* [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
@ 2026-05-10 2:35 Stepan Ionichev
2026-05-10 3:06 ` Stepan Ionichev
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Stepan Ionichev @ 2026-05-10 2:35 UTC (permalink / raw)
To: jic23
Cc: dlechner, nuno.sa, andy, gregkh, hcazarim, linux-iio,
linux-kernel, sozdayvek
bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the
entry matching the bw_bits value read from the chip:
for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
break;
}
*val = bmg160_samp_freq_table[i].filter;
If no entry matches, i ends up equal to the array size and the next
line reads one slot past the end. bmg160_set_filter() has the same
shape, driven by 'val' instead of bw_bits.
smatch flags both:
drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
buffer overflow 'bmg160_samp_freq_table' 7 <= 7
drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
buffer overflow 'bmg160_samp_freq_table' 7 <= 7
Return -EINVAL when no entry matches.
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
---
drivers/iio/gyro/bmg160_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c
index 38394b5f3..58963f3ea 100644
--- a/drivers/iio/gyro/bmg160_core.c
+++ b/drivers/iio/gyro/bmg160_core.c
@@ -201,6 +201,9 @@ static int bmg160_get_filter(struct bmg160_data *data, int *val)
break;
}
+ if (i == ARRAY_SIZE(bmg160_samp_freq_table))
+ return -EINVAL;
+
*val = bmg160_samp_freq_table[i].filter;
return ret ? ret : IIO_VAL_INT;
@@ -218,6 +221,9 @@ static int bmg160_set_filter(struct bmg160_data *data, int val)
break;
}
+ if (i == ARRAY_SIZE(bmg160_samp_freq_table))
+ return -EINVAL;
+
ret = regmap_write(data->regmap, BMG160_REG_PMU_BW,
bmg160_samp_freq_table[i].bw_bits);
if (ret < 0) {
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
2026-05-10 2:35 [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Stepan Ionichev
@ 2026-05-10 3:06 ` Stepan Ionichev
2026-05-10 11:56 ` Andy Shevchenko
2026-05-10 10:15 ` Andy Shevchenko
` (2 subsequent siblings)
3 siblings, 1 reply; 6+ messages in thread
From: Stepan Ionichev @ 2026-05-10 3:06 UTC (permalink / raw)
To: andy
Cc: jic23, dlechner, nuno.sa, gregkh, hcazarim, linux-iio,
linux-kernel, sozdayvek
I checked patchwork for bmg160 -- no prior post for this fix. If you
remember the thread, point me to it.
Same pattern (loop with 'i' used after no-break) appears in other iio
drivers too. Maybe that is what you saw.
Stepan
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
2026-05-10 2:35 [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Stepan Ionichev
2026-05-10 3:06 ` Stepan Ionichev
@ 2026-05-10 10:15 ` Andy Shevchenko
2026-05-10 12:53 ` Andy Shevchenko
2026-05-11 16:23 ` Jonathan Cameron
3 siblings, 0 replies; 6+ messages in thread
From: Andy Shevchenko @ 2026-05-10 10:15 UTC (permalink / raw)
To: Stepan Ionichev
Cc: jic23, dlechner, nuno.sa, andy, gregkh, hcazarim, linux-iio,
linux-kernel
On Sun, May 10, 2026 at 07:35:00AM +0500, Stepan Ionichev wrote:
> bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the
> entry matching the bw_bits value read from the chip:
>
> for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
> if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
> break;
> }
> *val = bmg160_samp_freq_table[i].filter;
>
> If no entry matches, i ends up equal to the array size and the next
> line reads one slot past the end. bmg160_set_filter() has the same
> shape, driven by 'val' instead of bw_bits.
>
> smatch flags both:
>
> drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
> buffer overflow 'bmg160_samp_freq_table' 7 <= 7
> drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
> buffer overflow 'bmg160_samp_freq_table' 7 <= 7
>
> Return -EINVAL when no entry matches.
Have you checked the mailing list archive? I have a weak memory of seeing this
or something similar in the (recent) past...
--
With Best Regards,
Andy Shevchenko
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
2026-05-10 3:06 ` Stepan Ionichev
@ 2026-05-10 11:56 ` Andy Shevchenko
0 siblings, 0 replies; 6+ messages in thread
From: Andy Shevchenko @ 2026-05-10 11:56 UTC (permalink / raw)
To: Stepan Ionichev
Cc: andy, jic23, dlechner, nuno.sa, gregkh, hcazarim, linux-iio,
linux-kernel
On Sun, May 10, 2026 at 08:06:47AM +0500, Stepan Ionichev wrote:
> I checked patchwork for bmg160 -- no prior post for this fix. If you
> remember the thread, point me to it.
