[PATCH 1/3] iio: adc: ti-ads1298: add bounds check to pga_settings index

[PATCH 1/3] iio: adc: ti-ads1298: add bounds check to pga_settings index

[Greg Kroah-Hartman]

From: Sam Daly <sam@samdaly.ie>

ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
values 0-7. If it yields a value >= 7, this causes an out-of-bounds
array access. Add a bounds check and return -EINVAL if the index
is out of range.

Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/ti-ads1298.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/adc/ti-ads1298.c b/drivers/iio/adc/ti-ads1298.c
index ae30b47e4514..731792f06993 100644
--- a/drivers/iio/adc/ti-ads1298.c
+++ b/drivers/iio/adc/ti-ads1298.c
@@ -279,6 +279,7 @@ static const u8 ads1298_pga_settings[] = { 6, 1, 2, 3, 4, 8, 12 };
 static int ads1298_get_scale(struct ads1298_private *priv,
 			     int channel, int *val, int *val2)
 {
+	unsigned int pga_idx;
 	int ret;
 	unsigned int regval;
 	u8 gain;
@@ -302,7 +303,11 @@ static int ads1298_get_scale(struct ads1298_private *priv,
 	if (ret)
 		return ret;
 
-	gain = ads1298_pga_settings[FIELD_GET(ADS1298_MASK_CH_PGA, regval)];
+	pga_idx = FIELD_GET(ADS1298_MASK_CH_PGA, regval);
+	if (pga_idx >= ARRAY_SIZE(ads1298_pga_settings))
+		return -EINVAL;
+
+	gain = ads1298_pga_settings[pga_idx];
 	*val /= gain; /* Full scale is VREF / gain */
 
 	*val2 = ADS1298_BITS_PER_SAMPLE - 1; /* Signed, hence the -1 */
-- 
2.54.0

[PATCH 2/3] iio: light: veml6075: add bounds check to veml6075_it_ms index

[Greg Kroah-Hartman]

From: Sam Daly <sam@samdaly.ie>

veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield
values 0-7. If it returns a value >= 5, this causes an
out-of-bounds array access. Add a bounds check and return
-EINVAL if the index is out of range.

Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Cc: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/light/veml6075.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/light/veml6075.c b/drivers/iio/light/veml6075.c
index edbb43407054..f7eb159e5cb4 100644
--- a/drivers/iio/light/veml6075.c
+++ b/drivers/iio/light/veml6075.c
@@ -100,7 +100,7 @@ static const struct iio_chan_spec veml6075_channels[] = {
 
 static int veml6075_request_measurement(struct veml6075_data *data)
 {
-	int ret, conf, int_time;
+	int ret, conf, int_time, int_index;
 
 	ret = regmap_read(data->regmap, VEML6075_CMD_CONF, &conf);
 	if (ret < 0)
@@ -117,7 +117,11 @@ static int veml6075_request_measurement(struct veml6075_data *data)
 	 * time for all possible configurations. Using a 1.50 factor simplifies
 	 * operations and ensures reliability under all circumstances.
 	 */
-	int_time = veml6075_it_ms[FIELD_GET(VEML6075_CONF_IT, conf)];
+	int_index = FIELD_GET(VEML6075_CONF_IT, conf);
+	if (int_index >= ARRAY_SIZE(veml6075_it_ms))
+		return -EINVAL;
+
+	int_time = veml6075_it_ms[int_index];
 	msleep(int_time + (int_time / 2));
 
 	/* shutdown again, data registers are still accessible */
-- 
2.54.0

[PATCH 3/3] iio: adc: ad7768-1: add bounds check to ad7768_filter_regval_to_type index

[Greg Kroah-Hartman]

From: Sam Daly <sam@samdaly.ie>

ad7768_filter_regval_to_type has 12 elements but the combined mask
AD7768_DIG_FIL_EN_60HZ_REJ | AD7768_DIG_FIL_FIL_MSK spans 4 bits
and can yield values 0-15. If it returns a value >= 12, this causes
an out-of-bounds array access. Add a bounds check and return -EINVAL
if the index is out of range.

Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Michael Hennerich <Michael.Hennerich@analog.com>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/ad7768-1.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
index e16dede687d3..52e95017d36b 100644
--- a/drivers/iio/adc/ad7768-1.c
+++ b/drivers/iio/adc/ad7768-1.c
@@ -897,7 +897,7 @@ static int ad7768_get_filter_type_attr(struct iio_dev *dev,
 {
 	struct ad7768_state *st = iio_priv(dev);
 	int ret;
-	unsigned int mode, mask;
+	unsigned int mode, mask, idx;
 
 	ret = regmap_read(st->regmap, AD7768_REG_DIGITAL_FILTER, &mode);
 	if (ret)
@@ -905,7 +905,11 @@ static int ad7768_get_filter_type_attr(struct iio_dev *dev,
 
 	mask = AD7768_DIG_FIL_EN_60HZ_REJ | AD7768_DIG_FIL_FIL_MSK;
 	/* From the register value, get the corresponding filter type */
-	return ad7768_filter_regval_to_type[FIELD_GET(mask, mode)];
+	idx = FIELD_GET(mask, mode);
+	if (idx >= ARRAY_SIZE(ad7768_filter_regval_to_type))
+		return -EINVAL;
+
+	return ad7768_filter_regval_to_type[idx];
 }
 
 static int ad7768_update_dec_rate(struct iio_dev *dev, unsigned int dec_rate)
-- 
2.54.0

