From f2a772c51206b0c3f262e4f6a3812c89a650191b Mon Sep 17 00:00:00 2001

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

Date: Thu, 13 May 2021 15:07:42 +0300

Subject: [PATCH] iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers

Git-commit: f2a772c51206b0c3f262e4f6a3812c89a650191b

Patch-mainline: v5.13-rc4

References: git-fixes

Channel numbering must start at 0 and then not have any holes, or

it is possible to overflow the available storage.  Note this bug was

introduced as part of a fix to ensure we didn't rely on the ordering

of child nodes.  So we need to support arbitrary ordering but they all

need to be there somewhere.

Note I hit this when using qemu to test the rest of this series.

Arguably this isn't the best fix, but it is probably the most minimal

option for backporting etc.

Alexandru's sign-off is here because he carried this patch in a larger

set that Jonathan then applied.

Fixes: d7857e4ee1ba6 ("iio: adc: ad7124: Fix DT channel configuration")

Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>

Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

Signed-off-by: Alexandru Ardelean <aardelean@deviqon.com>

Cc: <Stable@vger.kernel.org>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/iio/adc/ad7124.c | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c

index 437116a07cf1..a27db78ea13e 100644

--- a/drivers/iio/adc/ad7124.c

+++ b/drivers/iio/adc/ad7124.c

@@ -771,6 +771,13 @@ static int ad7124_of_parse_channel_config(struct iio_dev *indio_dev,

 		if (ret)

 			goto err;

+		if (channel >= indio_dev->num_channels) {

+			dev_err(indio_dev->dev.parent,

+				"Channel index >= number of channels\n");

+			ret = -EINVAL;

+			goto err;

+		}

+

 		ret = of_property_read_u32_array(child, "diff-channels",

 						 ain, 2);

 		if (ret)

-- 

2.26.2