From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Date: Thu, 10 Dec 2015 17:29:22 +0000 (-0200)
Subject: [media] media-entity: fix backlink removal on __media_entity_remove_link()
X-Git-Tag: v4.5-rc1~115^2~108
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=eb83a5176801d53f9f78eff8c0bf03e627110206;p=karo-tx-linux.git

[media] media-entity: fix backlink removal on __media_entity_remove_link()

The logic is testing if num_links==0 at the wrong place. Due to
that, a backlink may be kept without removal, causing KASAN
to complain about usage after free during either entity or
link removal.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---

diff --git a/drivers/media/media-entity.c b/drivers/media/media-entity.c
index d7243cb56c79..d9d42fab22ad 100644
--- a/drivers/media/media-entity.c
+++ b/drivers/media/media-entity.c
@@ -662,13 +662,13 @@ static void __media_entity_remove_link(struct media_entity *entity,
 		if (link->source->entity == entity)
 			remote->num_backlinks--;
 
-		if (--remote->num_links == 0)
-			break;
-
 		/* Remove the remote link */
 		list_del(&rlink->list);
 		media_gobj_remove(&rlink->graph_obj);
 		kfree(rlink);
+
+		if (--remote->num_links == 0)
+			break;
 	}
 	list_del(&link->list);
 	media_gobj_remove(&link->graph_obj);