On Fri, 19 Jul 2019 00:10:28 -0400
Sasha Levin <sashal@xxxxxxxxxx> wrote:
> From: Young Xiao <92siuyang@xxxxxxxxx>
>
> [ Upstream commit 936d3e536dcf88ce80d27bdb637009b13dba6d8c ]
>
> The incorrect limit for the for_each_set_bit loop was noticed whilst fixing
> this other case. Note that as we only have 3 possible entries a the moment
> and the value was set to 4, the bug would not have any effect currently.
> It will bite fairly soon though, so best fix it now.
>
> See commit ef4b4856593f ("iio:core: Fix bug in length of event info_mask and
> catch unhandled bits set in masks.") for details.
>
> Signed-off-by: Young Xiao <92siuyang@xxxxxxxxx>
> Reviewed-by: Alexandru Ardelean <alexandru.ardelean@xxxxxxxxxx>
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
As the patch states, this bug doesn't have any impact. It would only
be triggered by a buggy driver setting a bit in that mask that makes no
sense.
So it's good to fix in upstream, but debatable if it's worth porting back
to stable.
I don't have a strong opinion on this one and again, it should do no
harm.
Jonathan
> ---
> drivers/iio/industrialio-core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> index 97b7266ee0ff..b0f952984983 100644
> --- a/drivers/iio/industrialio-core.c
> +++ b/drivers/iio/industrialio-core.c
> @@ -1116,6 +1116,8 @@ static int iio_device_add_info_mask_type_avail(struct iio_dev *indio_dev,
> char *avail_postfix;
>
> for_each_set_bit(i, infomask, sizeof(*infomask) * 8) {
> + if (i >= ARRAY_SIZE(iio_chan_info_postfix))
> + return -EINVAL;
> avail_postfix = kasprintf(GFP_KERNEL,
> "%s_available",
> iio_chan_info_postfix[i]);
