V4L/DVB (13132): fix use-after-free Oops, resulting from a driver-core API change

Commit b402843787 has broken again re-use of device objects across device_register() / device_unregister() cycles. Fix soc-camera by nullifying the struct after device_unregister(). Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2009-10-05 12:54:54 -03:00 · 2009-10-05 12:54:54 -03:00 · 76823b791d
commit 76823b791d
parent 07bc46e667
1 changed files with 9 additions and 7 deletions
--- a/drivers/media/video/soc_camera.c
+++ b/drivers/media/video/soc_camera.c
@ -1160,13 +1160,15 @@ void soc_camera_host_unregister(struct soc_camera_host *ici)
 		if (icd->iface == ici->nr) {
 			/* The bus->remove will be called */
 			device_unregister(&icd->dev);
-			/* Not before device_unregister(), .remove
-			 * needs parent to call ici->ops->remove() */
-			icd->dev.parent = NULL;
-
-			/* If the host module is loaded again, device_register()
-			 * would complain "already initialised" */
-			memset(&icd->dev.kobj, 0, sizeof(icd->dev.kobj));
+			/*
+			 * Not before device_unregister(), .remove
+			 * needs parent to call ici->ops->remove().
+			 * If the host module is loaded again, device_register()
+			 * would complain "already initialised," since 2.6.32
+			 * this is also needed to prevent use-after-free of the
+			 * device private data.
+			 */
+			memset(&icd->dev, 0, sizeof(icd->dev));
 		}
 	}