mtd: rawnand: diskonchip: fix a potential double free in doc_probe

When nand_scan() fails, it has cleaned up related resources
in its error paths. Therefore, the following nand_cleanup()
may lead to a double-free. One possible trace is:

doc_probe
  |-> nand_scan
  |     |-> nand_scan_with_ids
  |           |-> nand_scan_tail
  |                 |-> kfree(chip->data_buf) [First free]
  |
  |-> nand_cleanup
        |-> kfree(chip->data_buf) [Double free here]

Fix this by removing nand_cleanup() on failure of
nand_scan().

Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20231214072946.10285-1-dinghao.liu@zju.edu.cn

diff --git a/drivers/mtd/nand/raw/diskonchip.c b/drivers/mtd/nand/raw/diskonchip.c
index 5d2ddb037a9a249668208510ecd7d63be69d61b2..5243fab9face0034ecf54838345624b816f91906 100644 (file)
--- a/drivers/mtd/nand/raw/diskonchip.c
+++ b/drivers/mtd/nand/raw/diskonchip.c
@@ -1491,10 +1491,12 @@ static int __init doc_probe(unsigned long physadr)
        else
                numchips = doc2001_init(mtd);
 
-       if ((ret = nand_scan(nand, numchips)) || (ret = doc->late_init(mtd))) {
-               /* DBB note: i believe nand_cleanup is necessary here, as
-                  buffers may have been allocated in nand_base.  Check with
-                  Thomas. FIX ME! */
+       ret = nand_scan(nand, numchips);
+       if (ret)
+               goto fail;
+
+       ret = doc->late_init(mtd);
+       if (ret) {
                nand_cleanup(nand);
                goto fail;
        }