device_property_read_u32(dev, "average-samples", &st->avg_samples);` with no runtime bounds checking (drivers/iio/adc/spear_adc.c:319). While the binding restricts it to 0..15 (Documentation/devicetree/bindings/iio/adc/st,spear600-adc.yaml:43), the driver cannot rely on DT schema validation being present or enforced at runtime. - The fix: The patch adds `#include ` and replaces the shift macros with masks using `GENMASK` and `FIELD_PREP`, ensuring values are masked to their field width before being merged: - Replaces `#define SPEAR_ADC_STATUS_CHANNEL_NUM(x) ((x) << 1)` (drivers/iio/adc/spear_adc.c:32) with `#define SPEAR_ADC_STATUS_CHANNEL_NUM_MASK GENMASK(3, 1)` and uses `FIELD_PREP` when composing the register. - Replaces `#define SPEAR_ADC_STATUS_AVG_SAMPLE(x) ((x) << 5)` (drivers/iio/adc/spear_adc.c:34) with `#define SPEAR_ADC_STATUS_AVG_SAMPLE_MASK GENMASK(8, 5)` and uses `FIELD_PREP`. - In `spear_adc_read_raw()`, it now uses `FIELD_PREP(SPEAR_ADC_STATUS_CHANNEL_NUM_MASK, chan->channel)` and `FIELD_PREP(SPEAR_ADC_STATUS_AVG_SAMPLE_MASK, st->avg_samples)` instead of raw shifts when building `status`. - Scope and risk: The change is small and localized to a single driver and code path used for starting a conversion. It introduces no new features or architectural changes. The new include `` is standard in supported stable kernels and `FIELD_PREP/GENMASK` are widely used in-tree. Masking the channel is also a safe improvement (even though `chan->channel` is in-range), keeping register writes robust. - User impact: Prevents accidental toggling of unrelated control bits (notably Vref selection) and writing ones to reserved/unknown bits if DT passes an out-of-range `average-samples`. This is a clear functional bug that can affect users with misconfigured or legacy DTs. - Stable criteria: - Fixes a real bug (register bit clobbering; can produce incorrect ADC behavior). - Minimal and contained change. - No functional side effects beyond enforcing correct bitfields. - Touches a single IIO ADC driver, not core subsystems. - Commit message explains rationale; even without an explicit “Cc: stable” tag, it meets stable backport rules. Conclusion: This is a straightforward, low-risk bug fix that prevents corruption of control bits when programming the ADC status register. It should be backported to stable. drivers/iio/adc/spear_adc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/iio/adc/spear_adc.c b/drivers/iio/adc/spear_adc.c index e3a865c79686e..df100dce77da4 100644 --- a/drivers/iio/adc/spear_adc.c +++ b/drivers/iio/adc/spear_adc.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -29,9 +30,9 @@ /* Bit definitions for SPEAR_ADC_STATUS */ #define SPEAR_ADC_STATUS_START_CONVERSION BIT(0) -#define SPEAR_ADC_STATUS_CHANNEL_NUM(x) ((x) << 1) +#define SPEAR_ADC_STATUS_CHANNEL_NUM_MASK GENMASK(3, 1) #define SPEAR_ADC_STATUS_ADC_ENABLE BIT(4) -#define SPEAR_ADC_STATUS_AVG_SAMPLE(x) ((x) << 5) +#define SPEAR_ADC_STATUS_AVG_SAMPLE_MASK GENMASK(8, 5) #define SPEAR_ADC_STATUS_VREF_INTERNAL BIT(9) #define SPEAR_ADC_DATA_MASK 0x03ff @@ -157,8 +158,8 @@ static int spear_adc_read_raw(struct iio_dev *indio_dev, case IIO_CHAN_INFO_RAW: mutex_lock(&st->lock); - status = SPEAR_ADC_STATUS_CHANNEL_NUM(chan->channel) | - SPEAR_ADC_STATUS_AVG_SAMPLE(st->avg_samples) | + status = FIELD_PREP(SPEAR_ADC_STATUS_CHANNEL_NUM_MASK, chan->channel) | + FIELD_PREP(SPEAR_ADC_STATUS_AVG_SAMPLE_MASK, st->avg_samples) | SPEAR_ADC_STATUS_START_CONVERSION | SPEAR_ADC_STATUS_ADC_ENABLE; if (st->vref_external == 0) -- 2.51.0[PATCH AUTOSEL 6.17-5.4] iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting registerSasha Levin undefinedpatches@lists.linux.dev, stable@vger.kernel.org undefined undefined undefined undefined undefined undefined undefined undefined