[PATCH v2 1/2] staging: nvec: fix use-after-free in nvec_rx_completed()
From: Alexandru Hossu @ 2026-04-13 15:12 UTC
To: gregkh; +Cc: linux-staging, linux-kernel, error27, Alexandru Hossu
In nvec_rx_completed(), when an incomplete RX transfer is detected,
nvec_msg_free() is called to return the message back to the pool by
clearing its 'used' atomic flag. Immediately after this, the code
accesses nvec->rx->data[0] to check the message type.
Since nvec_msg_free() marks the pool slot as available via atomic_set(),
any concurrent or subsequent call to nvec_msg_alloc() could claim that
same slot and overwrite its data[] array. Reading nvec->rx->data[0] after
freeing the message is therefore a use-after-free.
Fix this by saving the message type byte before calling nvec_msg_free(),
then using the saved value for the battery quirk check.
Fixes: d6bdcf2e1019 ("staging: nvec: Add battery quirk to ignore incomplete responses")
Reviewed-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
v2:
- Add Fixes tag (Dan Carpenter)
- Remove obvious comment (Dan Carpenter)
- Move declaration to start of block (Dan Carpenter)
drivers/staging/nvec/nvec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/nvec/nvec.c b/drivers/staging/nvec/nvec.c
index 952c5a849a56..2a3499dd4d63 100644
--- a/drivers/staging/nvec/nvec.c
+++ b/drivers/staging/nvec/nvec.c
@@ -494,6 +494,8 @@ static void nvec_tx_completed(struct nvec_chip *nvec)
static void nvec_rx_completed(struct nvec_chip *nvec)
{
if (nvec->rx->pos != nvec_msg_size(nvec->rx)) {
+ unsigned char msg_type = nvec->rx->data[0];
+
dev_err(nvec->dev, "RX incomplete: Expected %u bytes, got %u\n",
(uint)nvec_msg_size(nvec->rx),
(uint)nvec->rx->pos);
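Review bot: taking the copy at the top of the `if` block, before dev_err() and before the free, is the right ordering. One caveat that predates this change: nothing here checks nvec->rx->pos >= 1 before reading data[0], so on a transfer that delivered no bytes the battery quirk tests whatever the previous occupant of that pool slot left in data[0] (unless nvec_msg_alloc() clears the slot, which this hunk does not show). Worth a sentence in the commit message or a `pos` check in a follow-up.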
@@ -502,7 +504,7 @@ static void nvec_rx_completed(struct nvec_chip *nvec)
nvec->state = 0;
/* Battery quirk - Often incomplete, and likes to crash */
- if (nvec->rx->data[0] == NVEC_BAT)
+ if (msg_type == NVEC_BAT)
complete(&nvec->ec_transfer);
return;
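Review bot: msg_type is scoped to the `if (nvec->rx->pos != nvec_msg_size(nvec->rx))` block opened in the previous hunk, so this comparison compiles only because the battery quirk check sits inside that same block; the two hunks have to move together if the quirk is ever refactored out of it. complete(&nvec->ec_transfer) running after nvec_msg_free() is fine, since it touches the completion, not the released message.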
--
2.53.0
[PATCH v2 2/2] staging: nvec: fix unconditional pm_power_off teardown
From: Alexandru Hossu @ 2026-04-13 15:12 UTC
To: gregkh; +Cc: linux-staging, linux-kernel, error27, Alexandru Hossu
tegra_nvec_remove() unconditionally sets pm_power_off = NULL, even if
nvec was not the one that registered it. This breaks any other driver
that may have set pm_power_off to its own handler.
Replace the unconditional assignment with a guarded check so that
pm_power_off is only cleared if nvec was the one that set it.
Also remove the stale FIXME comment, as the guard addresses exactly
what it was asking for.
Fixes: 3f8d52ba1c49 ("staging: nvec: Remove nvec_power module")
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
v2:
- Drop nvec_power_handle = NULL; after pm_power_off = NULL is set,
nvec_power_off() is unreachable via pm_power_off, so there is no
dangling-pointer risk there (Dan Carpenter)
drivers/staging/nvec/nvec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/nvec/nvec.c b/drivers/staging/nvec/nvec.c
index 2a3499dd4d63..88c416ee0381 100644
--- a/drivers/staging/nvec/nvec.c
+++ b/drivers/staging/nvec/nvec.c
@@ -906,8 +906,8 @@ static void tegra_nvec_remove(struct platform_device *pdev)
nvec_unregister_notifier(nvec, &nvec->nvec_status_notifier);
cancel_work_sync(&nvec->rx_work);
cancel_work_sync(&nvec->tx_work);
- /* FIXME: needs check whether nvec is responsible for power off */
- pm_power_off = NULL;
+ if (pm_power_off == nvec_power_off)
+ pm_power_off = NULL;
}
#ifdef CONFIG_PM_SLEEP
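Review bot: the check-then-clear is the usual pattern for pm_power_off and is correct on its own, but it is also a sign that the driver tracks ownership by hand; the register_platform_power_off()/unregister_platform_power_off() helpers in kernel/reboot.c (declared in include/linux/reboot.h) exist for exactly this and would make the probe side consistent as well. A follow-up rather than a change to this patch.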
--
2.53.0
Re: [PATCH v2 2/2] staging: nvec: fix unconditional pm_power_off teardown
From: Dan Carpenter @ 2026-04-13 17:51 UTC
To: Alexandru Hossu; +Cc: gregkh, linux-staging, linux-kernel
On Mon, Apr 13, 2026 at 05:12:36PM +0200, Alexandru Hossu wrote:
> tegra_nvec_remove() unconditionally sets pm_power_off = NULL, even if
> nvec was not the one that registered it. This breaks any other driver
> that may have set pm_power_off to its own handler.
>
> Replace the unconditional assignment with a guarded check so that
> pm_power_off is only cleared if nvec was the one that set it.
>
> Also remove the stale FIXME comment, as the guard addresses exactly
> what it was asking for.
>
> Fixes: 3f8d52ba1c49 ("staging: nvec: Remove nvec_power module")
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> v2:
> - Drop nvec_power_handle = NULL; after pm_power_off = NULL is set,
> nvec_power_off() is unreachable via pm_power_off, so there is no
> dangling-pointer risk there (Dan Carpenter)
Thanks!
Reviewed-by: Dan Carpenter <error27@gmail.com>
regards,
dan carpenter
[PATCH v3] staging: nvec: fix unconditional pm_power_off teardown
From: Alexandru Hossu @ 2026-04-13 20:02 UTC
To: gregkh
Cc: linux-staging, linux-kernel, error27, linux-tegra, marvin24, Alexandru Hossu
tegra_nvec_remove() unconditionally sets pm_power_off = NULL, even if
nvec was not the one that registered it. This breaks any other driver
that may have set pm_power_off to its own handler.
Replace the unconditional assignment with a guarded check so that
pm_power_off is only cleared if nvec was the one that set it.
Also remove the stale FIXME comment, as the guard addresses exactly
what it was asking for.
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
v3:
- Drop incorrect Fixes tag
v2:
- Drop nvec_power_handle = NULL; after pm_power_off is cleared,
nvec_power_off() is unreachable via pm_power_off so there is no
dangling-pointer risk (Dan Carpenter)
drivers/staging/nvec/nvec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/nvec/nvec.c b/drivers/staging/nvec/nvec.c
index 2a3499dd4d63..88c416ee0381 100644
--- a/drivers/staging/nvec/nvec.c
+++ b/drivers/staging/nvec/nvec.c
@@ -906,8 +906,8 @@ static void tegra_nvec_remove(struct platform_device *pdev)
nvec_unregister_notifier(nvec, &nvec->nvec_status_notifier);
cancel_work_sync(&nvec->rx_work);
cancel_work_sync(&nvec->tx_work);
- /* FIXME: needs check whether nvec is responsible for power off */
- pm_power_off = NULL;
+ if (pm_power_off == nvec_power_off)
+ pm_power_off = NULL;
}
#ifdef CONFIG_PM_SLEEP
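Review bot: the hunk is unchanged from v2 and the guard is still right; one point worth a line in the commit message is that comparing against nvec_power_off works because it is a single file-scope function, the same value for every nvec instance, which is also why dropping `nvec_power_handle = NULL` (per the changelog) is safe here. The compare and the assignment are not atomic, but nothing else is expected to touch pm_power_off during unbind, so that matches how the pointer is handled elsewhere.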
--
2.53.0