[PATCH] media: helene: fix possible double free in helene_probe()

Guangshuo Li posted 1 patch 1 month, 1 week ago
drivers/media/dvb-frontends/helene.c | 1 +
1 file changed, 1 insertion(+)
Posted by Guangshuo Li 1 month, 1 week ago
helene_probe() allocates the private data with devm_kzalloc(), so the
memory is managed by the i2c client's device and will be released
automatically on driver detach.

However, helene_probe() copies helene_tuner_ops into fe->ops.tuner_ops,
including the .release callback.  helene_release() frees fe->tuner_priv
with kfree(), which is correct for the non-devm helene_attach() paths,
but not for the devm allocation used by helene_probe().

Clear the .release callback in the i2c probe path after copying the
tuner ops, so the devm-managed private data is not freed by
helene_release().

This issue was found by a static analysis tool I am developing.

Fixes: 817dc4b579d8 ("media: helene: add I2C device probe function")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/media/dvb-frontends/helene.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/dvb-frontends/helene.c b/drivers/media/dvb-frontends/helene.c
index 1402d124544e..1ff8c06d06fb 100644
--- a/drivers/media/dvb-frontends/helene.c
+++ b/drivers/media/dvb-frontends/helene.c
@@ -1091,6 +1091,7 @@ static int helene_probe(struct i2c_client *client)
 
 	memcpy(&fe->ops.tuner_ops, &helene_tuner_ops,
 	       sizeof(struct dvb_tuner_ops));
+	fe->ops.tuner_ops.release = NULL;
 	fe->tuner_priv = priv;
 	i2c_set_clientdata(client, priv);
 
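Review bot: The added `fe->ops.tuner_ops.release = NULL;` right after the memcpy() carries no comment, so a later reader could take it for a leftover and drop it, or move it above the memcpy() where the copy would overwrite it. Add a one-line comment saying that priv is devm-managed in the i2c probe path and must not be freed through helene_release(), as the commit message explains. The fix also depends on every caller of tuner_ops.release tolerating a NULL callback, which this hunk does not show; stating in the commit message that this was checked would make the change easier to accept for stable.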
-- 
2.43.0