Re: [PATCH v4 9/9] iio: temperature: ltc2983: Add support for ADT7604

[Liviu Stan]

On Wed, 27 May 2026 17:49:31 +0100 Jonathan Cameron <jic23@xxxxxxxxxx> wrote:

> On Tue, 26 May 2026 11:47:01 +0300
> Liviu Stan <liviu.stan@xxxxxxxxxx> wrote:
> 
> > On Mon, 25 May 2026 19:06:14 +0000 sashiko-bot@xxxxxxxxxx wrote:
> > 
> > > Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> > > 
> > > Pre-existing issues:
> > > - [High] Integer truncation of `num_channels` leads to an out-of-bounds write on the heap when parsing device tree children.
> > > --
> > > 
> > > commit 482bc8c51e04185002511817885173bd265542d8
> > > Author: Liviu Stan <liviu.stan@xxxxxxxxxx>
> > > 
> > > iio: temperature: ltc2983: Add support for ADT7604
> > > 
> > > This commit adds support for the ADT7604 sensor, repurposing custom RTD
> > > and thermistor sensor types as copper trace and leak detectors. It
> > > introduces new structs, parser functions, and hardware register mappings
> > > to handle these new types.
> > >   
> > > > diff --git a/drivers/iio/temperature/ltc2983.c b/drivers/iio/temperature/ltc2983.c
> > > > index 130ab7fddc2fe..fc65d8352d120 100644
> > > > --- a/drivers/iio/temperature/ltc2983.c
> > > > +++ b/drivers/iio/temperature/ltc2983.c  
> > > 
> > > [ ... ]
> > >   
> > > > @@ -1348,7 +1672,7 @@ static int ltc2983_parse_fw(struct ltc2983_data *st)
> > > >  	if (!st->sensors)
> > > >  		return -ENOMEM;
> > > >  
> > > > -	st->iio_channels = st->num_channels;
> > > > +	st->iio_channels = 0;  
> > > 
> > > [Severity: High]
> > > This is a pre-existing issue, but does st->num_channels silently truncate
> > > the number of child nodes since it is defined as a u8?
> > > 
> > > If a device tree is provided with 256 or more child nodes (e.g., 257
> > > nodes via DT overlays), device_get_child_node_count() returns 257, but
> > > st->num_channels truncates this to 1. This causes devm_kcalloc() to
> > > allocate only a 1-element array for st->sensors.
> > > 
> > > The device_for_each_child_node_scoped() loop directly following this will
> > > then iterate over the children and write into st->sensors[chan], resulting
> > > in out-of-bounds writes on the heap. Could num_channels be changed to an
> > > unsigned int to prevent this memory corruption?
> > >   
> > > >  	device_for_each_child_node_scoped(dev, child) {
> > > >  		struct ltc2983_sensor sensor;  
> > > 
> > > -- 
> > > Sashiko AI review · https://sashiko.dev/#/patchset/20260525164013.118614-1-liviu.stan@xxxxxxxxxx?part=9
> > >   
> > 
> > The hardware has 20 channels maximum, so num_channels as u8 can never overflow in practice.
> > 
> All looks good to me so applied to the testing branch of iio.git.
> 
> Thanks,
> 
> Jonathan

Thank you!

Liviu