Re: [PATCH v5 0/2] iio: adc: ad_sigma_delta: fix CS assertion and registerless device handling

[Jonathan Cameron]

On Wed, 27 May 2026 12:18:41 +0100
Jonathan Cameron <jic23@xxxxxxxxxx> wrote:

> On Wed, 27 May 2026 12:16:48 +0100
> Jonathan Cameron <jic23@xxxxxxxxxx> wrote:
> 
> > On Wed, 27 May 2026 12:38:37 +0300
> > Radu Sabau via B4 Relay <devnull+radu.sabau.analog.com@xxxxxxxxxx> wrote:
> >   
> > > This series fixes two independent bugs in the ad_sigma_delta framework.
> > > 
> > > Patch 1 fixes CS being left permanently asserted after single conversion
> > > and in the error path of ad_sd_buffer_postenable(). In
> > > ad_sigma_delta_single_conversion(), set_mode(AD_SD_MODE_IDLE) and
> > > disable_one() were executing while keep_cs_asserted was still true,
> > > causing any SPI transfer they issued to carry cs_change=1. The
> > > postenable() error path also failed to call set_mode(AD_SD_MODE_IDLE),
> > > leaving the device in continuous conversion mode with bus_locked
> > > incorrectly set, opening a window for concurrent SPI access.
> > > 
> > > Patch 2 fixes ad_sigma_delta_clear_pending_event() for devices with                                     
> > > has_registers = false and no rdy_gpiod (currently AD7191, AD7780, and
> > > MAX11205). These devices fall through to the status register read path,                                 
> > > but since has_registers is false, ad_sd_read_reg() transmits no address                               
> > > byte and blindly clocks raw MISO bytes — indistinguishable from reading
> > > conversion data, partially consuming any pending result and corrupting the
> > > stream. With num_resetclks = 0 on these devices a further hazard exists:
> > > if pending_event is set, the drain path attempts memset of SIZE_MAX bytes,
> > > corrupting the heap. The fix returns 0 immediately for registerless
> > > devices. This is safe for all current instances: AD7191 and AD7780 (with
> > > powerdown GPIO) are reset between conversions by CS deassertion; AD7780
> > > (without powerdown GPIO) and MAX11205 are continuously-converting and
> > > cycle ~DRDY regardless, so the next falling edge fires naturally. A future
> > > registerless device that holds ~DRDY asserted until data is read would
> > > need num_resetclks set or a rdy-gpio instead. The same heap corruption can
> > > be triggered on any device with rdy_gpiod set but num_resetclks = 0, so
> > > an explicit data_read_len == 0 guard is added independently.
> > > 
> > > Signed-off-by: Radu Sabau <radu.sabau@xxxxxxxxxx>    
> > Hi Radu,
> > 
> > Applied to the fixes-togreg branch of iio.git and marked for stable.
> > 
> > Note that as this is all a bit fiddly in the ideal world I'd like some
> > more eyes on this and will be happy to add tags or indeed pull the patch
> > in response to any reviews in the next few days.
> > 
> > Sashiko is now 'happy' I think and it found a lot more issues than I identified
> > in earlier versions.
> >   
> Actually scratch that - these both need Fixes tags.  Please reply to each email
> with whatever seems most likely.  I know it can be hard to find the point where
> a complex bug got introduced but we should still be providing some guidance
> on how far to backport.
> 
Thanks for the tags, applied to the fixes-togreg branch of iio.git and marked
for stable.

Jonathan

> Thanks,
> 
> Jonathan
> 
> > Thanks,
> > 
> > Jonathan  
> 
>