diff mbox series

[2/3] iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers

Message ID 20210508182319.488551-3-jic23@kernel.org (mailing list archive)
State New, archived
Headers show
Series iio: adc: ad7124: Fixes and devm_ for all of probe | expand

Commit Message

Jonathan Cameron May 8, 2021, 6:23 p.m. UTC
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

Channel numbering must start at 0 and then not have any holes, or
it is possible to overflow the available storage.  Note this bug was
introduced as part of a fix to ensure we didn't rely on the ordering
of child nodes.  So we need to support arbitrary ordering but they all
need to be there somewhere.

Note I hit this when using qemu to test the rest of this series.
Arguably this isn't the best fix, but it is probably the most minimal
option for backporting etc.

Fixes: d7857e4ee1ba6 ("iio: adc: ad7124: Fix DT channel configuration")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 drivers/iio/adc/ad7124.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Alexandru Ardelean May 9, 2021, 7:22 a.m. UTC | #1
On Sat, May 8, 2021 at 9:24 PM Jonathan Cameron <jic23@kernel.org> wrote:
>
> From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
>
> Channel numbering must start at 0 and then not have any holes, or
> it is possible to overflow the available storage.  Note this bug was
> introduced as part of a fix to ensure we didn't rely on the ordering
> of child nodes.  So we need to support arbitrary ordering but they all
> need to be there somewhere.
>
> Note I hit this when using qemu to test the rest of this series.
> Arguably this isn't the best fix, but it is probably the most minimal
> option for backporting etc.
>

Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>

> Fixes: d7857e4ee1ba6 ("iio: adc: ad7124: Fix DT channel configuration")
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---
>  drivers/iio/adc/ad7124.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
> index c0d0870a29ff..9c2401c5848e 100644
> --- a/drivers/iio/adc/ad7124.c
> +++ b/drivers/iio/adc/ad7124.c
> @@ -616,6 +616,13 @@ static int ad7124_of_parse_channel_config(struct iio_dev *indio_dev,
>                 if (ret)
>                         goto err;
>
> +               if (channel >= indio_dev->num_channels) {
> +                       dev_err(indio_dev->dev.parent,
> +                               "Channel index >= number of channels\n");
> +                       ret = -EINVAL;
> +                       goto err;
> +               }
> +
>                 ret = of_property_read_u32_array(child, "diff-channels",
>                                                  ain, 2);
>                 if (ret)
> --
> 2.31.1
>
diff mbox series

Patch

diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
index c0d0870a29ff..9c2401c5848e 100644
--- a/drivers/iio/adc/ad7124.c
+++ b/drivers/iio/adc/ad7124.c
@@ -616,6 +616,13 @@  static int ad7124_of_parse_channel_config(struct iio_dev *indio_dev,
 		if (ret)
 			goto err;
 
+		if (channel >= indio_dev->num_channels) {
+			dev_err(indio_dev->dev.parent,
+				"Channel index >= number of channels\n");
+			ret = -EINVAL;
+			goto err;
+		}
+
 		ret = of_property_read_u32_array(child, "diff-channels",
 						 ain, 2);
 		if (ret)