Re: [PATCH v5 0/2] iio: adc: ad_sigma_delta: fix CS assertion and registerless device handling
From: Jonathan Cameron
Date: Wed May 27 2026 - 07:18:47 EST

On Wed, 27 May 2026 12:38:37 +0300
Radu Sabau via B4 Relay <devnull+radu.sabau.analog.com@xxxxxxxxxx> wrote:
> This series fixes two independent bugs in the ad_sigma_delta framework.
>
> Patch 1 fixes CS being left permanently asserted after single conversion
> and in the error path of ad_sd_buffer_postenable(). In
> ad_sigma_delta_single_conversion(), set_mode(AD_SD_MODE_IDLE) and
> disable_one() were executing while keep_cs_asserted was still true,
> causing any SPI transfer they issued to carry cs_change=1. The
> postenable() error path also failed to call set_mode(AD_SD_MODE_IDLE),
> leaving the device in continuous conversion mode with bus_locked
> incorrectly set, opening a window for concurrent SPI access.
>
> Patch 2 fixes ad_sigma_delta_clear_pending_event() for devices with
> has_registers = false and no rdy_gpiod (currently AD7191, AD7780, and
> MAX11205). These devices fall through to the status register read path,
> but since has_registers is false, ad_sd_read_reg() transmits no address
> byte and blindly clocks raw MISO bytes — indistinguishable from reading
> conversion data, partially consuming any pending result and corrupting the
> stream. With num_resetclks = 0 on these devices a further hazard exists:
> if pending_event is set, the drain path attempts memset of SIZE_MAX bytes,
> corrupting the heap. The fix returns 0 immediately for registerless
> devices. This is safe for all current instances: AD7191 and AD7780 (with
> powerdown GPIO) are reset between conversions by CS deassertion; AD7780
> (without powerdown GPIO) and MAX11205 are continuously-converting and
> cycle ~DRDY regardless, so the next falling edge fires naturally. A future
> registerless device that holds ~DRDY asserted until data is read would
> need num_resetclks set or a rdy-gpio instead. The same heap corruption can
> be triggered on any device with rdy_gpiod set but num_resetclks = 0, so
> an explicit data_read_len == 0 guard is added independently.
>
> Signed-off-by: Radu Sabau <radu.sabau@xxxxxxxxxx>

Hi Radu,

Applied to the fixes-togreg branch of iio.git and marked for stable.

Note that, as this is all a bit fiddly, in the ideal world I'd like some
more eyes on this and will be happy to add tags or indeed pull the patch
in response to any reviews in the next few days.

Sashiko is now 'happy' I think and it found a lot more issues than I identified
in earlier versions.

Thanks,

Jonathan