Re: [PATCH v5 0/2] iio: adc: ad_sigma_delta: fix CS assertion and registerless device handling

From: Jonathan Cameron

Date: Wed May 27 2026 - 07:19:30 EST


On Wed, 27 May 2026 12:16:48 +0100
Jonathan Cameron <jic23@xxxxxxxxxx> wrote:

> On Wed, 27 May 2026 12:38:37 +0300
> Radu Sabau via B4 Relay <devnull+radu.sabau.analog.com@xxxxxxxxxx> wrote:
>
> > This series fixes two independent bugs in the ad_sigma_delta framework.
> >
> > Patch 1 fixes CS being left permanently asserted after single conversion
> > and in the error path of ad_sd_buffer_postenable(). In
> > ad_sigma_delta_single_conversion(), set_mode(AD_SD_MODE_IDLE) and
> > disable_one() were executing while keep_cs_asserted was still true,
> > causing any SPI transfer they issued to carry cs_change=1. The
> > postenable() error path also failed to call set_mode(AD_SD_MODE_IDLE),
> > leaving the device in continuous conversion mode with bus_locked
> > incorrectly set, opening a window for concurrent SPI access.
> >
> > Patch 2 fixes ad_sigma_delta_clear_pending_event() for devices with
> > has_registers = false and no rdy_gpiod (currently AD7191, AD7780, and
> > MAX11205). These devices fall through to the status register read path,
> > but since has_registers is false, ad_sd_read_reg() transmits no address
> > byte and blindly clocks raw MISO bytes — indistinguishable from reading
> > conversion data, partially consuming any pending result and corrupting the
> > stream. With num_resetclks = 0 on these devices a further hazard exists:
> > if pending_event is set, the drain path attempts memset of SIZE_MAX bytes,
> > corrupting the heap. The fix returns 0 immediately for registerless
> > devices. This is safe for all current instances: AD7191 and AD7780 (with
> > powerdown GPIO) are reset between conversions by CS deassertion; AD7780
> > (without powerdown GPIO) and MAX11205 are continuously-converting and
> > cycle ~DRDY regardless, so the next falling edge fires naturally. A future
> > registerless device that holds ~DRDY asserted until data is read would
> > need num_resetclks set or a rdy-gpio instead. The same heap corruption can
> > be triggered on any device with rdy_gpiod set but num_resetclks = 0, so
> > an explicit data_read_len == 0 guard is added independently.
> >
> > Signed-off-by: Radu Sabau <radu.sabau@xxxxxxxxxx>
> Hi Radu,
>
> Applied to the fixes-togreg branch of iio.git and marked for stable.
>
> Note that, as this is all a bit fiddly, in the ideal world I'd like some
> more eyes on this and will be happy to add tags or indeed pull the patch
> in response to any reviews in the next few days.
>
> Sashiko is now 'happy' I think and it found a lot more issues than I identified
> in earlier versions.
>
Actually scratch that - these both need Fixes tags. Please reply to each email
with whatever seems most likely. I know it can be hard to find the point where
a complex bug got introduced but we should still be providing some guidance
on how far to backport.

Thanks,

Jonathan

> Thanks,
>
> Jonathan