mtd: rawnand: diskonchip: fix a potential double free in doc_probe

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

When nand_scan() fails, it has cleaned up related resources
in its error paths. Therefore, the following nand_cleanup()
may lead to a double-free. One possible trace is:

doc_probe
|-> nand_scan
| |-> nand_scan_with_ids
| |-> nand_scan_tail
| |-> kfree(chip->data_buf) [First free]
|
|-> nand_cleanup
|-> kfree(chip->data_buf) [Double free here]

Fix this by removing nand_cleanup() on failure of
nand_scan().

Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20231214072946.10285-1-dinghao.liu@zju.edu.cn

authored by

Dinghao Liu and committed by

Miquel Raynal 2 years ago 2b8aa4c3 b6c985dd

+6 -4

1 changed file

expand all

drivers

mtd

nand

raw

diskonchip.c

+6 -4

drivers/mtd/nand/raw/diskonchip.c

··· 1491 1491 else 1492 1492 numchips = doc2001_init(mtd); 1493 1493 1494 - if ((ret = nand_scan(nand, numchips)) || (ret = doc->late_init(mtd))) { 1495 - /* DBB note: i believe nand_cleanup is necessary here, as 1496 - buffers may have been allocated in nand_base. Check with 1497 - Thomas. FIX ME! */ 1494 + ret = nand_scan(nand, numchips); 1495 + if (ret) 1496 + goto fail; 1497 + 1498 + ret = doc->late_init(mtd); 1499 + if (ret) { 1498 1500 nand_cleanup(nand); 1499 1501 goto fail; 1500 1502 }