[PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table

Next message: Jonas Karlman: "[PATCH v2 1/2] phy: rockchip: inno-hdmi: Add configure() and validate() ops"
Previous message: Miguel Ojeda: "Re: [RFC v2 0/2] add kconfirm"
Next in thread: Andy Shevchenko: "Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Stepan Ionichev

Date: Sun May 10 2026 - 05:54:34 EST

bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the
entry matching the bw_bits value read from the chip:

for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
break;
}
*val = bmg160_samp_freq_table[i].filter;

If no entry matches, i ends up equal to the array size and the next
line reads one slot past the end. bmg160_set_filter() has the same
shape, driven by 'val' instead of bw_bits.

smatch flags both:

drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
buffer overflow 'bmg160_samp_freq_table' 7 <= 7
drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
buffer overflow 'bmg160_samp_freq_table' 7 <= 7

Return -EINVAL when no entry matches.

Signed-off-by: Stepan Ionichev <sozdayvek@xxxxxxxxx>
---
drivers/iio/gyro/bmg160_core.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c
index 38394b5f3..58963f3ea 100644
--- a/drivers/iio/gyro/bmg160_core.c
+++ b/drivers/iio/gyro/bmg160_core.c
@@ -201,6 +201,9 @@ static int bmg160_get_filter(struct bmg160_data *data, int *val)
break;
}

+ if (i == ARRAY_SIZE(bmg160_samp_freq_table))
+ return -EINVAL;
+
*val = bmg160_samp_freq_table[i].filter;

return ret ? ret : IIO_VAL_INT;
@@ -218,6 +221,9 @@ static int bmg160_set_filter(struct bmg160_data *data, int val)
break;
}

+ if (i == ARRAY_SIZE(bmg160_samp_freq_table))
+ return -EINVAL;
+
ret = regmap_write(data->regmap, BMG160_REG_PMU_BW,
bmg160_samp_freq_table[i].bw_bits);
if (ret < 0) {
--
2.43.0