On 2018-01-08 14:34, Matthias Schwarzott wrote:
> On 05.01.2018 at 15:57, Brad Love wrote:
>> Both lgdt3306a_release and lgdt3306a_remove kfree state, but _release is
>> called first, then _remove operates on state's members before kfree'ing it.
>> This can lead to random oops/GPF/etc on USB disconnect.
>>
> lgdt3306a_release does nothing but the kfree. So the exact same effect
> can be achieved by setting state->frontend.ops.release to NULL. This
> needs to be done already at probe time I think.
> lgdt3306a_remove does this, but too late (after the call to release).
>
> Regards
> Matthias

Hi Matthias,

I agree. This was my rationale in the previous patch:

/patch/46328

Both methods handle the issue. I thought the previous attempt was fairly clean, but it did not pass review, so I provided this solution.

Cheers,

Brad

>> Signed-off-by: Brad Love <brad@xxxxxxxxxxxxxxxx>
>> --- >> drivers/media/dvb-frontends/lgdt3306a.c | 8 +++++++- >> 1 file changed, 7 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/media/dvb-frontends/lgdt3306a.c b/drivers/media/dvb-frontends/lgdt3306a.c >> index d370671..3642e6e 100644 >> --- a/drivers/media/dvb-frontends/lgdt3306a.c >> +++ b/drivers/media/dvb-frontends/lgdt3306a.c >> @@ -1768,7 +1768,13 @@ static void lgdt3306a_release(struct dvb_frontend *fe) >> struct lgdt3306a_state *state = fe->demodulator_priv; >> >> dbg_info("\n"); >> - kfree(state); >> + >> + /* >> + * If state->muxc is not NULL, then we are an i2c device >> + * and lgdt3306a_remove will clean up state >> + */ >> + if (!state->muxc) >> + kfree(state); >> } >> >> static const struct dvb_frontend_ops lgdt3306a_ops; >>
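
Review bot: The `if (!state->muxc)` test in lgdt3306a_release makes ownership of state depend on an invariant that this hunk does not establish or enforce: that muxc is non-NULL exactly when lgdt3306a_remove will run and free state. If an i2c-bound instance ever reaches release with muxc still NULL, the double kfree described in the commit message returns, and if muxc is set on a path where lgdt3306a_remove never runs, state is leaked. The comment should name where muxc is assigned and state that it must be set before the frontend can be released, or the ownership should be made explicit instead, for example by clearing state->frontend.ops.release at probe time as suggested in the reply, so release is never called for the i2c case. Also note that the old `kfree(state)` tolerated a NULL fe->demodulator_priv, while `state->muxc` now dereferences it unconditionally; if that pointer can be NULL on any release path, a guard is needed.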