intel_th_device_add_resources() stores a kmemdup()'d resource array in
thdev->resource. The array is released from the device release callback
via intel_th_device_release() -> intel_th_device_free().

If device_add() fails in intel_th_subdevice_alloc(), the error path first
frees thdev->resource manually and then calls put_device(). Since the
device has been initialized and has a release callback, put_device() can
drop the final reference and call intel_th_device_free(), which frees
thdev->resource again.

Fix the error path by letting the release callback handle thdev->resource
and jumping directly to put_device() after device_add() failure.

This issue was found by a static analysis tool I am developing.

Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/hwtracing/intel_th/core.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/hwtracing/intel_th/core.c b/drivers/hwtracing/intel_th/core.c
index 3924e63e2eee..1d33c9e42c59 100644
--- a/drivers/hwtracing/intel_th/core.c
+++ b/drivers/hwtracing/intel_th/core.c
@@ -683,7 +683,7 @@ intel_th_subdevice_alloc(struct intel_th *th,
 
 	err = device_add(&thdev->dev);
 	if (err)
-		goto fail_free_res;
+		goto fail_put_device;
 
 	/* need switch driver to be loaded to enumerate the rest */
 	if (subdev->type == INTEL_TH_SWITCH && !req) {
@@ -694,9 +694,6 @@ intel_th_subdevice_alloc(struct intel_th *th,
 
 	return thdev;
 
-fail_free_res:
-	kfree(thdev->resource);
-
 fail_put_device:
 	put_device(&thdev->dev);
 
-- 
2.43.0