mtd: rawnand: diskonchip: fix a potential double free in doc_probe

dinghaoliu · miquelraynal · commit 2b8aa4c3e6a5 · 2023-12-14T16:42:01.000+01:00
When nand_scan() fails, it has cleaned up related resources in its error paths. Therefore, the following nand_cleanup() may lead to a double-free. One possible trace is: doc_probe |-> nand_scan | |-> nand_scan_with_ids | |-> nand_scan_tail | |-> kfree(chip->data_buf) [First free] | |-> nand_cleanup |-> kfree(chip->data_buf) [Double free here] Fix this by removing nand_cleanup() on failure of nand_scan(). Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/linux-mtd/20231214072946.10285-1-dinghao.liu@zju.edu.cn
diff --git a/drivers/mtd/nand/raw/diskonchip.c b/drivers/mtd/nand/raw/diskonchip.c
@@ -1491,10 +1491,12 @@ static int __init doc_probe(unsigned long physadr)
 	else
 		numchips = doc2001_init(mtd);
 
-	if ((ret = nand_scan(nand, numchips)) || (ret = doc->late_init(mtd))) {
-		/* DBB note: i believe nand_cleanup is necessary here, as
-		   buffers may have been allocated in nand_base.  Check with
-		   Thomas. FIX ME! */
+	ret = nand_scan(nand, numchips);
+	if (ret)
+		goto fail;
+
+	ret = doc->late_init(mtd);
+	if (ret) {
 		nand_cleanup(nand);
 		goto fail;
 	}
