[PATCH v3 1/3] iio: adc: xilinx-ams: fix out-of-bounds channel lookup in event handling
Guilherme Ivo Bozi
guilherme.bozi at usp.br
Tue May 12 08:40:05 PDT 2026
Hi Salih,
Replies are inline.
On Tue, May 12, 2026 at 11:22 AM Salih Erim <salih.erim at amd.com> wrote:
>
> Hi Guilherme,
>
> Replies are inline.
>
> On 4/14/2026 11:40 PM, Guilherme Ivo Bozi wrote:
> > ams_event_to_channel() may return a pointer past the end of
> > dev->channels when no matching scan_index is found. This can lead
> > to invalid memory access in ams_handle_event().
> >
> > Add a bounds check in ams_event_to_channel() and return NULL when
> > no channel is found. Also guard the caller to safely handle this
> > case.
> >
> > Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver")
> > Signed-off-by: Guilherme Ivo Bozi <guilherme.bozi at usp.br>
> > ---
> > drivers/iio/adc/xilinx-ams.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/drivers/iio/adc/xilinx-ams.c b/drivers/iio/adc/xilinx-ams.c
> > index 124470c92529..6191cd1b29a5 100644
> > --- a/drivers/iio/adc/xilinx-ams.c
> > +++ b/drivers/iio/adc/xilinx-ams.c
> > @@ -871,6 +871,9 @@ static const struct iio_chan_spec *ams_event_to_channel(struct iio_dev *dev,
> > if (dev->channels[i].scan_index == scan_index)
> > break;
> >
> > + if (i == dev->num_channels)
> > + return NULL;
> > +
> The added lines use spaces for indentation instead of tabs.
I checked both locally and the raw mbox from lore.kernel.org, and the
indentation uses TAB characters consistently (^I in the diff).
To verify, I inspected the relevant hunk using cat -A:
^I^Iif (dev->channels[i].scan_index == scan_index)
^I^I^Ibreak;
+^Iif (i == dev->num_channels)
+^I^Ireturn NULL;
^Ireturn &dev->channels[i];
I could not observe any indentation issues locally or from the raw mbox.
>
> Salih
>
--
Guilherme Ivo
More information about the linux-arm-kernel
mailing list