authorDavid Lechner <dlechner@baylibre.com>2025-10-22 18:15:05 +0300
committerJonathan Cameron <Jonathan.Cameron@huawei.com>2025-11-09 15:57:04 +0300
commit97289f6accca405d63149e56774912c8be85f76b (patch)
treec7e9d5f34051d3f9a0dd1f62305645581d96ecf3
parentc6763b15c49edc4926a8c6cd8cd2f01d49134d74 (diff)
iio: adc: ad7124: fix possible OOB array access
Reorder the channel bounds check before using it to index into the channels array in ad7124_release_config_slot(). This prevents reading past the end of the array. The value read from invalid memory was not used, so this was mostly harmless, but we still should not be reading out of bounds in the first place. Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/linux-iio/aPi6V-hcaKReSNWK@stanley.mountain/ Fixes: 9065197e0d41 ("iio: adc: ad7124: change setup reg allocation strategy") Signed-off-by: David Lechner <dlechner@baylibre.com> Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
-rw-r--r--drivers/iio/adc/ad7124.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
index 9d58ced7371d..ed828a82acb7 100644
--- a/drivers/iio/adc/ad7124.c
+++ b/drivers/iio/adc/ad7124.c
@@ -586,13 +586,18 @@ static int ad7124_request_config_slot(struct ad7124_state *st, u8 channel)
static void ad7124_release_config_slot(struct ad7124_state *st, u8 channel)
{
- unsigned int slot = st->channels[channel].cfg.cfg_slot;
+ unsigned int slot;
/*
- * All of these conditions can happen at probe when all channels are
- * disabled. Otherwise, they should not happen normally.
+ * All of these early return conditions can happen at probe when all
+ * channels are disabled. Otherwise, they should not happen normally.
*/
- if (channel >= st->num_channels || slot == AD7124_CFG_SLOT_UNASSIGNED ||
+ if (channel >= st->num_channels)
+ return;
+
+ slot = st->channels[channel].cfg.cfg_slot;
+
+ if (slot == AD7124_CFG_SLOT_UNASSIGNED ||
st->cfg_slot_use_count[slot] == 0)
return;
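Review bot: The second early return still indexes `st->cfg_slot_use_count[slot]` with only the `AD7124_CFG_SLOT_UNASSIGNED` sentinel excluded, so the same kind of out-of-bounds read this commit fixes for `st->channels[]` would recur if `cfg_slot` ever held any other out-of-range value. The size of `cfg_slot_use_count` and the writers of `cfg_slot` are outside this hunk, so this may already be guaranteed; if it is not, and assuming the member is a fixed-size array, `if (slot >= ARRAY_SIZE(st->cfg_slot_use_count)) return;` ahead of the use-count test would close it. The comment could also state that the ordering is load-bearing, e.g. `/* channel must be validated before it indexes st->channels[] */`, so a later cleanup does not fold the two checks back into one condition. The function body continues past the end of the hunk.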