* [PATCH] iio: adc: ad7124: fix possible OOB array access
@ 2025-10-22 15:15 David Lechner
2025-10-22 16:54 ` Marcelo Schmitt
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: David Lechner @ 2025-10-22 15:15 UTC (permalink / raw)
To: Michael Hennerich, Jonathan Cameron, Nuno Sá,
Andy Shevchenko
Cc: Jonathan Cameron, linux-iio, linux-kernel, Dan Carpenter,
David Lechner
Reorder the channel bounds check before using it to index into the
channels array in ad7124_release_config_slot(). This prevents reading
past the end of the array.
The value read from invalid memory was not used, so this was mostly
harmless, but we still should not be reading out of bounds in the first
place.
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/linux-iio/aPi6V-hcaKReSNWK@stanley.mountain/
Fixes: 9065197e0d41 ("iio: adc: ad7124: change setup reg allocation strategy")
Signed-off-by: David Lechner <dlechner@baylibre.com>
---
drivers/iio/adc/ad7124.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
index 9d58ced7371d0af7004a81153888714e9795d4f4..ed828a82acb71342fb2eae27abfbbd86861cba53 100644
--- a/drivers/iio/adc/ad7124.c
+++ b/drivers/iio/adc/ad7124.c
@@ -586,13 +586,18 @@ static int ad7124_request_config_slot(struct ad7124_state *st, u8 channel)
static void ad7124_release_config_slot(struct ad7124_state *st, u8 channel)
{
- unsigned int slot = st->channels[channel].cfg.cfg_slot;
+ unsigned int slot;
/*
- * All of these conditions can happen at probe when all channels are
- * disabled. Otherwise, they should not happen normally.
+ * All of these early return conditions can happen at probe when all
+ * channels are disabled. Otherwise, they should not happen normally.
*/
- if (channel >= st->num_channels || slot == AD7124_CFG_SLOT_UNASSIGNED ||
+ if (channel >= st->num_channels)
+ return;
+
+ slot = st->channels[channel].cfg.cfg_slot;
+
+ if (slot == AD7124_CFG_SLOT_UNASSIGNED ||
st->cfg_slot_use_count[slot] == 0)
return;
---
base-commit: 89cba586b8b4cde09c44b1896624720ea29f0205
change-id: 20251022-iio-adc-ad7124-fix-possible-oob-array-access-239be24ac692
Best regards,
--
David Lechner <dlechner@baylibre.com>
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH] iio: adc: ad7124: fix possible OOB array access
2025-10-22 15:15 [PATCH] iio: adc: ad7124: fix possible OOB array access David Lechner
@ 2025-10-22 16:54 ` Marcelo Schmitt
2025-10-22 16:59 ` David Lechner
2025-10-22 17:18 ` Dan Carpenter
2025-10-27 14:27 ` Jonathan Cameron
2 siblings, 1 reply; 6+ messages in thread
From: Marcelo Schmitt @ 2025-10-22 16:54 UTC (permalink / raw)
To: David Lechner
Cc: Michael Hennerich, Jonathan Cameron, Nuno Sá,
Andy Shevchenko, Jonathan Cameron, linux-iio, linux-kernel,
Dan Carpenter
Hi David,
One minor question inline.
Nevertheless, the fix looks good to me.
Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
On 10/22, David Lechner wrote:
> Reorder the channel bounds check before using it to index into the
> channels array in ad7124_release_config_slot(). This prevents reading
> past the end of the array.
>
> The value read from invalid memory was not used, so this was mostly
What is considered using the value in this context? (see other comment below)
> harmless, but we still should not be reading out of bounds in the first
> place.
