From 6b6cf2b5debd42de39afd8ac84b60faeca62cfaf Mon Sep 17 00:00:00 2001
From: Dmitry Osipenko <digetx@gmail.com>
Date: Tue, 18 Aug 2020 02:50:48 +0300
Subject: mfd: core: Fix double-free in mfd_remove_devices_fn()

The pdev.mfd_cell is released by platform_device_release(), which is
invoked by platform_device_unregister(). Hence mfd_remove_devices_fn()
shouldn't release the cell variable. The double-free bug is reported KASAN
during of MFD driver module removal.

Fixes: 466a62d7642f ("mfd: core: Make a best effort attempt to match devices with the correct of_nodes")
Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
---
 drivers/mfd/mfd-core.c | 2 --
 1 file changed, 2 deletions(-)

(limited to 'drivers')

diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
index c3651f06684f..c50718e3db58 100644
--- a/drivers/mfd/mfd-core.c
+++ b/drivers/mfd/mfd-core.c
@@ -370,8 +370,6 @@ static int mfd_remove_devices_fn(struct device *dev, void *data)
 	regulator_bulk_unregister_supply_alias(dev, cell->parent_supplies,
 					       cell->num_parent_supplies);
 
-	kfree(cell);
-
 	platform_device_unregister(pdev);
 	return 0;
 }
-- 
cgit v1.2.3