From eb83a5176801d53f9f78eff8c0bf03e627110206 Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Date: Thu, 10 Dec 2015 15:29:22 -0200
Subject: [media] media-entity: fix backlink removal on
 __media_entity_remove_link()

The logic is testing if num_links==0 at the wrong place. Due to
that, a backlink may be kept without removal, causing KASAN
to complain about usage after free during either entity or
link removal.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

diff --git a/drivers/media/media-entity.c b/drivers/media/media-entity.c
index d7243cb..d9d42fa 100644
--- a/drivers/media/media-entity.c
+++ b/drivers/media/media-entity.c
@@ -662,13 +662,13 @@ static void __media_entity_remove_link(struct media_entity *entity,
 		if (link->source->entity == entity)
 			remote->num_backlinks--;
 
-		if (--remote->num_links == 0)
-			break;
-
 		/* Remove the remote link */
 		list_del(&rlink->list);
 		media_gobj_remove(&rlink->graph_obj);
 		kfree(rlink);
+
+		if (--remote->num_links == 0)
+			break;
 	}
 	list_del(&link->list);
 	media_gobj_remove(&link->graph_obj);
-- 
cgit v0.10.2