media: mediatek: vcodec: Fix potential crash in mtk_vcodec_dbgfs_remove()

The list iterator "dbgfs_inst" is always non-NULL.  This means that the
test for NULL inside the loop is unnecessary and it also means that the
test for NULL outside the loop will not work.  If we do not find the item
on the list with the correct the ctx_id then it will free invalid memory
leading to a crash.

Fixes: cd403a6a0419 ("media: mediatek: vcodec: Add a debugfs file to get different useful information")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>

diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c
index b5cdbbfcc388dbe63aea12e70065df47226b09cb..2ebf68d33d57ae35134738d2b60525656b21e78c 100644 (file)
--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c
+++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c
@@ -168,14 +168,11 @@ void mtk_vcodec_dbgfs_remove(struct mtk_vcodec_dev *vcodec_dev, int ctx_id)
        list_for_each_entry(dbgfs_inst, &vcodec_dev->dbgfs.dbgfs_head, node) {
                if (dbgfs_inst->inst_id == ctx_id) {
                        vcodec_dev->dbgfs.inst_count--;
-                       break;
+                       list_del(&dbgfs_inst->node);
+                       kfree(dbgfs_inst);
+                       return;
                }
        }
-
-       if (dbgfs_inst) {
-               list_del(&dbgfs_inst->node);
-               kfree(dbgfs_inst);
-       }
 }
 EXPORT_SYMBOL_GPL(mtk_vcodec_dbgfs_remove);