| Message ID | 20241031014626.2313077-1-quzicheng@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | iio: fix infinite loop for gain_to_scaletables() | expand |
Thanks again Zicheng! On 31/10/2024 03:46, Zicheng Qu wrote: > In iio_gts_build_avail_time_table(), it is checked that gts->num_itime is > non-zero, but gts->num_itime is not checked in gain_to_scaletables(). The > variable time_idx is initialized as gts->num_itime - 1. This implies that > time_idx might initially be set to -1 (0 - 1 = -1). Consequently, using > while (time_idx--) could lead to an infinite loop. > > Cc: stable@vger.kernel.org # v6.6+ > Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") > Signed-off-by: Zicheng Qu <quzicheng@huawei.com> > --- > drivers/iio/industrialio-gts-helper.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/iio/industrialio-gts-helper.c b/drivers/iio/industrialio-gts-helper.c > index 59d7615c0f56..f3acd392f4fc 100644 > --- a/drivers/iio/industrialio-gts-helper.c > +++ b/drivers/iio/industrialio-gts-helper.c > @@ -205,7 +205,7 @@ static int gain_to_scaletables(struct iio_gts *gts, int **gains, int **scales) > memcpy(all_gains, gains[time_idx], gain_bytes); > new_idx = gts->num_hwgain; > > - while (time_idx--) { > + while (time_idx-- > 0) { > for (j = 0; j < gts->num_hwgain; j++) { > int candidate = gains[time_idx][j]; > int chk; This, too, brings the question if supporting 0 times is worth. At least this shows that it'd be nice to cover the "only times, no hw-gains" and "no times, only hw-gains" cases in the Kunit tests... Anyways - Thanks! Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com> Yours, -- Matti
On Thu, 31 Oct 2024 09:25:16 +0200 Matti Vaittinen <mazziesaccount@gmail.com> wrote: > Thanks again Zicheng! > > On 31/10/2024 03:46, Zicheng Qu wrote: > > In iio_gts_build_avail_time_table(), it is checked that gts->num_itime is > > non-zero, but gts->num_itime is not checked in gain_to_scaletables(). The > > variable time_idx is initialized as gts->num_itime - 1. This implies that > > time_idx might initially be set to -1 (0 - 1 = -1). Consequently, using > > while (time_idx--) could lead to an infinite loop. > > > > Cc: stable@vger.kernel.org # v6.6+ > > Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") > > Signed-off-by: Zicheng Qu <quzicheng@huawei.com> > > --- > > drivers/iio/industrialio-gts-helper.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/iio/industrialio-gts-helper.c b/drivers/iio/industrialio-gts-helper.c > > index 59d7615c0f56..f3acd392f4fc 100644 > > --- a/drivers/iio/industrialio-gts-helper.c > > +++ b/drivers/iio/industrialio-gts-helper.c > > @@ -205,7 +205,7 @@ static int gain_to_scaletables(struct iio_gts *gts, int **gains, int **scales) > > memcpy(all_gains, gains[time_idx], gain_bytes); > > new_idx = gts->num_hwgain; > > > > - while (time_idx--) { > > + while (time_idx-- > 0) { > > for (j = 0; j < gts->num_hwgain; j++) { > > int candidate = gains[time_idx][j]; > > int chk; > > This, too, brings the question if supporting 0 times is worth. > > At least this shows that it'd be nice to cover the "only times, no > hw-gains" and "no times, only hw-gains" cases in the Kunit tests... > > Anyways - Thanks! > > Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com> Applied > > Yours, > -- Matti > >
diff --git a/drivers/iio/industrialio-gts-helper.c b/drivers/iio/industrialio-gts-helper.c index 59d7615c0f56..f3acd392f4fc 100644 --- a/drivers/iio/industrialio-gts-helper.c +++ b/drivers/iio/industrialio-gts-helper.c @@ -205,7 +205,7 @@ static int gain_to_scaletables(struct iio_gts *gts, int **gains, int **scales) memcpy(all_gains, gains[time_idx], gain_bytes); new_idx = gts->num_hwgain; - while (time_idx--) { + while (time_idx-- > 0) { for (j = 0; j < gts->num_hwgain; j++) { int candidate = gains[time_idx][j]; int chk;
In iio_gts_build_avail_time_table(), it is checked that gts->num_itime is non-zero, but gts->num_itime is not checked in gain_to_scaletables(). The variable time_idx is initialized as gts->num_itime - 1. This implies that time_idx might initially be set to -1 (0 - 1 = -1). Consequently, using while (time_idx--) could lead to an infinite loop. Cc: stable@vger.kernel.org # v6.6+ Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") Signed-off-by: Zicheng Qu <quzicheng@huawei.com> --- drivers/iio/industrialio-gts-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)