>
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/linux-iio/aPi6V-hcaKReSNWK@stanley.mountain/
> Fixes: 9065197e0d41 ("iio: adc: ad7124: change setup reg allocation strategy")
> Signed-off-by: David Lechner <dlechner@baylibre.com>
> ---
> drivers/iio/adc/ad7124.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
> index 9d58ced7371d0af7004a81153888714e9795d4f4..ed828a82acb71342fb2eae27abfbbd86861cba53 100644
> --- a/drivers/iio/adc/ad7124.c
> +++ b/drivers/iio/adc/ad7124.c
> @@ -586,13 +586,18 @@ static int ad7124_request_config_slot(struct ad7124_state *st, u8 channel)
>
> static void ad7124_release_config_slot(struct ad7124_state *st, u8 channel)
> {
> - unsigned int slot = st->channels[channel].cfg.cfg_slot;
> + unsigned int slot;
>
> /*
> - * All of these conditions can happen at probe when all channels are
> - * disabled. Otherwise, they should not happen normally.
> + * All of these early return conditions can happen at probe when all
> + * channels are disabled. Otherwise, they should not happen normally.
> */
> - if (channel >= st->num_channels || slot == AD7124_CFG_SLOT_UNASSIGNED ||
> + if (channel >= st->num_channels)
> + return;
> +
> + slot = st->channels[channel].cfg.cfg_slot;
> +
> + if (slot == AD7124_CFG_SLOT_UNASSIGNED ||
> st->cfg_slot_use_count[slot] == 0)
Wasn't the value potentially read from invalid memory used above?
It's fixed now, so I guess there's no point in nitpicking on that.
> return;
Best regards,
Marcelo
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] iio: adc: ad7124: fix possible OOB array access
2025-10-22 16:54 ` Marcelo Schmitt
@ 2025-10-22 16:59 ` David Lechner
2025-10-22 17:45 ` Marcelo Schmitt
0 siblings, 1 reply; 6+ messages in thread
From: David Lechner @ 2025-10-22 16:59 UTC (permalink / raw)
To: Marcelo Schmitt
Cc: Michael Hennerich, Jonathan Cameron, Nuno Sá,
Andy Shevchenko, Jonathan Cameron, linux-iio, linux-kernel,
Dan Carpenter
On 10/22/25 11:54 AM, Marcelo Schmitt wrote:
> Hi David,
>
> One minor question inline.
> Nevertheless, the fix looks good to me.
>
> Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
>
> On 10/22, David Lechner wrote:
>> Reorder the channel bounds check before using it to index into the
>> channels array in ad7124_release_config_slot(). This prevents reading
>> past the end of the array.
>>
>> The value read from invalid memory was not used, so this was mostly
> What is considered using the value in this context? (see other comment below)
>
>> harmless, but we still should not be reading out of bounds in the first
>> place.
>>
>> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
>> Closes: https://lore.kernel.org/linux-iio/aPi6V-hcaKReSNWK@stanley.mountain/
>> Fixes: 9065197e0d41 ("iio: adc: ad7124: change setup reg allocation strategy")
>> Signed-off-by: David Lechner <dlechner@baylibre.com>
>> ---
>> drivers/iio/adc/ad7124.c | 13 +++++++++----
>> 1 file changed, 9 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
>> index 9d58ced7371d0af7004a81153888714e9795d4f4..ed828a82acb71342fb2eae27abfbbd86861cba53 100644
>> --- a/drivers/iio/adc/ad7124.c
>> +++ b/drivers/iio/adc/ad7124.c
>> @@ -586,13 +586,18 @@ static int ad7124_request_config_slot(struct ad7124_state *st, u8 channel)
>>
>> static void ad7124_release_config_slot(struct ad7124_state *st, u8 channel)
>> {
>> - unsigned int slot = st->channels[channel].cfg.cfg_slot;
>> + unsigned int slot;
>>
>> /*
>> - * All of these conditions can happen at probe when all channels are
>> - * disabled. Otherwise, they should not happen normally.
>> + * All of these early return conditions can happen at probe when all
>> + * channels are disabled. Otherwise, they should not happen normally.
>> */
>> - if (channel >= st->num_channels || slot == AD7124_CFG_SLOT_UNASSIGNED ||
>> + if (channel >= st->num_channels)
>> + return;
>> +
>> + slot = st->channels[channel].cfg.cfg_slot;
>> +
>> + if (slot == AD7124_CFG_SLOT_UNASSIGNED ||
>> st->cfg_slot_use_count[slot] == 0)
> Wasn't the value potentially read from invalid memory used above?
