iio: adc: xilinx-ams: fix out-of-bounds channel lookup in event handling

ams_event_to_channel() may return a pointer past the end of
dev->channels when no matching scan_index is found. This can lead
to invalid memory access in ams_handle_event().

Add a bounds check in ams_event_to_channel() and return NULL when
no channel is found. Also guard the caller to safely handle this
case.

Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver")
Signed-off-by: Guilherme Ivo Bozi <guilherme.bozi@usp.br>
Reviewed-by: Salih Erim <salih.erim@amd.com>
Tested-by: Salih Erim <salih.erim@amd.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>

diff --git a/drivers/iio/adc/xilinx-ams.c b/drivers/iio/adc/xilinx-ams.c
index 124470c92529782db85590ea8c632e2419460c08..6191cd1b29a510187c025a897efcc8b85643b4c1 100644 (file)
--- a/drivers/iio/adc/xilinx-ams.c
+++ b/drivers/iio/adc/xilinx-ams.c
@@ -871,6 +871,9 @@ static const struct iio_chan_spec *ams_event_to_channel(struct iio_dev *dev,
                if (dev->channels[i].scan_index == scan_index)
                        break;
 
+       if (i == dev->num_channels)
+               return NULL;
+
        return &dev->channels[i];
 }
 
@@ -1012,6 +1015,8 @@ static void ams_handle_event(struct iio_dev *indio_dev, u32 event)
        const struct iio_chan_spec *chan;
 
        chan = ams_event_to_channel(indio_dev, event);
+       if (!chan)
+               return;
 
        if (chan->type == IIO_TEMP) {
                /*