Re: [PATCH v4 9/9] iio: temperature: ltc2983: Add support for ADT7604
From: Jonathan Cameron
Date: Wed May 27 2026 - 12:52:26 EST
On Tue, 26 May 2026 11:47:01 +0300
Liviu Stan <liviu.stan@xxxxxxxxxx> wrote:
> On Mon, 25 May 2026 19:06:14 +0000 sashiko-bot@xxxxxxxxxx wrote:
>
> > Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> >
> > Pre-existing issues:
> > - [High] Integer truncation of `num_channels` leads to an out-of-bounds write on the heap when parsing device tree children.
> > --
> >
> > commit 482bc8c51e04185002511817885173bd265542d8
> > Author: Liviu Stan <liviu.stan@xxxxxxxxxx>
> >
> > iio: temperature: ltc2983: Add support for ADT7604
> >
> > This commit adds support for the ADT7604 sensor, repurposing custom RTD
> > and thermistor sensor types as copper trace and leak detectors. It
> > introduces new structs, parser functions, and hardware register mappings
> > to handle these new types.
> >
> > > diff --git a/drivers/iio/temperature/ltc2983.c b/drivers/iio/temperature/ltc2983.c
> > > index 130ab7fddc2fe..fc65d8352d120 100644
> > > --- a/drivers/iio/temperature/ltc2983.c
> > > +++ b/drivers/iio/temperature/ltc2983.c
> >
> > [ ... ]
> >
> > > @@ -1348,7 +1672,7 @@ static int ltc2983_parse_fw(struct ltc2983_data *st)
> > > if (!st->sensors)
> > > return -ENOMEM;
> > >
> > > - st->iio_channels = st->num_channels;
> > > + st->iio_channels = 0;
> >
> > [Severity: High]
> > This is a pre-existing issue, but does st->num_channels silently truncate
> > the number of child nodes since it is defined as a u8?
> >
> > If a device tree is provided with 256 or more child nodes (e.g., 257
> > nodes via DT overlays), device_get_child_node_count() returns 257, but
> > st->num_channels truncates this to 1. This causes devm_kcalloc() to
> > allocate only a 1-element array for st->sensors.
> >
> > The device_for_each_child_node_scoped() loop directly following this will
> > then iterate over the children and write into st->sensors[chan], resulting
> > in out-of-bounds writes on the heap. Could num_channels be changed to an
> > unsigned int to prevent this memory corruption?
> >
> > > device_for_each_child_node_scoped(dev, child) {
> > > struct ltc2983_sensor sensor;
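Review bot: with `st->iio_channels = 0;` replacing the assignment from `st->num_channels`, the counter is only correct if the `device_for_each_child_node_scoped()` loop that follows increments it for every child that ends up as an IIO channel, and the visible context shows neither that increment nor where anything sized from `iio_channels` is allocated; please confirm both happen only once the loop has finished counting. Separately, the `st->sensors` allocation checked just above is made before this loop runs, so rejecting a child count above the supported channel maximum ahead of that allocation would make the 20-channel assumption raised in this thread an enforced bound rather than an implicit one.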
> >
> > --
> > Sashiko AI review · https://sashiko.dev/#/patchset/20260525164013.118614-1-liviu.stan@xxxxxxxxxx?part=9
> >
>
> The hardware has 20 channels maximum, so num_channels as u8 can never overflow in practice.
>
All looks good to me so applied to the testing branch of iio.git.
Thanks,
Jonathan
> Thanks,
> Liviu
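
The narrowing case discussed in this thread, as an added user-space example that is not part of the original messages or of the ltc2983 driver: a child count stored in an 8-bit field, next to a parse routine that validates the full-width count before using it as an array size. The names `struct state`, `struct sensor`, `slots_unchecked()`, `parse_checked()` and `MAX_CHANNELS` are hypothetical; the value 20 is taken from the channel maximum stated above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHANNELS 20u /* assumption: the 20-channel maximum stated in the thread */

struct sensor { unsigned int chan; };   /* hypothetical per-child entry */

struct state {
	uint8_t num_channels;           /* narrow counter, as in the case discussed */
	struct sensor *sensors;
};

/* Unchecked: number of array slots that exist once the count is narrowed. */
static size_t slots_unchecked(struct state *st, unsigned int child_count)
{
	st->num_channels = (uint8_t)child_count;  /* 257 becomes 1 */
	return st->num_channels;
}

/* Checked: validate the full-width count before narrowing or sizing with it. */
static int parse_checked(struct state *st, unsigned int child_count)
{
	if (child_count == 0 || child_count > MAX_CHANNELS)
		return -EINVAL;
	st->num_channels = (uint8_t)child_count;
	st->sensors = calloc(st->num_channels, sizeof(*st->sensors));
	if (!st->sensors)
		return -ENOMEM;
	for (unsigned int i = 0; i < child_count; i++) /* child_count == slots here */
		st->sensors[i].chan = i + 1;
	return 0;
}

int main(void)
{
	struct state st = { 0 };

	printf("257 children, unchecked: %zu slot(s)\n", slots_unchecked(&st, 257));
	printf("257 children, checked:   %d\n", parse_checked(&st, 257));
	printf("20 children, checked:    %d\n", parse_checked(&st, 20));
	free(st.sensors);
	return 0;
}
```

The unchecked helper only reports the slot count and never writes through the array, so the program is safe to run as is.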