Re: [PATCH 1/3] iio: adc: ti-ads1298: add bounds check to pga_settings index

From: Jonathan Cameron

Date: Fri May 15 2026 - 10:51:44 EST

On Thu, 14 May 2026 18:23:20 +0200
Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:

> From: Sam Daly <sam@xxxxxxxxxx>
>
> ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
> values 0-7. If it yields a value >= 7, this causes an out-of-bounds
> array access. Add a bounds check and return -EINVAL if the index
> is out of range.
>
I'll add something about the other value be reserved whilst applying.

Note that Sashiko has found a more involved similar case (I haven't
checked it)

https://sashiko.dev/#/patchset/2026051420-strudel-graves-f6cd%40gregkh

Whilst ideally we should harden drivers against faulty values from
hardware, sometimes (like that one) it gets rather involved to actually
do! Hence I'm not suggesting we actually fix that one but if anyone
does want to take a look - go ahead.

Jonathan


> Assisted-by: gkh_clanker_2000
> Cc: stable <stable@xxxxxxxxxx>
> Cc: Jonathan Cameron <jic23@xxxxxxxxxx>
> Cc: David Lechner <dlechner@xxxxxxxxxxxx>
> Cc: "Nuno Sá" <nuno.sa@xxxxxxxxxx>
> Cc: Andy Shevchenko <andy@xxxxxxxxxx>
> Signed-off-by: Sam Daly <sam@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
> drivers/iio/adc/ti-ads1298.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iio/adc/ti-ads1298.c b/drivers/iio/adc/ti-ads1298.c
> index ae30b47e4514..731792f06993 100644
> --- a/drivers/iio/adc/ti-ads1298.c
> +++ b/drivers/iio/adc/ti-ads1298.c
> @@ -279,6 +279,7 @@ static const u8 ads1298_pga_settings[] = { 6, 1, 2, 3, 4, 8, 12 };
> static int ads1298_get_scale(struct ads1298_private *priv,
> int channel, int *val, int *val2)
> {
> + unsigned int pga_idx;
> int ret;
> unsigned int regval;
> u8 gain;
> @@ -302,7 +303,11 @@ static int ads1298_get_scale(struct ads1298_private *priv,
> if (ret)
> return ret;
>
> - gain = ads1298_pga_settings[FIELD_GET(ADS1298_MASK_CH_PGA, regval)];
> + pga_idx = FIELD_GET(ADS1298_MASK_CH_PGA, regval);
> + if (pga_idx >= ARRAY_SIZE(ads1298_pga_settings))
> + return -EINVAL;
> +
> + gain = ads1298_pga_settings[pga_idx];
> *val /= gain; /* Full scale is VREF / gain */
>
> *val2 = ADS1298_BITS_PER_SAMPLE - 1; /* Signed, hence the -1 */