diff options
author | Guennadi Liakhovetski <g.liakhovetski@gmx.de> | 2009-10-05 11:54:54 -0400 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2009-11-07 09:55:07 -0500 |
commit | 76823b791d867c2ab563c237f188d0cbb4ced6e1 (patch) | |
tree | 8dd614f79437063fda0f4860caf61255506f880a | |
parent | 07bc46e6671b4533a5e56607ddec9de9079c1844 (diff) |
V4L/DVB (13132): fix use-after-free Oops, resulting from a driver-core API change
Commit b4028437876866aba4747a655ede00f892089e14 has broken again re-use of
device objects across device_register() / device_unregister() cycles. Fix
soc-camera by nullifying the struct after device_unregister().
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
-rw-r--r-- | drivers/media/video/soc_camera.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/drivers/media/video/soc_camera.c b/drivers/media/video/soc_camera.c index 59aa7a3694c2..36e617bd13c7 100644 --- a/drivers/media/video/soc_camera.c +++ b/drivers/media/video/soc_camera.c | |||
@@ -1160,13 +1160,15 @@ void soc_camera_host_unregister(struct soc_camera_host *ici) | |||
1160 | if (icd->iface == ici->nr) { | 1160 | if (icd->iface == ici->nr) { |
1161 | /* The bus->remove will be called */ | 1161 | /* The bus->remove will be called */ |
1162 | device_unregister(&icd->dev); | 1162 | device_unregister(&icd->dev); |
1163 | /* Not before device_unregister(), .remove | 1163 | /* |
1164 | * needs parent to call ici->ops->remove() */ | 1164 | * Not before device_unregister(), .remove |
1165 | icd->dev.parent = NULL; | 1165 | * needs parent to call ici->ops->remove(). |
1166 | 1166 | * If the host module is loaded again, device_register() | |
1167 | /* If the host module is loaded again, device_register() | 1167 | * would complain "already initialised," since 2.6.32 |
1168 | * would complain "already initialised" */ | 1168 | * this is also needed to prevent use-after-free of the |
1169 | memset(&icd->dev.kobj, 0, sizeof(icd->dev.kobj)); | 1169 | * device private data. |
1170 | */ | ||
1171 | memset(&icd->dev, 0, sizeof(icd->dev)); | ||
1170 | } | 1172 | } |
1171 | } | 1173 | } |
1172 | 1174 | ||