From: srini@kernel.org
To: gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, Andre Heider, Stable@vger.kernel.org, Miquel Raynal, Srinivas Kandagatla
Subject: [PATCH 1/2] nvmem: layouts: onie-tlv: fix hang on unknown types
Date: Sat, 30 May 2026 21:43:39 +0100
Message-ID: <20260530204340.116743-2-srini@kernel.org>
In-Reply-To: <20260530204340.116743-1-srini@kernel.org>

From: Andre Heider

The EEPROM on my board has a vendor specific entry of type 0x41. When stumbling upon that, this driver hangs in an endless loop.

Fix it by continuing to increment the offset on unknown entries, so the loop will eventually stop.

Fixes: d3c0d12f6474 ("nvmem: layouts: onie-tlv: Add new layout driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Andre Heider
Reviewed-by: Miquel Raynal
Signed-off-by: Srinivas Kandagatla
--- drivers/nvmem/layouts/onie-tlv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/nvmem/layouts/onie-tlv.c b/drivers/nvmem/layouts/onie-= tlv.c index 0967a32319a2..8b0f3c1b8a0e 100644 --- a/drivers/nvmem/layouts/onie-tlv.c +++ b/drivers/nvmem/layouts/onie-tlv.c @@ -119,7 +119,7 @@ static int onie_tlv_add_cells(struct device *dev, struc= t nvmem_device *nvmem, =20 cell.name =3D onie_tlv_cell_name(tlv.type); if (!cell.name) - continue; + goto next; =20 cell.offset =3D hdr_len + offset + sizeof(tlv.type) + sizeof(tlv.len); cell.bytes =3D tlv.len;
@@ -132,6 +132,7 @@ static int onie_tlv_add_cells(struct device *dev, struc= t nvmem_device *nvmem, return ret; } =20 +next: offset +=3D sizeof(tlv) + tlv.len; } =20 --=20 2.53.0

From: srini@kernel.org
To: gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, Bartosz Golaszewski, stable@vger.kernel.org, Srinivas Kandagatla
Subject: [PATCH 2/2] nvmem: core: fix use-after-free bugs in error paths
Date: Sat, 30 May 2026 21:43:40 +0100
Message-ID: <20260530204340.116743-3-srini@kernel.org>
In-Reply-To: <20260530204340.116743-1-srini@kernel.org>

From: Bartosz Golaszewski

Fix several instances of error paths in which we call __nvmem_device_put() - which may end up freeing the underlying memory and other resources - and then keep on using the nvmem structure. Always put the reference to the nvmem device as the last step before returning the error code.

Cc: stable@vger.kernel.org
Fixes: 7ae6478b304b ("nvmem: core: rework nvmem cell instance creation")
Fixes: e888d445ac33 ("nvmem: resolve cells from DT at registration time")
Signed-off-by: Bartosz Golaszewski
Signed-off-by: Srinivas Kandagatla
--- drivers/nvmem/core.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c index 311cb2e5a5c0..e871181751f3 100644 --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c
@@ -1468,18 +1468,16 @@ struct nvmem_cell *of_nvmem_cell_get(struct device_= node *np, const char *id) cell_entry =3D nvmem_find_cell_entry_by_node(nvmem, cell_np); of_node_put(cell_np); if (!cell_entry) { - __nvmem_device_put(nvmem); nvmem_layout_module_put(nvmem); - if (nvmem->layout) - return ERR_PTR(-EPROBE_DEFER); - else - return ERR_PTR(-ENOENT); + ret =3D nvmem->layout ? -EPROBE_DEFER : -ENOENT; + __nvmem_device_put(nvmem); + return ERR_PTR(ret); } =20 cell =3D nvmem_create_cell(cell_entry, id, cell_index); if (IS_ERR(cell)) { - __nvmem_device_put(nvmem); nvmem_layout_module_put(nvmem); + __nvmem_device_put(nvmem); } =20 return cell; @@ -1593,8 +1591,8 @@ void nvmem_cell_put(struct nvmem_cell *cell) kfree_const(cell->id); =20 kfree(cell); - __nvmem_device_put(nvmem); nvmem_layout_module_put(nvmem); + __nvmem_device_put(nvmem); } EXPORT_SYMBOL_GPL(nvmem_cell_put); =20 --=20 2.53.0
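
Review bot: in [PATCH 1/2], hunk @@ -119,7 of drivers/nvmem/layouts/onie-tlv.c, the "goto next" path advances by a tlv.len read from an entry whose type the driver does not recognise, and nothing in the visible lines bounds that length. Please confirm that the loop condition (outside this hunk) stops once offset passes the end of the TLV data, so a vendor entry with a bogus length ends the walk cleanly. A short comment at the "if (!cell.name)" test saying that unknown or vendor types are skipped on purpose would also help.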
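
Review bot: in [PATCH 1/2], hunk @@ -132,6 of drivers/nvmem/layouts/onie-tlv.c, the statement under the new "next:" label steps by sizeof(tlv), while cell.offset in the previous hunk is built from sizeof(tlv.type) + sizeof(tlv.len). The two agree only if the struct holds exactly those two fields with no padding. Since every entry, known or not, now relies on this step, using the same expression in both places (or a comment tying them together) would make that assumption explicit.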
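
Review bot: in [PATCH 2/2], hunk @@ -1468,18 of drivers/nvmem/core.c, the corrected ordering in the "!cell_entry" and "IS_ERR(cell)" branches is not explained at the call sites, so a later cleanup could move __nvmem_device_put() back above the nvmem->layout read or the nvmem_layout_module_put() call. A one-line comment above each __nvmem_device_put(nvmem) saying that it may free nvmem and must come last would guard against that. The hunk also assigns to ret without adding a declaration, so it relies on one already present in of_nvmem_cell_get(); worth a glance when backporting to stable trees.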
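
Review bot: in [PATCH 2/2], hunk @@ -1593,8 of drivers/nvmem/core.c, the reorder is in nvmem_cell_put(), which is the normal release path rather than an error path, while the subject and commit message speak only of error paths and of "returning the error code". Mentioning nvmem_cell_put() in the message would help anyone backporting or auditing against the two Fixes: tags see that this site is covered as well.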