isif_probe() invokes iounmap() on error handling paths, but it does not reset the global state. So, later it can invoke iounmap() even when ioremap() fails. This is the case also for isif_remove(). The patch resets the global state after invoking iounmap() to avoid this. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov <novikov@xxxxxxxxx>
---
 drivers/media/platform/davinci/isif.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/davinci/isif.c b/drivers/media/platform/davinci/isif.c
index c98edb67cfb2..c53cecd072b1 100644
--- a/drivers/media/platform/davinci/isif.c
+++ b/drivers/media/platform/davinci/isif.c
@@ -1075,10 +1075,14 @@ static int isif_probe(struct platform_device *pdev)
 release_mem_region(res->start, resource_size(res));
 i--;
 fail_nobase_res:
- if (isif_cfg.base_addr)
+ if (isif_cfg.base_addr) {
 iounmap(isif_cfg.base_addr);
- if (isif_cfg.linear_tbl0_addr)
+ isif_cfg.base_addr = NULL;
+ }
+ if (isif_cfg.linear_tbl0_addr) {
 iounmap(isif_cfg.linear_tbl0_addr);
+ isif_cfg.linear_tbl0_addr = NULL;
+ }
 while (i >= 0) {
 res = platform_get_resource(pdev, IORESOURCE_MEM, i);
@@ -1096,8 +1100,11 @@ static int isif_remove(struct platform_device *pdev)
 int i = 0;
 iounmap(isif_cfg.base_addr);
+ isif_cfg.base_addr = NULL;
 iounmap(isif_cfg.linear_tbl0_addr);
+ isif_cfg.linear_tbl0_addr = NULL;
 iounmap(isif_cfg.linear_tbl1_addr);
+ isif_cfg.linear_tbl1_addr = NULL;
 while (i < 3) {
 res = platform_get_resource(pdev, IORESOURCE_MEM, i);
 if (res)
--
2.16.4
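Review bot: The `fail_nobase_res` cleanup in isif_probe() unmaps and clears only `isif_cfg.base_addr` and `isif_cfg.linear_tbl0_addr`, while the isif_remove() hunk of the same patch also handles `isif_cfg.linear_tbl1_addr`. Whether the third mapping can be live when this label is reached depends on the probe loop above the hunk, which is not visible here. If it can, the stale-pointer problem the commit message describes remains for that field. The fix would be a third guarded block of the same shape ending in `isif_cfg.linear_tbl1_addr = NULL;`. If it cannot, a short comment at the label saying why would save the next reader from checking. isif_probe() begins above the hunk and its release loop continues below it.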
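Review bot: The three `= NULL` assignments added to isif_remove() have no comment explaining why a remove path clears fields it is finished with, so they read as redundant and are easy to drop in a later cleanup. The commit message gives the reason: `isif_cfg` is global state that a later isif_probe() error path tests before calling iounmap(). I would record that above the first call, e.g. `/* isif_cfg is global: clear each mapping so a later failed probe does not iounmap() it again */`. The calls here also stay unconditional while the probe error path checks each pointer first. It may be worth settling on one convention for both paths. isif_remove() continues past the end of the hunk.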