 
 	return ret ? ret : IIO_VAL_INT;
@@ -218,6 +221,9 @@ static int bmg160_set_filter(struct bmg160_data *data, int val)
 			break;
 	}
 
+	if (i == ARRAY_SIZE(bmg160_samp_freq_table))
+		return -EINVAL;
+
 	ret = regmap_write(data->regmap, BMG160_REG_PMU_BW,
 			   bmg160_samp_freq_table[i].bw_bits);
 	if (ret < 0) {
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
  2026-05-10  2:35 [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Stepan Ionichev
@ 2026-05-10  3:06 ` Stepan Ionichev
  2026-05-10 11:56   ` Andy Shevchenko
  2026-05-10 10:15 ` Andy Shevchenko
  2026-05-10 12:53 ` Andy Shevchenko
  2 siblings, 1 reply; 5+ messages in thread
From: Stepan Ionichev @ 2026-05-10  3:06 UTC (permalink / raw)
  To: andy
  Cc: jic23, dlechner, nuno.sa, gregkh, hcazarim, linux-iio,
	linux-kernel, sozdayvek

I checked patchwork for bmg160 -- no prior post for this fix. If you
remember the thread, point me to it.

Same pattern (loop with 'i' used after no-break) appears in other iio
drivers too. Maybe that is what you saw.

Stepan

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
  2026-05-10  2:35 [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Stepan Ionichev
  2026-05-10  3:06 ` Stepan Ionichev
@ 2026-05-10 10:15 ` Andy Shevchenko
  2026-05-10 12:53 ` Andy Shevchenko
  2 siblings, 0 replies; 5+ messages in thread
From: Andy Shevchenko @ 2026-05-10 10:15 UTC (permalink / raw)
  To: Stepan Ionichev
  Cc: jic23, dlechner, nuno.sa, andy, gregkh, hcazarim, linux-iio,
	linux-kernel

On Sun, May 10, 2026 at 07:35:00AM +0500, Stepan Ionichev wrote:
> bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the
> entry matching the bw_bits value read from the chip:
> 
> 	for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
> 		if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
> 			break;
> 	}
> 	*val = bmg160_samp_freq_table[i].filter;
> 
> If no entry matches, i ends up equal to the array size and the next
> line reads one slot past the end. bmg160_set_filter() has the same
> shape, driven by 'val' instead of bw_bits.
> 
> smatch flags both:
> 
>   drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
>   buffer overflow 'bmg160_samp_freq_table' 7 <= 7
>   drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
>   buffer overflow 'bmg160_samp_freq_table' 7 <= 7
> 
> Return -EINVAL when no entry matches.

Have you checked the mailing list archive? I have a weak memory of seeing this
or something similar in the (recent) past...

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
  2026-05-10  3:06 ` Stepan Ionichev
@ 2026-05-10 11:56   ` Andy Shevchenko
  0 siblings, 0 replies; 5+ messages in thread
From: Andy Shevchenko @ 2026-05-10 11:56 UTC (permalink / raw)
  To: Stepan Ionichev
  Cc: andy, jic23, dlechner, nuno.sa, gregkh, hcazarim, linux-iio,
	linux-kernel

On Sun, May 10, 2026 at 08:06:47AM +0500, Stepan Ionichev wrote:
> I checked patchwork for bmg160 -- no prior post for this fix. If you
> remember the thread, point me to it.

Okay, thanks for confirming!

> Same pattern (loop with 'i' used after no-break) appears in other iio
> drivers too. Maybe that is what you saw.

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
  2026-05-10  2:35 [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Stepan Ionichev
  2026-05-10  3:06 ` Stepan Ionichev
  2026-05-10 10:15 ` Andy Shevchenko
@ 2026-05-10 12:53 ` Andy Shevchenko
  2 siblings, 0 replies; 5+ messages in thread
From: Andy Shevchenko @ 2026-05-10 12:53 UTC (permalink / raw)
  To: Stepan Ionichev
  Cc: jic23, dlechner, nuno.sa, andy, gregkh, hcazarim, linux-iio,
	linux-kernel

On Sun, May 10, 2026 at 07:35:00AM +0500, Stepan Ionichev wrote:
> bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the
> entry matching the bw_bits value read from the chip:
> 
> 	for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
> 		if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
> 			break;
> 	}
> 	*val = bmg160_samp_freq_table[i].filter;
> 
> If no entry matches, i ends up equal to the array size and the next
> line reads one slot past the end. bmg160_set_filter() has the same
> shape, driven by 'val' instead of bw_bits.
> 
> smatch flags both:
> 
>   drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
>   buffer overflow 'bmg160_samp_freq_table' 7 <= 7
>   drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
>   buffer overflow 'bmg160_samp_freq_table' 7 <= 7
> 
> Return -EINVAL when no entry matches.

Sounds legit and proper behaviour in this case.
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-05-10 12:53 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-10  2:35 [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Stepan Ionichev
2026-05-10  3:06 ` Stepan Ionichev
2026-05-10 11:56   ` Andy Shevchenko
2026-05-10 10:15 ` Andy Shevchenko
2026-05-10 12:53 ` Andy Shevchenko

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox