video: adf: use rb_erase in adf_obj_destroy.

Not calling rb_erase() can cause slab corruption, as the rb_first() call after kfree() in adf_obj_destroy() can return the same node twice unless it is erased. This problem was reproduced by unloading a kernel module that used the adf framework *after* a vsync event was registered. A crash would occur in rb_first(). (Just loading and immediately unloading the module without the vsync event worked correctly.) Change-Id: I9fa7cb5d7519691e38a281439844aa193da13d1b Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com> Cc: Jonathan Hamilton <jonathan.hamilton@imgtec.com> Cc: Greg Hackmann <ghackmann@google.com>
2026-06-07 11:26:02 +09:00 · 2014-04-21 13:09:23 -07:00
parent 37e5f3f7d4
commit 5bd7300657
1 changed files with 1 additions and 0 deletions
--- a/drivers/video/adf/adf.c
+++ b/drivers/video/adf/adf.c
@@ -494,6 +494,7 @@ static void adf_obj_destroy(struct adf_obj *obj, struct idr *idr)
 		struct adf_event_refcount *refcount =
 				container_of(node, struct adf_event_refcount,
 						node);
+		rb_erase(&refcount->node, &obj->event_refcount);
 		kfree(refcount);
 		node = rb_first(&obj->event_refcount);
 	}