V4L/DVB (13132): fix use-after-free Oops, resulting from a driver-core API change

Commit b4028437876866aba4747a655ede00f892089e14 has broken again re-use of device objects across device_register() / device_unregister() cycles. Fix soc-camera by nullifying the struct after device_unregister(). Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
author: Guennadi Liakhovetski <g.liakhovetski@gmx.de> 2009-10-05 11:54:54 -0400
committer: Mauro Carvalho Chehab <mchehab@redhat.com> 2009-11-07 09:55:07 -0500
commit: 76823b791d867c2ab563c237f188d0cbb4ced6e1 (patch)
tree: 8dd614f79437063fda0f4860caf61255506f880a /drivers/media
parent: 07bc46e6671b4533a5e56607ddec9de9079c1844 (diff)
1 files changed, 9 insertions, 7 deletions
diff --git a/drivers/media/video/soc_camera.c b/drivers/media/video/soc_camera.c
index 59aa7a3694c..36e617bd13c 100644
--- a/drivers/media/video/soc_camera.c
+++ b/drivers/media/video/soc_camera.c
@@ -1160,13 +1160,15 @@ void soc_camera_host_unregister(struct soc_camera_host *ici)
                if (icd->iface == ici->nr) {
                        /* The bus->remove will be called */
                        device_unregister(&icd->dev);
-                        /* Not before device_unregister(), .remove
+                        /*
-                         * needs parent to call ici->ops->remove() */
+                         * Not before device_unregister(), .remove
-                        icd->dev.parent = NULL;
+                         * needs parent to call ici->ops->remove().
+                         * If the host module is loaded again, device_register()
-                        /* If the host module is loaded again, device_register()
+                         * would complain "already initialised," since 2.6.32
-                         * would complain "already initialised" */
+                         * this is also needed to prevent use-after-free of the
-                        memset(&icd->dev.kobj, 0, sizeof(icd->dev.kobj));
+                         * device private data.
+                         */
+                        memset(&icd->dev, 0, sizeof(icd->dev));
                }
        }
author	Guennadi Liakhovetski <g.liakhovetski@gmx.de>	2009-10-05 11:54:54 -0400
committer	Mauro Carvalho Chehab <mchehab@redhat.com>	2009-11-07 09:55:07 -0500
commit	76823b791d867c2ab563c237f188d0cbb4ced6e1 (patch)
tree	8dd614f79437063fda0f4860caf61255506f880a /drivers/media
parent	07bc46e6671b4533a5e56607ddec9de9079c1844 (diff)

diff --git a/drivers/media/video/soc_camera.c b/drivers/media/video/soc_camera.c index 59aa7a3694c..36e617bd13c 100644 --- a/drivers/media/video/soc_camera.c +++ b/drivers/media/video/soc_camera.c
@@ -1160,13 +1160,15 @@ void soc_camera_host_unregister(struct soc_camera_host *ici)
1160	if (icd->iface == ici->nr) {	1160	if (icd->iface == ici->nr) {
1161	/* The bus->remove will be called */	1161	/* The bus->remove will be called */
1162	device_unregister(&icd->dev);	1162	device_unregister(&icd->dev);
1163	/* Not before device_unregister(), .remove	1163	/*
1164	* needs parent to call ici->ops->remove() */	1164	* Not before device_unregister(), .remove
1165	icd->dev.parent = NULL;	1165	* needs parent to call ici->ops->remove().
1166		1166	* If the host module is loaded again, device_register()
1167	/* If the host module is loaded again, device_register()	1167	* would complain "already initialised," since 2.6.32
1168	* would complain "already initialised" */	1168	* this is also needed to prevent use-after-free of the
1169	memset(&icd->dev.kobj, 0, sizeof(icd->dev.kobj));	1169	* device private data.
		1170	*/
		1171	memset(&icd->dev, 0, sizeof(icd->dev));
1170	}	1172	}
1171	}	1173	}
1172		1174