rtc: class: fix double free in rtc_register_device() error path

Commit 59cca865f21e ("drivers/rtc/class.c: fix device_register() error
handling") correctly noted that naked kfree() should not be used after
failed device_register() call, however, while it added the needed
put_device() it forgot to remove the original kfree() causing double-free.

Cc: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>

diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c
index ea2a315df6b7bb5fb8fcae65cf4d21ce054f94b0..eb82ec2a21bd845eb07e3b2db872c8a63d18ae8c 100644 (file)
--- a/drivers/rtc/class.c
+++ b/drivers/rtc/class.c
@@ -234,8 +234,9 @@ struct rtc_device *rtc_device_register(const char *name, struct device *dev,
 
        err = device_register(&rtc->dev);
        if (err) {
+               /* This will free both memory and the ID */
                put_device(&rtc->dev);
-               goto exit_kfree;
+               goto exit;
        }
 
        rtc_dev_add_device(rtc);
@@ -247,9 +248,6 @@ struct rtc_device *rtc_device_register(const char *name, struct device *dev,
 
        return rtc;
 
-exit_kfree:
-       kfree(rtc);
-
 exit_ida:
        ida_simple_remove(&rtc_ida, id);