media: lgdt3306a: Fix a double kfree on i2c device remove

[ Upstream commit 94448e21cf08b10f7dc7acdaca387594370396b0 ]

Both lgdt33606a_release and lgdt3306a_remove kfree state, but _release is
called first, then _remove operates on states members before kfree'ing it.
This can lead to random oops/GPF/etc on USB disconnect.

Signed-off-by: Brad Love <brad@nextdimension.cc>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/media/dvb-frontends/lgdt3306a.c b/drivers/media/dvb-frontends/lgdt3306a.c
index b964ea6020c97648492f9458bb0b868ca3603e18..fbb3b2f49d2d22208640c1637b441961b0d1cfda 100644 (file)
--- a/drivers/media/dvb-frontends/lgdt3306a.c
+++ b/drivers/media/dvb-frontends/lgdt3306a.c
@@ -1767,7 +1767,13 @@ static void lgdt3306a_release(struct dvb_frontend *fe)
        struct lgdt3306a_state *state = fe->demodulator_priv;
 
        dbg_info("\n");
-       kfree(state);
+
+       /*
+        * If state->muxc is not NULL, then we are an i2c device
+        * and lgdt3306a_remove will clean up state
+        */
+       if (!state->muxc)
+               kfree(state);
 }
 
 static const struct dvb_frontend_ops lgdt3306a_ops;