From 94448e21cf08b10f7dc7acdaca387594370396b0 Mon Sep 17 00:00:00 2001
From: Brad Love <brad@nextdimension.cc>
Date: Fri, 5 Jan 2018 09:57:13 -0500
Subject: [PATCH] media: lgdt3306a: Fix a double kfree on i2c device remove
Git-commit: 94448e21cf08b10f7dc7acdaca387594370396b0
Patch-mainline: v4.17-rc1
References: bsc#1051510

Both lgdt33606a_release and lgdt3306a_remove kfree state, but _release is
called first, then _remove operates on states members before kfree'ing it.
This can lead to random oops/GPF/etc on USB disconnect.

Signed-off-by: Brad Love <brad@nextdimension.cc>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Acked-by: Takashi Iwai <tiwai@suse.de>

---
 drivers/media/dvb-frontends/lgdt3306a.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/media/dvb-frontends/lgdt3306a.c
+++ b/drivers/media/dvb-frontends/lgdt3306a.c
@@ -1767,7 +1767,13 @@ static void lgdt3306a_release(struct dvb
 	struct lgdt3306a_state *state = fe->demodulator_priv;
 
 	dbg_info("\n");
-	kfree(state);
+
+	/*
+	 * If state->muxc is not NULL, then we are an i2c device
+	 * and lgdt3306a_remove will clean up state
+	 */
+	if (!state->muxc)
+		kfree(state);
 }
 
 static const struct dvb_frontend_ops lgdt3306a_ops;