Re: [PATCH v4 9/9] iio: temperature: ltc2983: Add support for ADT7604
From: Liviu Stan
Date: Tue May 26 2026 - 04:52:58 EST
On Mon, 25 May 2026 19:06:14 +0000 sashiko-bot@xxxxxxxxxx wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] Integer truncation of `num_channels` leads to an out-of-bounds write on the heap when parsing device tree children.
> --
>
> commit 482bc8c51e04185002511817885173bd265542d8
> Author: Liviu Stan <liviu.stan@xxxxxxxxxx>
>
> iio: temperature: ltc2983: Add support for ADT7604
>
> This commit adds support for the ADT7604 sensor, repurposing custom RTD
> and thermistor sensor types as copper trace and leak detectors. It
> introduces new structs, parser functions, and hardware register mappings
> to handle these new types.
>
> > diff --git a/drivers/iio/temperature/ltc2983.c b/drivers/iio/temperature/ltc2983.c
> > index 130ab7fddc2fe..fc65d8352d120 100644
> > --- a/drivers/iio/temperature/ltc2983.c
> > +++ b/drivers/iio/temperature/ltc2983.c
>
> [ ... ]
>
> > @@ -1348,7 +1672,7 @@ static int ltc2983_parse_fw(struct ltc2983_data *st)
> > if (!st->sensors)
> > return -ENOMEM;
> >
> > - st->iio_channels = st->num_channels;
> > + st->iio_channels = 0;
>
> [Severity: High]
> This is a pre-existing issue, but does st->num_channels silently truncate
> the number of child nodes since it is defined as a u8?
>
> If a device tree is provided with 256 or more child nodes (e.g., 257
> nodes via DT overlays), device_get_child_node_count() returns 257, but
> st->num_channels truncates this to 1. This causes devm_kcalloc() to
> allocate only a 1-element array for st->sensors.
>
> The device_for_each_child_node_scoped() loop directly following this will
> then iterate over the children and write into st->sensors[chan], resulting
> in out-of-bounds writes on the heap. Could num_channels be changed to an
> unsigned int to prevent this memory corruption?
>
> > device_for_each_child_node_scoped(dev, child) {
> > struct ltc2983_sensor sensor;
>
> --
> Sashiko AI review · https://sashiko.dev/#/patchset/20260525164013.118614-1-liviu.stan@xxxxxxxxxx?part=9
>
The hardware has 20 channels maximum, so num_channels as u8 can never overflow in practice.
Thanks,
Liviu