> It's fixed now, so I guess there's no point in nitpicking on that.
This code was unreachable with an undefined slot even before
this change because of the check to channel >= st->num_channels
before it.
>
>> return;
>
> Best regards,
> Marcelo
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] iio: adc: ad7124: fix possible OOB array access
2025-10-22 16:59 ` David Lechner
@ 2025-10-22 17:45 ` Marcelo Schmitt
0 siblings, 0 replies; 6+ messages in thread
From: Marcelo Schmitt @ 2025-10-22 17:45 UTC (permalink / raw)
To: David Lechner
Cc: Michael Hennerich, Jonathan Cameron, Nuno Sá,
Andy Shevchenko, Jonathan Cameron, linux-iio, linux-kernel,
Dan Carpenter
On 10/22, David Lechner wrote:
> On 10/22/25 11:54 AM, Marcelo Schmitt wrote:
> > Hi David,
> >
> > One minor question inline.
> > Nevertheless, the fix looks good to me.
> >
> > Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
> >
> > On 10/22, David Lechner wrote:
> >> Reorder the channel bounds check before using it to index into the
> >> channels array in ad7124_release_config_slot(). This prevents reading
> >> past the end of the array.
> >>
> >> The value read from invalid memory was not used, so this was mostly
> > What is considered using the value in this context? (see other comment below)
> >
> >> harmless, but we still should not be reading out of bounds in the first
> >> place.
> >>
> >> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> >> Closes: https://lore.kernel.org/linux-iio/aPi6V-hcaKReSNWK@stanley.mountain/
> >> Fixes: 9065197e0d41 ("iio: adc: ad7124: change setup reg allocation strategy")
> >> Signed-off-by: David Lechner <dlechner@baylibre.com>
> >> ---
> >> drivers/iio/adc/ad7124.c | 13 +++++++++----
> >> 1 file changed, 9 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
> >> index 9d58ced7371d0af7004a81153888714e9795d4f4..ed828a82acb71342fb2eae27abfbbd86861cba53 100644
> >> --- a/drivers/iio/adc/ad7124.c
> >> +++ b/drivers/iio/adc/ad7124.c
> >> @@ -586,13 +586,18 @@ static int ad7124_request_config_slot(struct ad7124_state *st, u8 channel)
> >>
> >> static void ad7124_release_config_slot(struct ad7124_state *st, u8 channel)
> >> {
> >> - unsigned int slot = st->channels[channel].cfg.cfg_slot;
> >> + unsigned int slot;
> >>
> >> /*
> >> - * All of these conditions can happen at probe when all channels are
> >> - * disabled. Otherwise, they should not happen normally.
> >> + * All of these early return conditions can happen at probe when all
> >> + * channels are disabled. Otherwise, they should not happen normally.
> >> */
> >> - if (channel >= st->num_channels || slot == AD7124_CFG_SLOT_UNASSIGNED ||
> >> + if (channel >= st->num_channels)
> >> + return;
> >> +
> >> + slot = st->channels[channel].cfg.cfg_slot;
> >> +
> >> + if (slot == AD7124_CFG_SLOT_UNASSIGNED ||
> >> st->cfg_slot_use_count[slot] == 0)
> > Wasn't the value potentially read from invalid memory used above?
> > It's fixed now, so I guess there's no point in nitpicking on that.
>
> This code was unreachable with an undefined slot even before
> this change because of the check to channel >= st->num_channels
> before it.
>
ah, got it. Duh, should have realized channel >= st->num_channels always true
for the invalid access case.
Thanks
> >
> >> return;
> >
> > Best regards,
> > Marcelo
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] iio: adc: ad7124: fix possible OOB array access
2025-10-22 15:15 [PATCH] iio: adc: ad7124: fix possible OOB array access David Lechner
2025-10-22 16:54 ` Marcelo Schmitt
@ 2025-10-22 17:18 ` Dan Carpenter
2025-10-27 14:27 ` Jonathan Cameron
2 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2025-10-22 17:18 UTC (permalink / raw)
To: David Lechner, Marcelo Schmitt
Cc: Michael Hennerich, Jonathan Cameron, Nuno Sá,
Andy Shevchenko, Jonathan Cameron, linux-iio, linux-kernel
On Wed, Oct 22, 2025 at 10:15:05AM -0500, David Lechner wrote:
> Reorder the channel bounds check before using it to index into the
> channels array in ad7124_release_config_slot(). This prevents reading
> past the end of the array.
