mtd: rawnand: diskonchip: fix a potential double free in doc_probe

When nand_scan() fails, it has cleaned up related resources
in its error paths. Therefore, the following nand_cleanup()
may lead to a double-free. One possible trace is:

doc_probe
  |-> nand_scan
  |     |-> nand_scan_with_ids
  |           |-> nand_scan_tail
  |                 |-> kfree(chip->data_buf) [First free]
  |
  |-> nand_cleanup
        |-> kfree(chip->data_buf) [Double free here]

Fix this by removing nand_cleanup() on failure of
nand_scan().

Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20231214072946.10285-1-dinghao.liu@zju.edu.cn

Author: dinghaoliu

drivers/mtd/nand/raw/diskonchip.c

@@ -1491,10 +1491,12 @@ static int __init doc_probe(unsigned long physadr)
 	else
 		numchips = doc2001_init(mtd);
 
-	if ((ret = nand_scan(nand, numchips)) || (ret = doc->late_init(mtd))) {
-		/* DBB note: i believe nand_cleanup is necessary here, as
-		   buffers may have been allocated in nand_base.  Check with
-		   Thomas. FIX ME! */
+	ret = nand_scan(nand, numchips);
+	if (ret)
+		goto fail;
+
+	ret = doc->late_init(mtd);
+	if (ret) {
 		nand_cleanup(nand);
 		goto fail;
 	}