media: vim2m: fix two double-free issues

vim2m_device_release() will be called by video_unregister_device() to release
various objects.

There are two double-free issue,
1. dev->m2m_dev will be freed twice in error_m2m path/vim2m_device_release
2. the error_v4l2 and error_free path in vim2m_probe() will release
   same objects, since vim2m_device_release has done.

Fixes: ea6c7e34f3b2 ("media: vim2m: replace devm_kzalloc by kzalloc")

Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

diff --git a/drivers/media/platform/vim2m.c b/drivers/media/platform/vim2m.c
index 243c82b..acd3bd4 100644 (file)
--- a/drivers/media/platform/vim2m.c
+++ b/drivers/media/platform/vim2m.c
@@ -1359,7 +1359,7 @@ static int vim2m_probe(struct platform_device *pdev)
                                                 MEDIA_ENT_F_PROC_VIDEO_SCALER);
        if (ret) {
                v4l2_err(&dev->v4l2_dev, "Failed to init mem2mem media controller\n");
-               goto error_m2m;
+               goto error_dev;
        }
 
        ret = media_device_register(&dev->mdev);
@@ -1373,11 +1373,11 @@ static int vim2m_probe(struct platform_device *pdev)
 #ifdef CONFIG_MEDIA_CONTROLLER
 error_m2m_mc:
        v4l2_m2m_unregister_media_controller(dev->m2m_dev);
-error_m2m:
-       v4l2_m2m_release(dev->m2m_dev);
 #endif
 error_dev:
        video_unregister_device(&dev->vfd);
+       /* vim2m_device_release called by video_unregister_device to release various objects */
+       return ret;
 error_v4l2:
        v4l2_device_unregister(&dev->v4l2_dev);
 error_free: