From d2c3a9ad53012bb3fd918fa0bd851da2bc092d8b Mon Sep 17 00:00:00 2001
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Date: Thu, 28 Sep 2023 11:33:53 +0300
Subject: [PATCH 0639/1085] media: rp1: cfe: Fix use of freed memory on errors

cfe_probe_complete() calls cfe_put() on both success and fail code paths.
This works for the success path, but causes the cfe_device struct to be
freed, even if it will be used later in the teardown code.

Fix this by making the ref handling a bit saner: Let the video nodes
have the refs as they do now, but also keep a ref in the "main" driver,
released only at cfe_remove() time. This way the driver does not depend
on the video nodes keeping the refs.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
---
 drivers/media/platform/raspberrypi/rp1_cfe/cfe.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

--- a/drivers/media/platform/raspberrypi/rp1_cfe/cfe.c
+++ b/drivers/media/platform/raspberrypi/rp1_cfe/cfe.c
@@ -1837,17 +1837,10 @@ static int cfe_probe_complete(struct cfe
 		goto unregister;
 	}
 
-	/*
-	 * Release the initial reference, all references are now owned by the
-	 * video devices.
-	 */
-	cfe_put(cfe);
 	return 0;
 
 unregister:
 	cfe_unregister_nodes(cfe);
-	cfe_put(cfe);
-
 	return ret;
 }
 
@@ -2129,6 +2122,8 @@ static int cfe_remove(struct platform_de
 
 	v4l2_device_unregister(&cfe->v4l2_dev);
 
+	cfe_put(cfe);
+
 	return 0;
 }