From: Jonathan Cameron <jic23@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
"Sam Daly" <sam@samdaly.ie>, stable <stable@kernel.org>,
"Lars-Peter Clausen" <lars@metafoo.de>,
"Michael Hennerich" <Michael.Hennerich@analog.com>,
"David Lechner" <dlechner@baylibre.com>,
"Nuno Sá" <nuno.sa@analog.com>,
"Andy Shevchenko" <andy@kernel.org>
Subject: Re: [PATCH 3/3] iio: adc: ad7768-1: add bounds check to ad7768_filter_regval_to_type index
Date: Fri, 15 May 2026 15:52:30 +0100 [thread overview]
Message-ID: <20260515155230.6d7402db@jic23-huawei> (raw)
In-Reply-To: <2026051423-snowcap-excusably-2b68@gregkh>
On Thu, 14 May 2026 18:23:22 +0200
Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> From: Sam Daly <sam@samdaly.ie>
>
> ad7768_filter_regval_to_type has 12 elements but the combined mask
> AD7768_DIG_FIL_EN_60HZ_REJ | AD7768_DIG_FIL_FIL_MSK spans 4 bits
> and can yield values 0-15. If it returns a value >= 12, this causes
> an out-of-bounds array access. Add a bounds check and return -EINVAL
> if the index is out of range.
I think this needs some more explanation as that's a sparsely filled array.
Now we are considering hardware returning values it shouldn't it gets
more complex.
So whilst it's not going to cause an out of bounds read, if we
get say a 5 then it shouldn't map to a SINC5 filter, but instead
return an error.
I suppose we could do it as a pair of fixes, but it feels like explicit
value matching is to ones we expect may well involve switching from
an array to a switch statement and once we've done that what is
being fixed here will be a natural side effect.
Given it's hardening against stuff we don't expect I'm not that worried
if it takes a little while to get the more complete fix in place.
Jonathan
>
> Assisted-by: gkh_clanker_2000
> Cc: stable <stable@kernel.org>
> Cc: Lars-Peter Clausen <lars@metafoo.de>
> Cc: Michael Hennerich <Michael.Hennerich@analog.com>
> Cc: Jonathan Cameron <jic23@kernel.org>
> Cc: David Lechner <dlechner@baylibre.com>
> Cc: "Nuno Sá" <nuno.sa@analog.com>
> Cc: Andy Shevchenko <andy@kernel.org>
> Signed-off-by: Sam Daly <sam@samdaly.ie>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> drivers/iio/adc/ad7768-1.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
> index e16dede687d3..52e95017d36b 100644
> --- a/drivers/iio/adc/ad7768-1.c
> +++ b/drivers/iio/adc/ad7768-1.c
> @@ -897,7 +897,7 @@ static int ad7768_get_filter_type_attr(struct iio_dev *dev,
> {
> struct ad7768_state *st = iio_priv(dev);
> int ret;
> - unsigned int mode, mask;
> + unsigned int mode, mask, idx;
>
> ret = regmap_read(st->regmap, AD7768_REG_DIGITAL_FILTER, &mode);
> if (ret)
> @@ -905,7 +905,11 @@ static int ad7768_get_filter_type_attr(struct iio_dev *dev,
>
> mask = AD7768_DIG_FIL_EN_60HZ_REJ | AD7768_DIG_FIL_FIL_MSK;
> /* From the register value, get the corresponding filter type */
> - return ad7768_filter_regval_to_type[FIELD_GET(mask, mode)];
> + idx = FIELD_GET(mask, mode);
> + if (idx >= ARRAY_SIZE(ad7768_filter_regval_to_type))
> + return -EINVAL;
> +
> + return ad7768_filter_regval_to_type[idx];
> }
>
> static int ad7768_update_dec_rate(struct iio_dev *dev, unsigned int dec_rate)
next prev parent reply other threads:[~2026-05-15 14:52 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-14 16:23 [PATCH 1/3] iio: adc: ti-ads1298: add bounds check to pga_settings index Greg Kroah-Hartman
2026-05-14 16:23 ` [PATCH 2/3] iio: light: veml6075: add bounds check to veml6075_it_ms index Greg Kroah-Hartman
2026-05-14 19:17 ` Javier Carrasco
2026-05-15 14:33 ` Jonathan Cameron
2026-05-15 15:05 ` Greg Kroah-Hartman
2026-05-14 16:23 ` [PATCH 3/3] iio: adc: ad7768-1: add bounds check to ad7768_filter_regval_to_type index Greg Kroah-Hartman
2026-05-15 14:52 ` Jonathan Cameron [this message]
2026-05-15 14:39 ` [PATCH 1/3] iio: adc: ti-ads1298: add bounds check to pga_settings index Jonathan Cameron
2026-05-15 15:06 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260515155230.6d7402db@jic23-huawei \
--to=jic23@kernel.org \
--cc=Michael.Hennerich@analog.com \
--cc=andy@kernel.org \
--cc=dlechner@baylibre.com \
--cc=gregkh@linuxfoundation.org \
--cc=lars@metafoo.de \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nuno.sa@analog.com \
--cc=sam@samdaly.ie \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox