From: Guennadi Liakhovetski Date: Mon, 5 Oct 2009 15:54:54 +0000 (-0300) Subject: V4L/DVB (13132): fix use-after-free Oops, resulting from a driver-core API change X-Git-Tag: MMI-PSA29.97-13-9~25942^2~18 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=76823b791d867c2ab563c237f188d0cbb4ced6e1;p=GitHub%2FMotorolaMobilityLLC%2Fkernel-slsi.git V4L/DVB (13132): fix use-after-free Oops, resulting from a driver-core API change Commit b4028437876866aba4747a655ede00f892089e14 has broken again re-use of device objects across device_register() / device_unregister() cycles. Fix soc-camera by nullifying the struct after device_unregister(). Signed-off-by: Guennadi Liakhovetski Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/video/soc_camera.c b/drivers/media/video/soc_camera.c index 59aa7a3694c2..36e617bd13c7 100644 --- a/drivers/media/video/soc_camera.c +++ b/drivers/media/video/soc_camera.c @@ -1160,13 +1160,15 @@ void soc_camera_host_unregister(struct soc_camera_host *ici) if (icd->iface == ici->nr) { /* The bus->remove will be called */ device_unregister(&icd->dev); - /* Not before device_unregister(), .remove - * needs parent to call ici->ops->remove() */ - icd->dev.parent = NULL; - - /* If the host module is loaded again, device_register() - * would complain "already initialised" */ - memset(&icd->dev.kobj, 0, sizeof(icd->dev.kobj)); + /* + * Not before device_unregister(), .remove + * needs parent to call ici->ops->remove(). + * If the host module is loaded again, device_register() + * would complain "already initialised," since 2.6.32 + * this is also needed to prevent use-after-free of the + * device private data. + */ + memset(&icd->dev, 0, sizeof(icd->dev)); } }