Commit b4028437876866aba4747a655ede00f892089e14 has broken again re-use of 
device objects across device_register() / device_unregister() cycles. Fix 
soc-camera by nullifying the struct after device_unregister().

Signed-off-by: Guennadi Liakhovetski <g.liakhovet...@gmx.de>
---
diff --git a/drivers/media/video/soc_camera.c b/drivers/media/video/soc_camera.c
index 59aa7a3..36e617b 100644
--- a/drivers/media/video/soc_camera.c
+++ b/drivers/media/video/soc_camera.c
@@ -1160,13 +1160,15 @@ void soc_camera_host_unregister(struct soc_camera_host 
*ici)
                if (icd->iface == ici->nr) {
                        /* The bus->remove will be called */
                        device_unregister(&icd->dev);
-                       /* Not before device_unregister(), .remove
-                        * needs parent to call ici->ops->remove() */
-                       icd->dev.parent = NULL;
-
-                       /* If the host module is loaded again, device_register()
-                        * would complain "already initialised" */
-                       memset(&icd->dev.kobj, 0, sizeof(icd->dev.kobj));
+                       /*
+                        * Not before device_unregister(), .remove
+                        * needs parent to call ici->ops->remove().
+                        * If the host module is loaded again, device_register()
+                        * would complain "already initialised," since 2.6.32
+                        * this is also needed to prevent use-after-free of the
+                        * device private data.
+                        */
+                       memset(&icd->dev, 0, sizeof(icd->dev));
                }
        }
 
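Review bot: the memset(&icd->dev, 0, sizeof(icd->dev)) directly after device_unregister(&icd->dev) is only safe if that call dropped the last reference to the device. device_unregister() removes the device and puts one reference. If anything else still holds one, the embedded kobject and its refcount are zeroed while in use, and the later release then runs on a cleared structure. Please state in the comment why no other reference can exist at this point, or move the re-initialisation to the path that runs before the next device_register(). Clearing the whole struct also wipes every field that was set up before the first registration, not just kobj and parent as the old code did, so it is worth confirming that the re-registration path sets all of them again. A smaller point on the new comment: the comma after "already initialised" joins two separate statements. End the sentence there and start a new one with "Since 2.6.32 this is also needed ...".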