media: lgdt3306a: Fix a double kfree on i2c device remove

Both lgdt33606a_release and lgdt3306a_remove kfree state, but _release is called first, then _remove operates on states members before kfree'ing it. This can lead to random oops/GPF/etc on USB disconnect. Signed-off-by: N Brad Love <brad@nextdimension.cc> Signed-off-by: N Mauro Carvalho Chehab <mchehab@s-opensource.com>

media: lgdt3306a: Fix a double kfree on i2c device remove
Both lgdt33606a_release and lgdt3306a_remove kfree state, but _release is called first, then _remove operates on states members before kfree'ing it. This can lead to random oops/GPF/etc on USB disconnect. Signed-off-by: N Brad Love <brad@nextdimension.cc> Signed-off-by: N Mauro Carvalho Chehab <mchehab@s-opensource.com>
94448e21 · Brad Love · Mauro Carvalho Chehab · 835d6617 · 94448e21
隐藏空白更改
内联并排

Showing with 7 addition and 1 deletion

drivers/media/dvb-frontends/lgdt3306a.c drivers/media/dvb-frontends/lgdt3306a.c +7 -1

未找到文件。
--- a/drivers/media/dvb-frontends/lgdt3306a.c
+++ b/drivers/media/dvb-frontends/lgdt3306a.c
@@ -1814,7 +1814,13 @@ static void lgdt3306a_release(struct dvb_frontend *fe)
 	struct lgdt3306a_state *state = fe->demodulator_priv;
 	dbg_info("\n");
-	kfree(state);
+	/*
+	 * If state->muxc is not NULL, then we are an i2c device
+	 * and lgdt3306a_remove will clean up state
+	 */
+	if (!state->muxc)
+		kfree(state);
 }
 static const struct dvb_frontend_ops lgdt3306a_ops;