[PATCH 0/4] nvmem: fixes for next rc

[PATCH 0/4] nvmem: fixes for next rc

[Srinivas Kandagatla]

Hi Greg,

Here are couple of nvmem fixes on the mailing list which are good to go in
next rc. Could you please take them thru the char-misc tree.

Thanks,
srini

Axel Lin (2):
  nvmem: core: Handle shift bits in-place if cell->nbits is non-zero
  nvmem: core: Fix memory leak in nvmem_cell_write

Maxime Ripard (1):
  nvmem: sunxi: Check for memory allocation failure

ZhengShunQian (1):
  nvmem: core: fix the out-of-range leak in read/write()

 drivers/nvmem/core.c      |  8 ++++----
 drivers/nvmem/sunxi_sid.c | 11 ++++++++++-
 2 files changed, 14 insertions(+), 5 deletions(-)

-- 
1.9.1

[PATCH 1/4] nvmem: core: fix the out-of-range leak in read/write()

[Srinivas Kandagatla]

From: ZhengShunQian <zhengsq@rock-chips.com>

The position to read/write must be less than max
register size.

Signed-off-by: ZhengShunQian <zhengsq@rock-chips.com>
Acked-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
---
 drivers/nvmem/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
index d3c6676..f4af8e5 100644
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -67,7 +67,7 @@ static ssize_t bin_attr_nvmem_read(struct file *filp, struct kobject *kobj,
 	int rc;
 
 	/* Stop the user from reading */
-	if (pos > nvmem->size)
+	if (pos >= nvmem->size)
 		return 0;
 
 	if (pos + count > nvmem->size)
@@ -92,7 +92,7 @@ static ssize_t bin_attr_nvmem_write(struct file *filp, struct kobject *kobj,
 	int rc;
 
 	/* Stop the user from writing */
-	if (pos > nvmem->size)
+	if (pos >= nvmem->size)
 		return 0;
 
 	if (pos + count > nvmem->size)
-- 
1.9.1

[PATCH 2/4] nvmem: core: Handle shift bits in-place if cell->nbits is non-zero

[Srinivas Kandagatla]

From: Axel Lin <axel.lin@ingics.com>

It's pointless to test (cell->bit_offset || cell->bit_offset).
nvmem_shift_read_buffer_in_place() should be called when
(cell->bit_offset || cell->nbits).

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
---
 drivers/nvmem/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
index f4af8e5..676607c 100644
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -825,7 +825,7 @@ static int __nvmem_cell_read(struct nvmem_device *nvmem,
 		return rc;
 
 	/* shift bits in-place */
-	if (cell->bit_offset || cell->bit_offset)
+	if (cell->bit_offset || cell->nbits)
 		nvmem_shift_read_buffer_in_place(cell, buf);
 
 	*len = cell->bytes;
-- 
1.9.1

[PATCH 3/4] nvmem: core: Fix memory leak in nvmem_cell_write

[Srinivas Kandagatla]

From: Axel Lin <axel.lin@ingics.com>

A tmp buffer is allocated if cell->bit_offset || cell->nbits.
So the tmp buffer needs to be freed at the same condition to avoid leak.

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
---
 drivers/nvmem/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
index 676607c..6fd4e5a 100644
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -938,7 +938,7 @@ int nvmem_cell_write(struct nvmem_cell *cell, void *buf, size_t len)
 	rc = regmap_raw_write(nvmem->regmap, cell->offset, buf, cell->bytes);
 
 	/* free the tmp buffer */
-	if (cell->bit_offset)
+	if (cell->bit_offset || cell->nbits)
 		kfree(buf);
 
 	if (IS_ERR_VALUE(rc))
-- 
1.9.1

[PATCH 4/4] nvmem: sunxi: Check for memory allocation failure

[Srinivas Kandagatla]

From: Maxime Ripard <maxime.ripard@free-electrons.com>

The sunxi_sid driver doesn't check for kmalloc return status before
derefencing the returned pointer, which could lead to a NULL pointer
dereference if kmalloc failed. Check for its return code to make sure it
deosn't happen.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
---
 drivers/nvmem/sunxi_sid.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/nvmem/sunxi_sid.c b/drivers/nvmem/sunxi_sid.c
index 14777dd..cfa3b85 100644
--- a/drivers/nvmem/sunxi_sid.c
+++ b/drivers/nvmem/sunxi_sid.c
@@ -103,7 +103,7 @@ static int sunxi_sid_probe(struct platform_device *pdev)
 	struct nvmem_device *nvmem;
 	struct regmap *regmap;
 	struct sunxi_sid *sid;
-	int i, size;
+	int ret, i, size;
 	char *randomness;
 
 	sid = devm_kzalloc(dev, sizeof(*sid), GFP_KERNEL);
@@ -131,6 +131,11 @@ static int sunxi_sid_probe(struct platform_device *pdev)
 		return PTR_ERR(nvmem);
 
 	randomness = kzalloc(sizeof(u8) * size, GFP_KERNEL);
+	if (!randomness) {
+		ret = -EINVAL;
+		goto err_unreg_nvmem;
+	}
+
 	for (i = 0; i < size; i++)
 		randomness[i] = sunxi_sid_read_byte(sid, i);
 
@@ -140,6 +145,10 @@ static int sunxi_sid_probe(struct platform_device *pdev)
 	platform_set_drvdata(pdev, nvmem);
 
 	return 0;
+
+err_unreg_nvmem:
+	nvmem_unregister(nvmem);
+	return ret;
 }
 
 static int sunxi_sid_remove(struct platform_device *pdev)
-- 
1.9.1

[PATCH 4/4] nvmem: sunxi: Check for memory allocation failure

[Greg KH]

On Wed, Sep 30, 2015 at 01:36:31PM +0100, Srinivas Kandagatla wrote:
> From: Maxime Ripard <maxime.ripard@free-electrons.com>
> 
> The sunxi_sid driver doesn't check for kmalloc return status before
> derefencing the returned pointer, which could lead to a NULL pointer
> dereference if kmalloc failed. Check for its return code to make sure it
> deosn't happen.
> 
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
> ---
>  drivers/nvmem/sunxi_sid.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)

No signed-off-by: from you on this patch?

:(

[PATCH 4/4] nvmem: sunxi: Check for memory allocation failure

[Srinivas Kandagatla]

On 04/10/15 12:04, Greg KH wrote:
> On Wed, Sep 30, 2015 at 01:36:31PM +0100, Srinivas Kandagatla wrote:
>> From: Maxime Ripard <maxime.ripard@free-electrons.com>
>>
>> The sunxi_sid driver doesn't check for kmalloc return status before
>> derefencing the returned pointer, which could lead to a NULL pointer
>> dereference if kmalloc failed. Check for its return code to make sure it
>> deosn't happen.
>>
>> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>> Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
>> ---
>>   drivers/nvmem/sunxi_sid.c | 11 ++++++++++-
>>   1 file changed, 10 insertions(+), 1 deletion(-)
>
> No signed-off-by: from you on this patch?
>

Oops!! My bad I missed the sign-off.

Thanks for taking this patch, I will make sure I will recheck this 
before sending.

--srini

> :(
>