From: Zicheng Qu <quzicheng@xxxxxxxxxx> commit 7452f8a0814bb73f739ee0dab60f099f3361b151 upstream. In iio_gts_build_avail_time_table(), it is checked that gts->num_itime is non-zero, but gts->num_itime is not checked in gain_to_scaletables(). The variable time_idx is initialized as gts->num_itime - 1. This implies that time_idx might initially be set to -1 (0 - 1 = -1). Consequently, using while (time_idx--) could lead to an infinite loop. Cc: stable@xxxxxxxxxxxxxxx # v6.6+ Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") Signed-off-by: Zicheng Qu <quzicheng@xxxxxxxxxx> Reviewed-by: Matti Vaittinen <mazziesaccount@xxxxxxxxx> Link: https://patch.msgid.link/20241031014626.2313077-1-quzicheng@xxxxxxxxxx Signed-off-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/iio/industrialio-gts-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/iio/industrialio-gts-helper.c +++ b/drivers/iio/industrialio-gts-helper.c @@ -205,7 +205,7 @@ static int gain_to_scaletables(struct ii memcpy(all_gains, gains[time_idx], gain_bytes); new_idx = gts->num_hwgain; - while (time_idx--) { + while (time_idx-- > 0) { for (j = 0; j < gts->num_hwgain; j++) { int candidate = gains[time_idx][j]; int chk; Patches currently in stable-queue which might be from quzicheng@xxxxxxxxxx are queue-6.12/iio-gts-fix-infinite-loop-for-gain_to_scaletables.patch queue-6.12/iio-fix-fwnode_handle-in-__fwnode_iio_channel_get_by_name.patch queue-6.12/ad7780-fix-division-by-zero-in-ad7780_write_raw.patch queue-6.12/iio-adc-ad7923-fix-buffer-overflow-for-tx_buf-and-ring_xfer.patch