[PATCH 2/2] lgdt3306a: Fix a double kfree on i2c device remove

Brad Love Fri, 05 Jan 2018 06:58:17 -0800

Both lgdt33606a_release and lgdt3306a_remove kfree state, but _release is
called first, then _remove operates on states members before kfree'ing it.
This can lead to random oops/GPF/etc on USB disconnect.


Signed-off-by: Brad Love <b...@nextdimension.cc>
---
 drivers/media/dvb-frontends/lgdt3306a.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-frontends/lgdt3306a.c 
b/drivers/media/dvb-frontends/lgdt3306a.c
index d370671..3642e6e 100644
--- a/drivers/media/dvb-frontends/lgdt3306a.c
+++ b/drivers/media/dvb-frontends/lgdt3306a.c
@@ -1768,7 +1768,13 @@ static void lgdt3306a_release(struct dvb_frontend *fe)
        struct lgdt3306a_state *state = fe->demodulator_priv;
 
        dbg_info("\n");
-       kfree(state);
+
+       /*
+        * If state->muxc is not NULL, then we are an i2c device
+        * and lgdt3306a_remove will clean up state
+        */
+       if (!state->muxc)
+               kfree(state);
 }
 
 static const struct dvb_frontend_ops lgdt3306a_ops;
-- 
2.7.4

[PATCH 2/2] lgdt3306a: Fix a double kfree on i2c device remove

Reply via email to