video: adf: use rb_erase in adf_obj_destroy.

Not calling rb_erase() can cause slab corruption, as the rb_first() call after kfree() in adf_obj_destroy() can return the same node twice unless it is erased. This problem was reproduced by unloading a kernel module that used the adf framework *after* a vsync event was registered. A crash would occur in rb_first(). (Just loading and immediately unloading the module without the vsync event worked correctly.) Change-Id: I9fa7cb5d7519691e38a281439844aa193da13d1b Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com> Cc: Jonathan Hamilton <jonathan.hamilton@imgtec.com> Cc: Greg Hackmann <ghackmann@google.com>
author: Alistair Strachan <alistair.strachan@imgtec.com> 2014-04-21 13:09:23 -0700
committer: John Stultz <john.stultz@linaro.org> 2016-02-16 13:53:21 -0800
commit: 5bd73006574639ab32df71debdb9322c9223b420 (patch)
tree: cb3d2a46777e0a802cbe43c5ff82ea1a3cdba2ac /drivers
parent: 37e5f3f7d4a15d429e2e6055d726e78b78931aba (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/video/adf/adf.c b/drivers/video/adf/adf.c
index e6ef144136c2..231881c2b355 100644
--- a/drivers/video/adf/adf.c
+++ b/drivers/video/adf/adf.c
@@ -494,6 +494,7 @@ static void adf_obj_destroy(struct adf_obj *obj, struct idr *idr)
 		struct adf_event_refcount *refcount =
 				container_of(node, struct adf_event_refcount,
 						node);
+		rb_erase(&refcount->node, &obj->event_refcount);
 		kfree(refcount);
 		node = rb_first(&obj->event_refcount);
 	}
author	Alistair Strachan <alistair.strachan@imgtec.com>	2014-04-21 13:09:23 -0700
committer	John Stultz <john.stultz@linaro.org>	2016-02-16 13:53:21 -0800
commit	5bd73006574639ab32df71debdb9322c9223b420 (patch)
tree	cb3d2a46777e0a802cbe43c5ff82ea1a3cdba2ac /drivers
parent	37e5f3f7d4a15d429e2e6055d726e78b78931aba (diff)