projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a9709e4)
[media] media-entity: fix backlink removal on __media_entity_remove_link()
authorMauro Carvalho Chehab <mchehab@osg.samsung.com>
Thu, 10 Dec 2015 17:29:22 +0000 (15:29 -0200)
committerMauro Carvalho Chehab <mchehab@osg.samsung.com>
Mon, 11 Jan 2016 14:18:57 +0000 (12:18 -0200)
The logic is testing if num_links==0 at the wrong place. Due to
that, a backlink may be kept without removal, causing KASAN
to complain about usage after free during either entity or
link removal.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
drivers/media/media-entity.c patch | blob | blame | history

diff --git a/drivers/media/media-entity.c b/drivers/media/media-entity.c
index d7243cb56c79d1ea7f4ae745abd884b91b350722..d9d42fab22ad2878df885879c0bce77a35d47d09 100644 (file)
--- a/drivers/media/media-entity.c
+++ b/drivers/media/media-entity.c
@@ -662,13 +662,13 @@ static void __media_entity_remove_link(struct media_entity *entity,
                if (link->source->entity == entity)
                        remote->num_backlinks--;
 
-               if (--remote->num_links == 0)
-                       break;
-
                /* Remove the remote link */
                list_del(&rlink->list);
                media_gobj_remove(&rlink->graph_obj);
                kfree(rlink);
+
+               if (--remote->num_links == 0)
+                       break;
        }
        list_del(&link->list);
        media_gobj_remove(&link->graph_obj);