From: Alistair Strachan Date: Mon, 21 Apr 2014 20:09:23 +0000 (-0700) Subject: video: adf: use rb_erase in adf_obj_destroy. X-Git-Tag: firefly_0821_release~2958^2~212 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=5bd73006574639ab32df71debdb9322c9223b420;p=firefly-linux-kernel-4.4.55.git video: adf: use rb_erase in adf_obj_destroy. Not calling rb_erase() can cause slab corruption, as the rb_first() call after kfree() in adf_obj_destroy() can return the same node twice unless it is erased. This problem was reproduced by unloading a kernel module that used the adf framework *after* a vsync event was registered. A crash would occur in rb_first(). (Just loading and immediately unloading the module without the vsync event worked correctly.) Change-Id: I9fa7cb5d7519691e38a281439844aa193da13d1b Signed-off-by: Alistair Strachan Cc: Jonathan Hamilton Cc: Greg Hackmann --- diff --git a/drivers/video/adf/adf.c b/drivers/video/adf/adf.c index e6ef144136c2..231881c2b355 100644 --- a/drivers/video/adf/adf.c +++ b/drivers/video/adf/adf.c @@ -494,6 +494,7 @@ static void adf_obj_destroy(struct adf_obj *obj, struct idr *idr) struct adf_event_refcount *refcount = container_of(node, struct adf_event_refcount, node); + rb_erase(&refcount->node, &obj->event_refcount); kfree(refcount); node = rb_first(&obj->event_refcount); }
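Review bot: The ordering in the hunk is the critical part and it is correct: `rb_erase(&refcount->node, &obj->event_refcount);` must come before `kfree(refcount);`, since rb_erase reads and rewrites the node's parent/child links and would otherwise touch freed memory. Before this change the loop freed the node and then called `rb_first(&obj->event_refcount)` on a tree that still linked to it, so the next iteration operated on freed memory (the slab corruption and rb_first() crash described in the message). Two follow-ups worth considering: a one-line comment above the loop stating that the tree must be unlinked node by node because each entry is freed as it is removed, and, if the tree does not need to stay consistent during teardown, the simpler rbtree_postorder_for_each_entry_safe() walk from include/linux/rbtree.h, which frees every entry in one pass without the repeated rb_first()/rb_erase() rebalancing; the current form is also fine, just more work per node.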