nvmem: core: fix use-after-free bugs in error paths

author Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

Sat, 30 May 2026 20:43:40 +0000 (21:43 +0100)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fri, 5 Jun 2026 15:18:58 +0000 (17:18 +0200)
author Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Sat, 30 May 2026 20:43:40 +0000 (21:43 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Jun 2026 15:18:58 +0000 (17:18 +0200)
diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c

index 311cb2e5a5c02d2c6979d7c9bbb7f94abdfbdad1..e871181751f3c2739154b3cff27ef9b90032e607 100644 (file)
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -1468,18 +1468,16 @@ struct nvmem_cell *of_nvmem_cell_get(struct device_node *np, const char *id)
         cell_entry = nvmem_find_cell_entry_by_node(nvmem, cell_np);
         of_node_put(cell_np);
         if (!cell_entry) {
-               __nvmem_device_put(nvmem);
                 nvmem_layout_module_put(nvmem);
-               if (nvmem->layout)
-                       return ERR_PTR(-EPROBE_DEFER);
-               else
-                       return ERR_PTR(-ENOENT);
+               ret = nvmem->layout ? -EPROBE_DEFER : -ENOENT;
+               __nvmem_device_put(nvmem);
+               return ERR_PTR(ret);
         }
  
         cell = nvmem_create_cell(cell_entry, id, cell_index);
         if (IS_ERR(cell)) {
-               __nvmem_device_put(nvmem);
                 nvmem_layout_module_put(nvmem);
+               __nvmem_device_put(nvmem);
         }
  
         return cell;
@@ -1593,8 +1591,8 @@ void nvmem_cell_put(struct nvmem_cell *cell)
                 kfree_const(cell->id);
  
         kfree(cell);
-       __nvmem_device_put(nvmem);
         nvmem_layout_module_put(nvmem);
+       __nvmem_device_put(nvmem);
  }
  EXPORT_SYMBOL_GPL(nvmem_cell_put);
author	Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
	Sat, 30 May 2026 20:43:40 +0000 (21:43 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 5 Jun 2026 15:18:58 +0000 (17:18 +0200)