aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorHans Verkuil <hverkuil@xs4all.nl>2011-01-11 15:48:21 -0500
committerMauro Carvalho Chehab <mchehab@redhat.com>2011-01-19 08:52:14 -0500
commit672dcd54774ea1b03da8f2baa1cdbf827927fc85 (patch)
tree051843ebf49c9437e740b7f271554ffdebf8e52f /drivers
parent46b633779b299c7fb3d78f153a5034055f99cd45 (diff)
[media] v4l2-device: fix 'use-after-freed' oops
Fix a bug in v4l2_device_unregister where the sd pointer can be dereferenced after it was freed. Normally the i2c adapter is removed before this function is called. Removing the adapter will also unregister all subdevs on that adapter, so generally v4l2_device_unregister has nothing to do. However, in the case of a platform i2c bus that bus is generally not freed. In that case, after freeing the i2c subdevice the code will fall into the second block when it tests if the subdev is a SPI device. But by that time the subdev is already freed and the kernel oopses. The fix is trivial: continue with the loop after freeing the i2c or spi subdevice. Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Reported-by: Daniel Drake <dsd@laptop.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/media/video/v4l2-device.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/media/video/v4l2-device.c b/drivers/media/video/v4l2-device.c
index b24f002ffa67..ce64fe16bc60 100644
--- a/drivers/media/video/v4l2-device.c
+++ b/drivers/media/video/v4l2-device.c
@@ -100,6 +100,7 @@ void v4l2_device_unregister(struct v4l2_device *v4l2_dev)
100 is a platform bus, then it is never deleted. */ 100 is a platform bus, then it is never deleted. */
101 if (client) 101 if (client)
102 i2c_unregister_device(client); 102 i2c_unregister_device(client);
103 continue;
103 } 104 }
104#endif 105#endif
105#if defined(CONFIG_SPI) 106#if defined(CONFIG_SPI)
@@ -108,6 +109,7 @@ void v4l2_device_unregister(struct v4l2_device *v4l2_dev)
108 109
109 if (spi) 110 if (spi)
110 spi_unregister_device(spi); 111 spi_unregister_device(spi);
112 continue;
111 } 113 }
112#endif 114#endif
113 } 115 }