Okay, thanks for confirming!
> Same pattern (loop with 'i' used after no-break) appears in other iio
> drivers too. Maybe that is what you saw.
--
With Best Regards,
Andy Shevchenko
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
2026-05-10 2:35 [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Stepan Ionichev
2026-05-10 3:06 ` Stepan Ionichev
2026-05-10 10:15 ` Andy Shevchenko
@ 2026-05-10 12:53 ` Andy Shevchenko
2026-05-11 16:23 ` Jonathan Cameron
3 siblings, 0 replies; 6+ messages in thread
From: Andy Shevchenko @ 2026-05-10 12:53 UTC (permalink / raw)
To: Stepan Ionichev
Cc: jic23, dlechner, nuno.sa, andy, gregkh, hcazarim, linux-iio,
linux-kernel
On Sun, May 10, 2026 at 07:35:00AM +0500, Stepan Ionichev wrote:
> bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the
> entry matching the bw_bits value read from the chip:
>
> for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
> if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
> break;
> }
> *val = bmg160_samp_freq_table[i].filter;
>
> If no entry matches, i ends up equal to the array size and the next
> line reads one slot past the end. bmg160_set_filter() has the same
> shape, driven by 'val' instead of bw_bits.
>
> smatch flags both:
>
> drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
> buffer overflow 'bmg160_samp_freq_table' 7 <= 7
> drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
> buffer overflow 'bmg160_samp_freq_table' 7 <= 7
>
> Return -EINVAL when no entry matches.
Sounds legit and proper behaviour in this case.
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
--
With Best Regards,
Andy Shevchenko
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
2026-05-10 2:35 [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Stepan Ionichev
` (2 preceding siblings ...)
2026-05-10 12:53 ` Andy Shevchenko
@ 2026-05-11 16:23 ` Jonathan Cameron
3 siblings, 0 replies; 6+ messages in thread
From: Jonathan Cameron @ 2026-05-11 16:23 UTC (permalink / raw)
To: Stepan Ionichev
Cc: dlechner, nuno.sa, andy, gregkh, hcazarim, linux-iio,
linux-kernel
On Sun, 10 May 2026 07:35:00 +0500
Stepan Ionichev <sozdayvek@gmail.com> wrote:
> bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the
> entry matching the bw_bits value read from the chip:
>
> for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
> if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
> break;
> }
> *val = bmg160_samp_freq_table[i].filter;
>
> If no entry matches, i ends up equal to the array size and the next
> line reads one slot past the end. bmg160_set_filter() has the same
> shape, driven by 'val' instead of bw_bits.
>
> smatch flags both:
>
> drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
> buffer overflow 'bmg160_samp_freq_table' 7 <= 7
> drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
> buffer overflow 'bmg160_samp_freq_table' 7 <= 7
>
> Return -EINVAL when no entry matches.
>
> Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
For the get case it would be a hardware bug to return wrong value.
That's good to harden against but not something I'd consider an urgent bug.
The set case is a different matter. Looks to me like userspace can trivally cause
an overflow. As such this needs a fixes tag. Please can you send one in reply
to this email so I can pick it up when taking the patch.
Thanks and good fix!
Jonathan
> ---
> drivers/iio/gyro/bmg160_core.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c
> index 38394b5f3..58963f3ea 100644
> --- a/drivers/iio/gyro/bmg160_core.c
> +++ b/drivers/iio/gyro/bmg160_core.c
> @@ -201,6 +201,9 @@ static int bmg160_get_filter(struct bmg160_data *data, int *val)
> break;
> }
>
> + if (i == ARRAY_SIZE(bmg160_samp_freq_table))
> + return -EINVAL;
> +
> *val = bmg160_samp_freq_table[i].filter;
>
> return ret ? ret : IIO_VAL_INT;
> @@ -218,6 +221,9 @@ static int bmg160_set_filter(struct bmg160_data *data, int val)
> break;
> }
>
> + if (i == ARRAY_SIZE(bmg160_samp_freq_table))
> + return -EINVAL;
> +
> ret = regmap_write(data->regmap, BMG160_REG_PMU_BW,
> bmg160_samp_freq_table[i].bw_bits);
> if (ret < 0) {
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-05-11 16:23 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-10 2:35 [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Stepan Ionichev
2026-05-10 3:06 ` Stepan Ionichev
2026-05-10 11:56 ` Andy Shevchenko
2026-05-10 10:15 ` Andy Shevchenko
2026-05-10 12:53 ` Andy Shevchenko
2026-05-11 16:23 ` Jonathan Cameron
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox