@@ -166,16 +166,13 @@ void mtk_vcodec_dbgfs_remove(struct mtk_vcodec_dev *vcodec_dev, int ctx_id)
struct mtk_vcodec_dbgfs_inst *dbgfs_inst;
list_for_each_entry(dbgfs_inst, &vcodec_dev->dbgfs.dbgfs_head, node) {
- if (dbgfs_inst && dbgfs_inst->inst_id == ctx_id) {
+ if (dbgfs_inst->inst_id == ctx_id) {
vcodec_dev->dbgfs.inst_count--;
- break;
+ list_del(&dbgfs_inst->node);
+ kfree(dbgfs_inst);
+ return;
}
}
-
- if (dbgfs_inst) {
- list_del(&dbgfs_inst->node);
- kfree(dbgfs_inst);
- }
}
EXPORT_SYMBOL_GPL(mtk_vcodec_dbgfs_remove);
The list iterator "dbgfs_inst" is always non-NULL. This means that the test for NULL inside the loop is unnecessary and it also means that the test for NULL outside the loop will not work. If we do not find the item on the list with the correct the ctx_id then it will free invalid memory leading to a crash. Fixes: cd403a6a0419 ("media: mediatek: vcodec: Add a debugfs file to get different useful information") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- .../media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-)