Re: [PATCH 2/3] iio: light: veml6075: add bounds check to veml6075_it_ms index

[Javier Carrasco]

On Fri May 15, 2026 at 5:23 AM +13, Greg Kroah-Hartman wrote:
> From: Sam Daly <sam@samdaly.ie>
>
> veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield
> values 0-7. If it returns a value >= 5, this causes an
> out-of-bounds array access. Add a bounds check and return
> -EINVAL if the index is out of range.
>
> Assisted-by: gkh_clanker_2000
> Cc: stable <stable@kernel.org>
> Cc: Javier Carrasco <javier.carrasco.cruz@gmail.com>
> Cc: Jonathan Cameron <jic23@kernel.org>
> Cc: David Lechner <dlechner@baylibre.com>
> Cc: "Nuno Sá" <nuno.sa@analog.com>
> Cc: Andy Shevchenko <andy@kernel.org>
> Signed-off-by: Sam Daly <sam@samdaly.ie>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/iio/light/veml6075.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/iio/light/veml6075.c b/drivers/iio/light/veml6075.c
> index edbb43407054..f7eb159e5cb4 100644
> --- a/drivers/iio/light/veml6075.c
> +++ b/drivers/iio/light/veml6075.c
> @@ -100,7 +100,7 @@ static const struct iio_chan_spec veml6075_channels[] = {
>
>  static int veml6075_request_measurement(struct veml6075_data *data)
>  {
> -	int ret, conf, int_time;
> +	int ret, conf, int_time, int_index;
>
>  	ret = regmap_read(data->regmap, VEML6075_CMD_CONF, &conf);
>  	if (ret < 0)
> @@ -117,7 +117,11 @@ static int veml6075_request_measurement(struct veml6075_data *data)
>  	 * time for all possible configurations. Using a 1.50 factor simplifies
>  	 * operations and ensures reliability under all circumstances.
>  	 */
> -	int_time = veml6075_it_ms[FIELD_GET(VEML6075_CONF_IT, conf)];
> +	int_index = FIELD_GET(VEML6075_CONF_IT, conf);
> +	if (int_index >= ARRAY_SIZE(veml6075_it_ms))
> +		return -EINVAL;
> +
> +	int_time = veml6075_it_ms[int_index];
>  	msleep(int_time + (int_time / 2));
>
>  	/* shutdown again, data registers are still accessible */

Reviewed-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>

Re: [PATCH 2/3] iio: light: veml6075: add bounds check to veml6075_it_ms index

[Jonathan Cameron]

On Fri, 15 May 2026 08:17:18 +1300
"Javier Carrasco" <javier.carrasco.cruz@gmail.com> wrote:

> On Fri May 15, 2026 at 5:23 AM +13, Greg Kroah-Hartman wrote:
> > From: Sam Daly <sam@samdaly.ie>
> >
> > veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield
> > values 0-7. If it returns a value >= 5, this causes an
> > out-of-bounds array access. Add a bounds check and return
> > -EINVAL if the index is out of range.

I'd prefer it if this sort of change called out that we don't expect
to ever see those values except when we have bus corruption or
a broken device.  Good to protect against but that info might help
folk decide whether to backport or not.

I'll add a note whilst applying.  Applied to the fixes-togreg
branch of iio.git.  I also rewrapped the description as 60 chars
is rather short.

Applied

Jonathan

> >
> > Assisted-by: gkh_clanker_2000
> > Cc: stable <stable@kernel.org>
> > Cc: Javier Carrasco <javier.carrasco.cruz@gmail.com>
> > Cc: Jonathan Cameron <jic23@kernel.org>
> > Cc: David Lechner <dlechner@baylibre.com>
> > Cc: "Nuno Sá" <nuno.sa@analog.com>
> > Cc: Andy Shevchenko <andy@kernel.org>
> > Signed-off-by: Sam Daly <sam@samdaly.ie>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> >  drivers/iio/light/veml6075.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/iio/light/veml6075.c b/drivers/iio/light/veml6075.c
> > index edbb43407054..f7eb159e5cb4 100644
> > --- a/drivers/iio/light/veml6075.c
> > +++ b/drivers/iio/light/veml6075.c
> > @@ -100,7 +100,7 @@ static const struct iio_chan_spec veml6075_channels[] = {
> >
> >  static int veml6075_request_measurement(struct veml6075_data *data)
> >  {
> > -	int ret, conf, int_time;
> > +	int ret, conf, int_time, int_index;
> >
> >  	ret = regmap_read(data->regmap, VEML6075_CMD_CONF, &conf);
> >  	if (ret < 0)
> > @@ -117,7 +117,11 @@ static int veml6075_request_measurement(struct veml6075_data *data)
> >  	 * time for all possible configurations. Using a 1.50 factor simplifies
> >  	 * operations and ensures reliability under all circumstances.
> >  	 */
> > -	int_time = veml6075_it_ms[FIELD_GET(VEML6075_CONF_IT, conf)];
> > +	int_index = FIELD_GET(VEML6075_CONF_IT, conf);
> > +	if (int_index >= ARRAY_SIZE(veml6075_it_ms))
> > +		return -EINVAL;
> > +
> > +	int_time = veml6075_it_ms[int_index];
> >  	msleep(int_time + (int_time / 2));
> >
> >  	/* shutdown again, data registers are still accessible */  
> 
> Reviewed-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>

Re: [PATCH 1/3] iio: adc: ti-ads1298: add bounds check to pga_settings index

[Jonathan Cameron]

On Thu, 14 May 2026 18:23:20 +0200
Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:

> From: Sam Daly <sam@samdaly.ie>
> 
> ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
> values 0-7. If it yields a value >= 7, this causes an out-of-bounds
> array access. Add a bounds check and return -EINVAL if the index
> is out of range.
> 
I'll add something about the other value be reserved whilst applying.

Note that Sashiko has found a more involved similar case (I haven't
checked it)

https://sashiko.dev/#/patchset/2026051420-strudel-graves-f6cd%40gregkh

Whilst ideally we should harden drivers against faulty values from
hardware, sometimes (like that one) it gets rather involved to actually
do!  Hence I'm not suggesting we actually fix that one but if anyone
does want to take a look - go ahead.

Jonathan


> Assisted-by: gkh_clanker_2000
> Cc: stable <stable@kernel.org>
> Cc: Jonathan Cameron <jic23@kernel.org>
> Cc: David Lechner <dlechner@baylibre.com>
> Cc: "Nuno Sá" <nuno.sa@analog.com>
> Cc: Andy Shevchenko <andy@kernel.org>
> Signed-off-by: Sam Daly <sam@samdaly.ie>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/iio/adc/ti-ads1298.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/iio/adc/ti-ads1298.c b/drivers/iio/adc/ti-ads1298.c
> index ae30b47e4514..731792f06993 100644
> --- a/drivers/iio/adc/ti-ads1298.c
> +++ b/drivers/iio/adc/ti-ads1298.c
> @@ -279,6 +279,7 @@ static const u8 ads1298_pga_settings[] = { 6, 1, 2, 3, 4, 8, 12 };
>  static int ads1298_get_scale(struct ads1298_private *priv,
>  			     int channel, int *val, int *val2)
>  {
> +	unsigned int pga_idx;
>  	int ret;
>  	unsigned int regval;
>  	u8 gain;
> @@ -302,7 +303,11 @@ static int ads1298_get_scale(struct ads1298_private *priv,
>  	if (ret)
>  		return ret;
>  
> -	gain = ads1298_pga_settings[FIELD_GET(ADS1298_MASK_CH_PGA, regval)];
> +	pga_idx = FIELD_GET(ADS1298_MASK_CH_PGA, regval);
> +	if (pga_idx >= ARRAY_SIZE(ads1298_pga_settings))
> +		return -EINVAL;
> +
> +	gain = ads1298_pga_settings[pga_idx];
>  	*val /= gain; /* Full scale is VREF / gain */
>  
>  	*val2 = ADS1298_BITS_PER_SAMPLE - 1; /* Signed, hence the -1 */

Re: [PATCH 3/3] iio: adc: ad7768-1: add bounds check to ad7768_filter_regval_to_type index

[Jonathan Cameron]

On Thu, 14 May 2026 18:23:22 +0200
Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:

> From: Sam Daly <sam@samdaly.ie>
> 
> ad7768_filter_regval_to_type has 12 elements but the combined mask
> AD7768_DIG_FIL_EN_60HZ_REJ | AD7768_DIG_FIL_FIL_MSK spans 4 bits
> and can yield values 0-15. If it returns a value >= 12, this causes
> an out-of-bounds array access. Add a bounds check and return -EINVAL
> if the index is out of range.

I think this needs some more explanation as that's a sparsely filled array.
Now we are considering hardware returning values it shouldn't it gets
more complex.

So whilst it's not going to cause an out of bounds read, if we
get say a 5 then it shouldn't map to a SINC5 filter, but instead
return an error.

