From: David Lechner Date: Wed, 22 Oct 2025 15:15:05 +0000 (-0500) Subject: iio: adc: ad7124: fix possible OOB array access X-Git-Tag: v6.19-rc1~65^2~58^2~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97289f6accca405d63149e56774912c8be85f76b;p=thirdparty%2Fkernel%2Flinux.git iio: adc: ad7124: fix possible OOB array access Reorder the channel bounds check before using it to index into the channels array in ad7124_release_config_slot(). This prevents reading past the end of the array. The value read from invalid memory was not used, so this was mostly harmless, but we still should not be reading out of bounds in the first place. Reported-by: Dan Carpenter Closes: https://lore.kernel.org/linux-iio/aPi6V-hcaKReSNWK@stanley.mountain/ Fixes: 9065197e0d41 ("iio: adc: ad7124: change setup reg allocation strategy") Signed-off-by: David Lechner Reviewed-by: Marcelo Schmitt Signed-off-by: Jonathan Cameron --- diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c index 9d58ced7371d0..ed828a82acb71 100644 --- a/drivers/iio/adc/ad7124.c +++ b/drivers/iio/adc/ad7124.c @@ -586,13 +586,18 @@ static int ad7124_request_config_slot(struct ad7124_state *st, u8 channel) static void ad7124_release_config_slot(struct ad7124_state *st, u8 channel) { - unsigned int slot = st->channels[channel].cfg.cfg_slot; + unsigned int slot; /* - * All of these conditions can happen at probe when all channels are - * disabled. Otherwise, they should not happen normally. + * All of these early return conditions can happen at probe when all + * channels are disabled. Otherwise, they should not happen normally. */ - if (channel >= st->num_channels || slot == AD7124_CFG_SLOT_UNASSIGNED || + if (channel >= st->num_channels) + return; + + slot = st->channels[channel].cfg.cfg_slot; + + if (slot == AD7124_CFG_SLOT_UNASSIGNED || st->cfg_slot_use_count[slot] == 0) return;