V4L/DVB (13132): fix use-after-free Oops, resulting from a driver-core API change
author Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Mon, 5 Oct 2009 15:54:54 +0000 (12:54 -0300)
committer Mauro Carvalho Chehab <mchehab@redhat.com>
Sat, 7 Nov 2009 14:55:07 +0000 (12:55 -0200)
Commit b4028437876866aba4747a655ede00f892089e14 has broken again re-use of
device objects across device_register() / device_unregister() cycles. Fix
soc-camera by nullifying the struct after device_unregister().

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
drivers/media/video/soc_camera.c

index 59aa7a3694c2f2300b9cb4616ec6177f175edb55..36e617bd13c73778d6c945ef78f95491bf305f08 100644 (file)
@@ -1160,13 +1160,15 @@ void soc_camera_host_unregister(struct soc_camera_host *ici)
                if (icd->iface == ici->nr) {
                        /* The bus->remove will be called */
                        device_unregister(&icd->dev);
-                       /* Not before device_unregister(), .remove
-                        * needs parent to call ici->ops->remove() */
-                       icd->dev.parent = NULL;
-
-                       /* If the host module is loaded again, device_register()
-                        * would complain "already initialised" */
-                       memset(&icd->dev.kobj, 0, sizeof(icd->dev.kobj));
+                       /*
+                        * Not before device_unregister(), .remove
+                        * needs parent to call ici->ops->remove().
+                        * If the host module is loaded again, device_register()
+                        * would complain "already initialised," since 2.6.32
+                        * this is also needed to prevent use-after-free of the
+                        * device private data.
+                        */
+                       memset(&icd->dev, 0, sizeof(icd->dev));
                }
        }
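
Review bot: the `memset(&icd->dev, 0, sizeof(icd->dev))` placed directly after `device_unregister(&icd->dev)` assumes the unregister dropped the last reference to the device. If anything else still holds a reference, this zeroes a live kobject and its refcount underneath that holder, trading one use-after-free for another kind of corruption. Nothing in the hunk checks or documents that assumption, so either say in the comment why no other reference can exist at this point, or move the reset to the point where the object is about to be registered again. The merged comment is also harder to follow than the two it replaces: "Not before device_unregister(), .remove needs parent" described the removed `icd->dev.parent = NULL` assignment and now reads as if it were only about ordering the memset, and `"already initialised," since 2.6.32 this is also needed` runs two separate reasons into one sentence. Splitting them and naming which field holds the "device private data" would make the 2.6.32 dependency checkable by the next reader.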