From: Purva Yeshi purvayeshi550@gmail.com
[ Upstream commit e5cdb098a3cb165d52282ffc3a6448642953ea13 ]
Fix Smatch-detected issue: drivers/iio/adc/ad_sigma_delta.c:604 ad_sd_trigger_handler() error: uninitialized symbol 'status_pos'.
The variable `status_pos` was only initialized in specific switch cases (1, 2, 3, 4), which could leave it uninitialized if `reg_size` had an unexpected value.
Fix by adding a default case to the switch block to catch unexpected values of `reg_size`. Use `dev_err_ratelimited()` for error logging and `goto irq_handled` instead of returning early.
Signed-off-by: Purva Yeshi purvayeshi550@gmail.com Link: https://patch.msgid.link/20250410170408.8585-1-purvayeshi550@gmail.com Signed-off-by: Jonathan Cameron Jonathan.Cameron@huawei.com Signed-off-by: Sasha Levin sashal@kernel.org ---
Let me analyze the commit without the kernel repository. Looking at the commit information:
**YES**
This commit should be backported to stable kernel trees. Here's my extensive analysis:
## Analysis of the Bug Fix
### 1. **Critical Bug Nature** The commit fixes a serious issue where the variable `status_pos` could be used uninitialized. This is a critical bug because: - Uninitialized variables can contain arbitrary memory values - Using an uninitialized `status_pos` in line `converted_channel = data[status_pos] & sigma_delta->info->status_ch_mask;` could lead to: - Out-of-bounds array access - Memory corruption - System crashes or undefined behavior
### 2. **Code Analysis of the Fix** The problematic code was in the `ad_sd_trigger_handler()` function:
```c switch (reg_size) { case 4: case 2: case 1: status_pos = reg_size; // ... break; case 3: status_pos = reg_size + 1; // ... break; } ```
**Problem**: If `reg_size` had any value other than 1, 2, 3, or 4, `status_pos` would remain uninitialized.
**Solution**: The fix adds a default case: ```c default: dev_err_ratelimited(&indio_dev->dev, "Unsupported reg_size: %u\n", reg_size); goto irq_handled; ```
### 3. **Risk Assessment - LOW RISK** - **Contained fix**: Only adds error handling, doesn't change existing logic - **No functional changes**: For valid `reg_size` values (1-4), behavior is identical - **Safe error handling**: Uses rate-limited logging and proper cleanup via `goto irq_handled` - **No architectural changes**: Simple defensive programming addition
### 4. **User Impact - HIGH** - **Affects all users**: Any driver using ad_sigma_delta could potentially trigger this - **Data corruption potential**: Uninitialized variable could cause incorrect channel data processing - **System stability**: Could lead to kernel panics or memory corruption - **Silent failures**: Bug might manifest as subtle data corruption rather than obvious crashes
### 5. **Stable Tree Criteria Compliance** ✅ **Important bugfix**: Prevents potential memory corruption and crashes ✅ **Small and contained**: Only adds 3 lines of defensive code ✅ **Low regression risk**: Cannot break existing functionality ✅ **Clear benefit**: Eliminates undefined behavior ✅ **No new features**: Pure bug fix
### 6. **Comparison with Similar Commits** Unlike the reference commits that were marked "NO" for backporting: - This fixes a **functional bug** (not just code style/cleanup) - Has **user-visible impact** (potential crashes vs. cosmetic improvements) - Addresses **undefined behavior** (critical vs. minor improvements) - **Security implications** (memory safety vs. readability)
### 7. **Static Analysis Tool Detection** The fact that Smatch detected this issue indicates it's a real problem that static analysis considers serious enough to flag. This type of uninitialized variable usage is a common source of security vulnerabilities and system instability.
**Conclusion**: This is a textbook example of a commit that should be backported - it fixes a real bug with serious consequences, has minimal risk of regression, and follows all stable tree guidelines.
drivers/iio/adc/ad_sigma_delta.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c index 7e21928707437..533667eefe419 100644 --- a/drivers/iio/adc/ad_sigma_delta.c +++ b/drivers/iio/adc/ad_sigma_delta.c @@ -476,6 +476,10 @@ static irqreturn_t ad_sd_trigger_handler(int irq, void *p) * byte set to zero. */ ad_sd_read_reg_raw(sigma_delta, data_reg, transfer_size, &data[1]); break; + + default: + dev_err_ratelimited(&indio_dev->dev, "Unsupported reg_size: %u\n", reg_size); + goto irq_handled; }
/*