Commit 76823b79 authored by Guennadi Liakhovetski's avatar Guennadi Liakhovetski Committed by Mauro Carvalho Chehab
Browse files

V4L/DVB (13132): fix use-after-free Oops, resulting from a driver-core API change 



Commit b4028437 has broken again re-use of
device objects across device_register() / device_unregister() cycles. Fix
soc-camera by nullifying the struct after device_unregister().

Signed-off-by: default avatarGuennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
parent 07bc46e6

drivers/media/video/soc_camera.c

+9 −7
Original line number Diff line number Diff line
@@ -1160,13 +1160,15 @@ void soc_camera_host_unregister(struct soc_camera_host *ici) 
		if (icd->iface == ici->nr) {

			/* The bus->remove will be called */

			device_unregister(&icd->dev);

			/* Not before device_unregister(), .remove

			 * needs parent to call ici->ops->remove() */

			icd->dev.parent = NULL;



			/* If the host module is loaded again, device_register()

			 * would complain "already initialised" */

			memset(&icd->dev.kobj, 0, sizeof(icd->dev.kobj));

			/*

			 * Not before device_unregister(), .remove

			 * needs parent to call ici->ops->remove().

			 * If the host module is loaded again, device_register()

			 * would complain "already initialised," since 2.6.32

			 * this is also needed to prevent use-after-free of the

			 * device private data.

			 */

			memset(&icd->dev, 0, sizeof(icd->dev));

		}

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE