media: s3c-camif: Avoid inappropriate kfree()

[ Upstream commit 61334819aca018c3416ee6c330a08a49c1524fc3 ]

s3c_camif_register_video_node() works with video_device structure stored
as a field of camif_vp, so it should not be kfreed.
But there is video_device_release() on error path that do it.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/media/platform/samsung/s3c-camif/camif-capture.c b/drivers/media/platform/samsung/s3c-camif/camif-capture.c
index 76634d242b10305b7e02cb16a4886e39d5b2afb6..0f5b3845d7b94f6af7c974d416aa589a0e391b1b 100644 (file)
--- a/drivers/media/platform/samsung/s3c-camif/camif-capture.c
+++ b/drivers/media/platform/samsung/s3c-camif/camif-capture.c
@@ -1133,12 +1133,12 @@ int s3c_camif_register_video_node(struct camif_dev *camif, int idx)
 
        ret = vb2_queue_init(q);
        if (ret)
-               goto err_vd_rel;
+               return ret;
 
        vp->pad.flags = MEDIA_PAD_FL_SINK;
        ret = media_entity_pads_init(&vfd->entity, 1, &vp->pad);
        if (ret)
-               goto err_vd_rel;
+               return ret;
 
        video_set_drvdata(vfd, vp);
 
@@ -1171,8 +1171,6 @@ err_ctrlh_free:
        v4l2_ctrl_handler_free(&vp->ctrl_handler);
 err_me_cleanup:
        media_entity_cleanup(&vfd->entity);
-err_vd_rel:
-       video_device_release(vfd);
        return ret;
 }