
Commit 499a8ce

amiclausjic23
authored andcommitted
iio: adc: ad4851: fix ad4858 chan pointer handling
The pointer returned from ad4851_parse_channels_common() is incremented internally as each channel is populated. In ad4858_parse_channels(), the same pointer was further incremented while setting ext_scan_type fields for each channel. This resulted in indio_dev->channels being set to a pointer past the end of the allocated array, potentially causing memory corruption or undefined behavior. Fix this by iterating over the channels using an explicit index instead of incrementing the pointer. This preserves the original base pointer and ensures all channel metadata is set correctly. Fixes: 6250803 ("iio: adc: ad4851: add ad485x driver") Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com> Reviewed-by: Nuno Sá <nuno.sa@analog.com> Link: https://patch.msgid.link/20250509101657.6742-1-antoniu.miclaus@analog.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
1 parent e2f8200 commit 499a8ce


1 file changed

+7
-7
lines changed


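--- a/drivers/iio/adc/ad4851.c
+++ b/drivers/iio/adc/ad4851.c
@@ -1034,23 +1034,23 @@ static int ad4858_parse_channels(struct iio_dev *indio_dev)
 struct device *dev = &st->spi->dev;
 struct iio_chan_spec *ad4851_channels;
 const struct iio_chan_spec ad4851_chan = AD4858_IIO_CHANNEL;
-int ret;
+int ret, i = 0;
 
 ret = ad4851_parse_channels_common(indio_dev, &ad4851_channels,
 ad4851_chan);
 if (ret < 0)
 return ret;
 
 device_for_each_child_node_scoped(dev, child) {
-ad4851_channels->has_ext_scan_type = 1;
+ad4851_channels[i].has_ext_scan_type = 1;
 if (fwnode_property_read_bool(child, "bipolar")) {
-ad4851_channels->ext_scan_type = ad4851_scan_type_20_b;
-ad4851_channels->num_ext_scan_type = ARRAY_SIZE(ad4851_scan_type_20_b);
+ad4851_channels[i].ext_scan_type = ad4851_scan_type_20_b;
+ad4851_channels[i].num_ext_scan_type = ARRAY_SIZE(ad4851_scan_type_20_b);
 } else {
-ad4851_channels->ext_scan_type = ad4851_scan_type_20_u;
-ad4851_channels->num_ext_scan_type = ARRAY_SIZE(ad4851_scan_type_20_u);
+ad4851_channels[i].ext_scan_type = ad4851_scan_type_20_u;
+ad4851_channels[i].num_ext_scan_type = ARRAY_SIZE(ad4851_scan_type_20_u);
 }
-ad4851_channels++;
+i++;
 }
 
 indio_dev->channels = ad4851_channels;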
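Review bot: The index `i` in the `device_for_each_child_node_scoped()` loop is bounded only by the number of child nodes in the firmware description; nothing in this hunk ties it to the length of the array that `ad4851_parse_channels_common()` allocated. The writes through `ad4851_channels[i]` stay in bounds only if the helper sizes the array from the same child-node count and fills it in the same visiting order, which is not visible here, so the invariant deserves a comment above the loop such as `/* one entry per child node, in the order ad4851_parse_channels_common() filled them */`. If the channel count is already known at this point (presumably `indio_dev->num_channels`, to be confirmed against the helper), a guard like `if (i >= indio_dev->num_channels) break;` would turn any mismatch into an incomplete setup rather than an out-of-bounds write. The body of ad4858_parse_channels() starts before and continues after this hunk.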
