From patchwork Thu Dec 10 17:33:56 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mauro Carvalho Chehab X-Patchwork-Id: 7820921 Return-Path: X-Original-To: patchwork-linux-media@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id EBFC3BEEE1 for ; Thu, 10 Dec 2015 17:34:21 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 3EA8320524 for ; Thu, 10 Dec 2015 17:34:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D6C6520592 for ; Thu, 10 Dec 2015 17:34:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755042AbbLJReM (ORCPT ); Thu, 10 Dec 2015 12:34:12 -0500 Received: from bombadil.infradead.org ([198.137.202.9]:34785 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754999AbbLJReK (ORCPT ); Thu, 10 Dec 2015 12:34:10 -0500 Received: from 201.47.149.17.dynamic.adsl.gvt.net.br ([201.47.149.17] helo=smtp.w2.samsung.com) by bombadil.infradead.org with esmtpsa (Exim 4.80.1 #2 (Red Hat Linux)) id 1a756X-0007Ms-PO; Thu, 10 Dec 2015 17:34:10 +0000 Received: from mchehab by smtp.w2.samsung.com with local (Exim 4.86) (envelope-from ) id 1a756M-0005Z4-Uj; Thu, 10 Dec 2015 15:33:58 -0200 From: Mauro Carvalho Chehab Cc: Mauro Carvalho Chehab , Linux Media Mailing List , Mauro Carvalho Chehab Subject: [PATCH] [media] media-entity: fix backlink removal on __media_entity_remove_link() Date: Thu, 10 Dec 2015 15:33:56 -0200 Message-Id: X-Mailer: git-send-email 2.5.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The logic is testing if num_links==0 at the wrong place. Due to that, a backlink may be kept without removal, causing KASAN to complain about usage after free during either entity or link removal. Signed-off-by: Mauro Carvalho Chehab --- drivers/media/media-entity.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/media/media-entity.c b/drivers/media/media-entity.c index d7243cb56c79..d9d42fab22ad 100644 --- a/drivers/media/media-entity.c +++ b/drivers/media/media-entity.c @@ -662,13 +662,13 @@ static void __media_entity_remove_link(struct media_entity *entity, if (link->source->entity == entity) remote->num_backlinks--; - if (--remote->num_links == 0) - break; - /* Remove the remote link */ list_del(&rlink->list); media_gobj_remove(&rlink->graph_obj); kfree(rlink); + + if (--remote->num_links == 0) + break; } list_del(&link->list); media_gobj_remove(&link->graph_obj);