On Tue, Jul 24, 2018 at 06:10:38PM +0300, Anton Vasilyev wrote:
> static struct ro_vpd and rw_vpd are initialized by vpd_sections_init()
> in vpd_probe() based on header's ro and rw sizes.
> In vpd_remove() vpd_section_destroy() performs deinitialization based
> on enabled flag, which is set to true by vpd_sections_init().
> This leads to call of vpd_section_destroy() on already destroyed section
> for probe-release-probe-release sequence if first probe performs
> ro_vpd initialization and second probe does not initialize it.
> 
> The patch adds changing enabled flag on vpd_section_destroy and adds
> cleanup on the error path of vpd_sections_init.
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Signed-off-by: Anton Vasilyev <vasil...@ispras.ru>

Reviewed-by: Guenter Roeck <li...@roeck-us.net>

> ---
> v2: add cleanup on the error path of vpd_sections_init
> ---
>  drivers/firmware/google/vpd.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/firmware/google/vpd.c b/drivers/firmware/google/vpd.c
> index e9db895916c3..1aa67bb5d8c0 100644
> --- a/drivers/firmware/google/vpd.c
> +++ b/drivers/firmware/google/vpd.c
> @@ -246,6 +246,7 @@ static int vpd_section_destroy(struct vpd_section *sec)
>               sysfs_remove_bin_file(vpd_kobj, &sec->bin_attr);
>               kfree(sec->raw_name);
>               memunmap(sec->baseaddr);
> +             sec->enabled = false;
>       }
>  
>       return 0;
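Review bot: The added `sec->enabled = false;` resets only the flag, while `sec->raw_name` and `sec->baseaddr` in the section still hold the pointers just passed to kfree() and memunmap(). The flag alone is enough to stop the second destroy described in the commit message, but setting both pointers to NULL in the same block would mean any later path that bypasses the flag check hits a NULL pointer rather than freed or unmapped memory.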
> @@ -279,8 +280,10 @@ static int vpd_sections_init(phys_addr_t physaddr)
>               ret = vpd_section_init("rw", &rw_vpd,
>                                      physaddr + sizeof(struct vpd_cbmem) +
>                                      header.ro_size, header.rw_size);
> -             if (ret)
> +             if (ret) {
> +                     vpd_section_destroy(&ro_vpd);
>                       return ret;
> +             }
>       }
>  
>       return 0;
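Review bot: In the new error branch, `vpd_section_destroy(&ro_vpd);` is called unconditionally, including when the ro section was not set up by this call, so its safety depends on `sec->enabled` being false in that case. Across a probe-release-probe sequence that holds only with the `sec->enabled = false;` reset from the first hunk. A short comment here saying the call is a no-op for a disabled section would keep that dependency visible if the two hunks are ever split in a backport. The int return value is also dropped, which is fine while the function ends in `return 0;` as shown above.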
> -- 
> 2.18.0
> 