>
> The value read from invalid memory was not used, so this was mostly
> harmless,
I didn't spend a lot of time looking at the callers, but an out of bounds
read will cause a KASAN warning at runtime (hopefully) and if the page
we're reading from isn't mapped then it can cause a crash.
So, it's not like we can exploit this to get root but it potentially
could be annoying.
> but we still should not be reading out of bounds in the first place.
Thanks!
regards,
dan carpenter
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] iio: adc: ad7124: fix possible OOB array access
2025-10-22 15:15 [PATCH] iio: adc: ad7124: fix possible OOB array access David Lechner
2025-10-22 16:54 ` Marcelo Schmitt
2025-10-22 17:18 ` Dan Carpenter
@ 2025-10-27 14:27 ` Jonathan Cameron
2 siblings, 0 replies; 6+ messages in thread
From: Jonathan Cameron @ 2025-10-27 14:27 UTC (permalink / raw)
To: David Lechner
Cc: Michael Hennerich, Nuno Sá, Andy Shevchenko,
Jonathan Cameron, linux-iio, linux-kernel, Dan Carpenter
On Wed, 22 Oct 2025 10:15:05 -0500
David Lechner <dlechner@baylibre.com> wrote:
> Reorder the channel bounds check before using it to index into the
> channels array in ad7124_release_config_slot(). This prevents reading
> past the end of the array.
>
> The value read from invalid memory was not used, so this was mostly
> harmless, but we still should not be reading out of bounds in the first
> place.
>
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/linux-iio/aPi6V-hcaKReSNWK@stanley.mountain/
> Fixes: 9065197e0d41 ("iio: adc: ad7124: change setup reg allocation strategy")
> Signed-off-by: David Lechner <dlechner@baylibre.com>
Applied to the togreg branch of iio.git.
thanks,
J
> ---
> drivers/iio/adc/ad7124.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
> index 9d58ced7371d0af7004a81153888714e9795d4f4..ed828a82acb71342fb2eae27abfbbd86861cba53 100644
> --- a/drivers/iio/adc/ad7124.c
> +++ b/drivers/iio/adc/ad7124.c
> @@ -586,13 +586,18 @@ static int ad7124_request_config_slot(struct ad7124_state *st, u8 channel)
>
> static void ad7124_release_config_slot(struct ad7124_state *st, u8 channel)
> {
> - unsigned int slot = st->channels[channel].cfg.cfg_slot;
> + unsigned int slot;
>
> /*
> - * All of these conditions can happen at probe when all channels are
> - * disabled. Otherwise, they should not happen normally.
> + * All of these early return conditions can happen at probe when all
> + * channels are disabled. Otherwise, they should not happen normally.
> */
> - if (channel >= st->num_channels || slot == AD7124_CFG_SLOT_UNASSIGNED ||
> + if (channel >= st->num_channels)
> + return;
> +
> + slot = st->channels[channel].cfg.cfg_slot;
> +
> + if (slot == AD7124_CFG_SLOT_UNASSIGNED ||
> st->cfg_slot_use_count[slot] == 0)
> return;
>
>
> ---
> base-commit: 89cba586b8b4cde09c44b1896624720ea29f0205
> change-id: 20251022-iio-adc-ad7124-fix-possible-oob-array-access-239be24ac692
>
> Best regards,
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-10-27 14:27 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-22 15:15 [PATCH] iio: adc: ad7124: fix possible OOB array access David Lechner
2025-10-22 16:54 ` Marcelo Schmitt
2025-10-22 16:59 ` David Lechner
2025-10-22 17:45 ` Marcelo Schmitt
2025-10-22 17:18 ` Dan Carpenter
2025-10-27 14:27 ` Jonathan Cameron
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox