V4L/DVB (13132): fix use-after-free Oops, resulting from a driver-core API change
Commit b4028437876866aba4747a655ede00f892089e14 has broken again re-use of
device objects across device_register() / device_unregister() cycles. Fix
soc-camera by nullifying the struct after device_unregister().
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
diff --git a/drivers/media/video/soc_camera.c b/drivers/media/video/soc_camera.c
index 59aa7a3..36e617bd 100644
--- a/drivers/media/video/soc_camera.c
+++ b/drivers/media/video/soc_camera.c
@@ -1160,13 +1160,15 @@
if (icd->iface == ici->nr) {
/* The bus->remove will be called */
device_unregister(&icd->dev);
- /* Not before device_unregister(), .remove
- * needs parent to call ici->ops->remove() */
- icd->dev.parent = NULL;
-
- /* If the host module is loaded again, device_register()
- * would complain "already initialised" */
- memset(&icd->dev.kobj, 0, sizeof(icd->dev.kobj));
+ /*
+ * Not before device_unregister(), .remove
+ * needs parent to call ici->ops->remove().
+ * If the host module is loaded again, device_register()
+ * would complain "already initialised," since 2.6.32
+ * this is also needed to prevent use-after-free of the
+ * device private data.
+ */
+ memset(&icd->dev, 0, sizeof(icd->dev));
}
}