RE: [PATCH v5 2/2] iio: adc: ad_sigma_delta: fix clear_pending_event for registerless devices

From: Sabau, Radu bogdan

Date: Fri May 29 2026 - 04:44:33 EST


> -----Original Message-----
> From: Radu Sabau via B4 Relay <devnull+radu.sabau.analog.com@xxxxxxxxxx>
> Sent: Wednesday, May 27, 2026 12:39 PM
> To: Lars-Peter Clausen <lars@xxxxxxxxxx>; Hennerich, Michael
> <Michael.Hennerich@xxxxxxxxxx>; Jonathan Cameron <jic23@xxxxxxxxxx>;
> David Lechner <dlechner@xxxxxxxxxxxx>; Sa, Nuno <Nuno.Sa@xxxxxxxxxx>;
> Andy Shevchenko <andy@xxxxxxxxxx>; Uwe Kleine König <u.kleine-
> koenig@xxxxxxxxxxxx>
> Cc: linux-iio@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; Sabau, Radu
> bogdan <Radu.Sabau@xxxxxxxxxx>; Jonathan Cameron <jic23@xxxxxxxxxx>
> Subject: [PATCH v5 2/2] iio: adc: ad_sigma_delta: fix clear_pending_event for
> registerless devices
>
> From: Radu Sabau <radu.sabau@xxxxxxxxxx>
>
> ad_sigma_delta_clear_pending_event() falls through to the status register
> read path for devices with has_registers = false and no rdy_gpiod. For
> such devices, ad_sd_read_reg() skips the address byte entirely and clocks
> raw MISO bytes with no address phase — making it byte-for-byte identical
> to reading conversion data. If a pending conversion result is present,
> this partially consumes it and corrupts the data stream for the subsequent
> ad_sd_read_reg() call in ad_sigma_delta_single_conversion().
>
> Furthermore, with num_resetclks = 0 on these devices, data_read_len
> evaluates to 0. If the clocked byte has bit 7 clear, pending_event is set
> and the code attempts memset(data + 2, 0xff, 0 - 1), overflowing to
> SIZE_MAX and corrupting the heap.
>
> Fix by returning 0 immediately when neither rdy_gpiod nor has_registers
> is set. This is safe for all current registerless devices: ad7191 and
> ad7780 (with powerdown GPIO) are reset between conversions by CS
> deassertion, so there is no stale result to drain; ad7780 (without
> powerdown GPIO) and max11205 are continuously-converting and cycle ~DRDY
> at the output data rate regardless of whether the previous result was
> read, so the next falling edge fires naturally.
>
> A future registerless device that holds ~DRDY asserted until data is read
> would be broken by this early return and would require either
> num_resetclks set or a rdy-gpio.
>
> The same heap corruption is reachable on any device with rdy_gpiod set
> but num_resetclks = 0: if the GPIO indicates a pending event, the drain
> path executes memset(data + 2, 0xff, 0 - 1) regardless of has_registers.
> Add an explicit data_read_len == 0 guard after the pending event check;
> the stale result is then consumed by the first ad_sd_read_reg() call in
> ad_sigma_delta_single_conversion().

Fixes tag needed

Fixes: 132d44dc6966 ("iio: adc: ad_sigma_delta: Check for previous ready signals")

The same commit introduced ad_sigma_delta_clear_pending_event() itself with an
unconditional else that calls ad_sd_read_reg() for any device without rdy_gpiod,
regardless of has_registers.

>
> Signed-off-by: Radu Sabau <radu.sabau@xxxxxxxxxx>
> ---
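The size_t wrap and the two guards described in the quoted commit message, modelled in an added C example (constructed here, not the kernel's ad_sigma_delta code); the struct layout and the derivation of data_read_len from num_resetclks are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the state the commit message reasons about.
 * Field names follow the commit message; the layout is an assumption. */
struct sd_model {
	bool has_registers;
	bool has_rdy_gpiod;
	unsigned int num_resetclks;
};

/* Assumed derivation: bytes needed to clock num_resetclks reset clocks. */
static size_t data_read_len(const struct sd_model *sd)
{
	return (sd->num_resetclks + 7) / 8;
}

/* Length the unguarded drain path hands to memset(data + 2, 0xff, len).
 * When data_read_len is 0 the unsigned subtraction wraps to SIZE_MAX. */
size_t unguarded_memset_len(const struct sd_model *sd)
{
	return data_read_len(sd) - 1;
}

/* Fixed decision logic: number of bytes to pad, or -1 when the drain must
 * be skipped because there is nothing safe to read or pad. */
long guarded_drain_len(const struct sd_model *sd)
{
	size_t len;

	/* Registerless device without a ready GPIO: a "status read" would
	 * clock raw conversion data, so do not touch the bus at all. */
	if (!sd->has_rdy_gpiod && !sd->has_registers)
		return -1;

	len = data_read_len(sd);
	/* num_resetclks == 0: nothing to pad; the first real read of the
	 * conversion register consumes the stale result instead. */
	if (len == 0)
		return -1;

	return (long)(len - 1);
}
```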