[media] media-entity: fix backlink removal on __media_entity_remove_link()

The logic is testing if num_links==0 at the wrong place. Due to
that, a backlink may be kept without removal, causing KASAN
to complain about usage after free during either entity or
link removal.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

1 files changed, 3 insertions, 3 deletions

diff --git a/drivers/media/media-entity.c b/drivers/media/media-entity.c
index d7243cb56c79..d9d42fab22ad 100644
--- a/drivers/media/media-entity.c
+++ b/drivers/media/media-entity.c
@@ -662,13 +662,13 @@ static void __media_entity_remove_link(struct media_entity *entity,
 		if (link->source->entity == entity)
 			remote->num_backlinks--;
 
-		if (--remote->num_links == 0)
-			break;
-
 		/* Remove the remote link */
 		list_del(&rlink->list);
 		media_gobj_remove(&rlink->graph_obj);
 		kfree(rlink);
+
+		if (--remote->num_links == 0)
+			break;
 	}
 	list_del(&link->list);
 	media_gobj_remove(&link->graph_obj);