I suppose we could do it as a pair of fixes, but it feels like explicit
value matching is to ones we expect may well involve switching from
an array to a switch statement and once we've done that what is
being fixed here will be a natural side effect.

Given it's hardening against stuff we don't expect I'm not that worried
if it takes a little while to get the more complete fix in place.

Jonathan



> 
> Assisted-by: gkh_clanker_2000
> Cc: stable <stable@kernel.org>
> Cc: Lars-Peter Clausen <lars@metafoo.de>
> Cc: Michael Hennerich <Michael.Hennerich@analog.com>
> Cc: Jonathan Cameron <jic23@kernel.org>
> Cc: David Lechner <dlechner@baylibre.com>
> Cc: "Nuno Sá" <nuno.sa@analog.com>
> Cc: Andy Shevchenko <andy@kernel.org>
> Signed-off-by: Sam Daly <sam@samdaly.ie>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/iio/adc/ad7768-1.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
> index e16dede687d3..52e95017d36b 100644
> --- a/drivers/iio/adc/ad7768-1.c
> +++ b/drivers/iio/adc/ad7768-1.c
> @@ -897,7 +897,7 @@ static int ad7768_get_filter_type_attr(struct iio_dev *dev,
>  {
>  	struct ad7768_state *st = iio_priv(dev);
>  	int ret;
> -	unsigned int mode, mask;
> +	unsigned int mode, mask, idx;
>  
>  	ret = regmap_read(st->regmap, AD7768_REG_DIGITAL_FILTER, &mode);
>  	if (ret)
> @@ -905,7 +905,11 @@ static int ad7768_get_filter_type_attr(struct iio_dev *dev,
>  
>  	mask = AD7768_DIG_FIL_EN_60HZ_REJ | AD7768_DIG_FIL_FIL_MSK;
>  	/* From the register value, get the corresponding filter type */
> -	return ad7768_filter_regval_to_type[FIELD_GET(mask, mode)];
> +	idx = FIELD_GET(mask, mode);
> +	if (idx >= ARRAY_SIZE(ad7768_filter_regval_to_type))
> +		return -EINVAL;
> +
> +	return ad7768_filter_regval_to_type[idx];
>  }
>  
>  static int ad7768_update_dec_rate(struct iio_dev *dev, unsigned int dec_rate)

Re: [PATCH 2/3] iio: light: veml6075: add bounds check to veml6075_it_ms index

[Greg Kroah-Hartman]

On Fri, May 15, 2026 at 03:33:07PM +0100, Jonathan Cameron wrote:
> On Fri, 15 May 2026 08:17:18 +1300
> "Javier Carrasco" <javier.carrasco.cruz@gmail.com> wrote:
> 
> > On Fri May 15, 2026 at 5:23 AM +13, Greg Kroah-Hartman wrote:
> > > From: Sam Daly <sam@samdaly.ie>
> > >
> > > veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield
> > > values 0-7. If it returns a value >= 5, this causes an
> > > out-of-bounds array access. Add a bounds check and return
> > > -EINVAL if the index is out of range.
> 
> I'd prefer it if this sort of change called out that we don't expect
> to ever see those values except when we have bus corruption or
> a broken device.  Good to protect against but that info might help
> folk decide whether to backport or not.

Thanks.  This came from a run of "look at all of these bugfixes and find
where we need to also apply the same pattern" of my bot.

> I'll add a note whilst applying.  Applied to the fixes-togreg
> branch of iio.git.  I also rewrapped the description as 60 chars
> is rather short.

Thanks!

greg k-h

Re: [PATCH 1/3] iio: adc: ti-ads1298: add bounds check to pga_settings index

[Greg Kroah-Hartman]

On Fri, May 15, 2026 at 03:39:13PM +0100, Jonathan Cameron wrote:
> On Thu, 14 May 2026 18:23:20 +0200
> Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> 
> > From: Sam Daly <sam@samdaly.ie>
> > 
> > ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
> > values 0-7. If it yields a value >= 7, this causes an out-of-bounds
> > array access. Add a bounds check and return -EINVAL if the index
> > is out of range.
> > 
> I'll add something about the other value be reserved whilst applying.
> 
> Note that Sashiko has found a more involved similar case (I haven't
> checked it)
> 
> https://sashiko.dev/#/patchset/2026051420-strudel-graves-f6cd%40gregkh
> 
> Whilst ideally we should harden drivers against faulty values from
> hardware, sometimes (like that one) it gets rather involved to actually
> do!  Hence I'm not suggesting we actually fix that one but if anyone
> does want to take a look - go ahead.

Right now, once a driver binds to a device, we "trust" the hardware
works properly.  But "obvious issues" like this patch and the series are
good to have for some devices where the same pattern of fix has been
applied elsewhere in the tree.

thanks,

greg k-h