From 5bd73006574639ab32df71debdb9322c9223b420 Mon Sep 17 00:00:00 2001
From: Alistair Strachan <alistair.strachan@imgtec.com>
Date: Mon, 21 Apr 2014 13:09:23 -0700
Subject: [PATCH] video: adf: use rb_erase in adf_obj_destroy.

Not calling rb_erase() can cause slab corruption, as the rb_first() call
after kfree() in adf_obj_destroy() can return the same node twice unless
it is erased.

This problem was reproduced by unloading a kernel module that used the
adf framework *after* a vsync event was registered. A crash would occur
in rb_first(). (Just loading and immediately unloading the module without
the vsync event worked correctly.)

Change-Id: I9fa7cb5d7519691e38a281439844aa193da13d1b
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
Cc: Jonathan Hamilton <jonathan.hamilton@imgtec.com>
Cc: Greg Hackmann <ghackmann@google.com>
---
 drivers/video/adf/adf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/video/adf/adf.c b/drivers/video/adf/adf.c
index e6ef144136c2..231881c2b355 100644
--- a/drivers/video/adf/adf.c
+++ b/drivers/video/adf/adf.c
@@ -494,6 +494,7 @@ static void adf_obj_destroy(struct adf_obj *obj, struct idr *idr)
 		struct adf_event_refcount *refcount =
 				container_of(node, struct adf_event_refcount,
 						node);
+		rb_erase(&refcount->node, &obj->event_refcount);
 		kfree(refcount);
 		node = rb_first(&obj->event_refcount);
 	}
-- 
2.34.1