Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table

Next message: Andy Shevchenko: "Re: [PATCH v2] iio: adc: ti-ads1298: Fix incorrect timeout comment"
Previous message: Erikas Bitovtas: "Re: [PATCH v5 5/8] clk: qcom: gcc-msm8939: mark Venus core GDSCs as hardware controlled"
In reply to: Stepan Ionichev: "[PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table"
Next in thread: Stepan Ionichev: "Re: [PATCH] iio: gyro: bmg160: bail out when bandwidth/filter is not in table"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Sun May 10 2026 - 06:15:38 EST

On Sun, May 10, 2026 at 07:35:00AM +0500, Stepan Ionichev wrote:
> bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the
> entry matching the bw_bits value read from the chip:
>
> for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
> if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
> break;
> }
> *val = bmg160_samp_freq_table[i].filter;
>
> If no entry matches, i ends up equal to the array size and the next
> line reads one slot past the end. bmg160_set_filter() has the same
> shape, driven by 'val' instead of bw_bits.
>
> smatch flags both:
>
> drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
> buffer overflow 'bmg160_samp_freq_table' 7 <= 7
> drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
> buffer overflow 'bmg160_samp_freq_table' 7 <= 7
>
> Return -EINVAL when no entry matches.

Have you checked the mailing list archive? I have a weak memory of seeing this
or something similar in the (recent) past...

--
With Best Regards,
Andy Shevchenko