video: fbdev: w100fb: Reset global state

[ Upstream commit 8738ddcac644964ae128ccd3d80d48773c8d528e ]

w100fb_probe() did not reset the global state to its initial state. This
can result in invocation of iounmap() even when there was not the
appropriate successful call of ioremap(). For instance, this may be the
case if first probe fails after two successful ioremap() while second
probe fails when first ioremap() fails. The similar issue is with
w100fb_remove(). The patch fixes both bugs.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
Co-developed-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
Signed-off-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/video/fbdev/w100fb.c b/drivers/video/fbdev/w100fb.c
index d96ab28..4e641a7 100644 (file)
--- a/drivers/video/fbdev/w100fb.c
+++ b/drivers/video/fbdev/w100fb.c
@@ -770,12 +770,18 @@ out:
                fb_dealloc_cmap(&info->cmap);
                kfree(info->pseudo_palette);
        }
-       if (remapped_fbuf != NULL)
+       if (remapped_fbuf != NULL) {
                iounmap(remapped_fbuf);
-       if (remapped_regs != NULL)
+               remapped_fbuf = NULL;
+       }
+       if (remapped_regs != NULL) {
                iounmap(remapped_regs);
-       if (remapped_base != NULL)
+               remapped_regs = NULL;
+       }
+       if (remapped_base != NULL) {
                iounmap(remapped_base);
+               remapped_base = NULL;
+       }
        if (info)
                framebuffer_release(info);
        return err;
@@ -795,8 +801,11 @@ static int w100fb_remove(struct platform_device *pdev)
        fb_dealloc_cmap(&info->cmap);
 
        iounmap(remapped_base);
+       remapped_base = NULL;
        iounmap(remapped_regs);
+       remapped_regs = NULL;
        iounmap(remapped_fbuf);
+       remapped_fbuf = NULL;
 
        framebuffer_release(info);