media: mediatek: vcodec: Fix potential crash in mtk_vcodec_dbgfs_remove()

The list iterator "dbgfs_inst" is always non-NULL.  This means that the
test for NULL inside the loop is unnecessary and it also means that the
test for NULL outside the loop will not work.  If we do not find the item
on the list with the correct the ctx_id then it will free invalid memory
leading to a crash.

Fixes: cd403a6a0419 ("media: mediatek: vcodec: Add a debugfs file to get different useful information")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>

diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c
index b5cdbbf..2ebf68d 100644 (file)
--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c
+++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c
@@ -168,14 +168,11 @@ void mtk_vcodec_dbgfs_remove(struct mtk_vcodec_dev *vcodec_dev, int ctx_id)
        list_for_each_entry(dbgfs_inst, &vcodec_dev->dbgfs.dbgfs_head, node) {
                if (dbgfs_inst->inst_id == ctx_id) {
                        vcodec_dev->dbgfs.inst_count--;
-                       break;
+                       list_del(&dbgfs_inst->node);
+                       kfree(dbgfs_inst);
+                       return;
                }
        }
-
-       if (dbgfs_inst) {
-               list_del(&dbgfs_inst->node);
-               kfree(dbgfs_inst);
-       }
 }
 EXPORT_SYMBOL_GPL(mtk_vcodec_dbgfs_remove);