[media] v4l2-device: fix 'use-after-freed' oops

Fix a bug in v4l2_device_unregister where the sd pointer can be dereferenced
after it was freed.

Normally the i2c adapter is removed before this function is called. Removing
the adapter will also unregister all subdevs on that adapter, so generally
v4l2_device_unregister has nothing to do. However, in the case of a platform
i2c bus that bus is generally not freed.

In that case, after freeing the i2c subdevice the code will fall into the
second block when it tests if the subdev is a SPI device. But by that time
the subdev is already freed and the kernel oopses.

The fix is trivial: continue with the loop after freeing the i2c or spi
subdevice.
Signed-off-by: NHans Verkuil <hverkuil@xs4all.nl>
Reported-by: NDaniel Drake <dsd@laptop.org>
Signed-off-by: NMauro Carvalho Chehab <mchehab@redhat.com>

drivers/media/video/v4l2-device.c

@@ -100,6 +100,7 @@ void v4l2_device_unregister(struct v4l2_device *v4l2_dev)
 			   is a platform bus, then it is never deleted. */
 			if (client)
 				i2c_unregister_device(client);
+			continue;
 		}
 #endif
 #if defined(CONFIG_SPI)
@@ -108,6 +109,7 @@ void v4l2_device_unregister(struct v4l2_device *v4l2_dev)
 
 			if (spi)
 				spi_unregister_device(spi);
+			continue;
 		}
 #endif
 	}