* [PATCH 0/2] nvmem: fixes for 7.1
@ 2026-05-30 20:43 srini
2026-05-30 20:43 ` [PATCH 1/2] nvmem: layouts: onie-tlv: fix hang on unknown types srini
2026-05-30 20:43 ` [PATCH 2/2] nvmem: core: fix use-after-free bugs in error paths srini
0 siblings, 2 replies; 3+ messages in thread
From: srini @ 2026-05-30 20:43 UTC (permalink / raw)
To: gregkh; +Cc: linux-kernel, Srinivas Kandagatla
From: Srinivas Kandagatla <srini@kernel.org>
Hi Greg,
Here are some fixes in nvmem which can go for 7.1 release
Could you please queue these as 7.1 material.
Fixes include
- a use-after fix bug fix
- fix hang in onie-tlv
Thanks for all the help,
Srini
Andre Heider (1):
nvmem: layouts: onie-tlv: fix hang on unknown types
Bartosz Golaszewski (1):
nvmem: core: fix use-after-free bugs in error paths
drivers/nvmem/core.c | 12 +++++-------
drivers/nvmem/layouts/onie-tlv.c | 3 ++-
2 files changed, 7 insertions(+), 8 deletions(-)
--
2.53.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/2] nvmem: layouts: onie-tlv: fix hang on unknown types
2026-05-30 20:43 [PATCH 0/2] nvmem: fixes for 7.1 srini
@ 2026-05-30 20:43 ` srini
2026-05-30 20:43 ` [PATCH 2/2] nvmem: core: fix use-after-free bugs in error paths srini
1 sibling, 0 replies; 3+ messages in thread
From: srini @ 2026-05-30 20:43 UTC (permalink / raw)
To: gregkh
Cc: linux-kernel, Andre Heider, Stable, Miquel Raynal,
Srinivas Kandagatla
From: Andre Heider <a.heider@gmail.com>
The EEPROM on my board has a vendor specific entry of type 0x41. When
stumbling upon that, this driver hangs in an endless loop.
Fix it by keep incrementing the offset on unknown entries, so the loop
will eventually stop.
Fixes: d3c0d12f6474 ("nvmem: layouts: onie-tlv: Add new layout driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Andre Heider <a.heider@gmail.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
---
drivers/nvmem/layouts/onie-tlv.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/nvmem/layouts/onie-tlv.c b/drivers/nvmem/layouts/onie-tlv.c
index 0967a32319a2..8b0f3c1b8a0e 100644
--- a/drivers/nvmem/layouts/onie-tlv.c
+++ b/drivers/nvmem/layouts/onie-tlv.c
@@ -119,7 +119,7 @@ static int onie_tlv_add_cells(struct device *dev, struct nvmem_device *nvmem,
cell.name = onie_tlv_cell_name(tlv.type);
if (!cell.name)
- continue;
+ goto next;
cell.offset = hdr_len + offset + sizeof(tlv.type) + sizeof(tlv.len);
cell.bytes = tlv.len;
@@ -132,6 +132,7 @@ static int onie_tlv_add_cells(struct device *dev, struct nvmem_device *nvmem,
return ret;
}
+next:
offset += sizeof(tlv) + tlv.len;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] nvmem: core: fix use-after-free bugs in error paths
2026-05-30 20:43 [PATCH 0/2] nvmem: fixes for 7.1 srini
2026-05-30 20:43 ` [PATCH 1/2] nvmem: layouts: onie-tlv: fix hang on unknown types srini
@ 2026-05-30 20:43 ` srini
1 sibling, 0 replies; 3+ messages in thread
From: srini @ 2026-05-30 20:43 UTC (permalink / raw)
To: gregkh; +Cc: linux-kernel, Bartosz Golaszewski, stable, Srinivas Kandagatla
From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Fix several instances of error paths in which we call
__nvmem_device_put() - which may end up freeing the underlying memory
and other resources - and then keep on using the nvmem structure. Always
put the reference to the nvmem device as the last step before returning
the error code.
Cc: stable@vger.kernel.org
Fixes: 7ae6478b304b ("nvmem: core: rework nvmem cell instance creation")
Fixes: e888d445ac33 ("nvmem: resolve cells from DT at registration time")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
---
drivers/nvmem/core.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
index 311cb2e5a5c0..e871181751f3 100644
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -1468,18 +1468,16 @@ struct nvmem_cell *of_nvmem_cell_get(struct device_node *np, const char *id)
cell_entry = nvmem_find_cell_entry_by_node(nvmem, cell_np);
of_node_put(cell_np);
if (!cell_entry) {
- __nvmem_device_put(nvmem);
nvmem_layout_module_put(nvmem);
- if (nvmem->layout)
- return ERR_PTR(-EPROBE_DEFER);
- else
- return ERR_PTR(-ENOENT);
+ ret = nvmem->layout ? -EPROBE_DEFER : -ENOENT;
+ __nvmem_device_put(nvmem);
+ return ERR_PTR(ret);
}
cell = nvmem_create_cell(cell_entry, id, cell_index);
if (IS_ERR(cell)) {
- __nvmem_device_put(nvmem);
nvmem_layout_module_put(nvmem);
+ __nvmem_device_put(nvmem);
}
return cell;
@@ -1593,8 +1591,8 @@ void nvmem_cell_put(struct nvmem_cell *cell)
kfree_const(cell->id);
kfree(cell);
- __nvmem_device_put(nvmem);
nvmem_layout_module_put(nvmem);
+ __nvmem_device_put(nvmem);
}
EXPORT_SYMBOL_GPL(nvmem_cell_put);
--
2.53.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-30 20:43 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-30 20:43 [PATCH 0/2] nvmem: fixes for 7.1 srini
2026-05-30 20:43 ` [PATCH 1/2] nvmem: layouts: onie-tlv: fix hang on unknown types srini
2026-05-30 20:43 ` [PATCH 2/2] nvmem: core: fix use-after-free bugs in error paths srini
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.