From patchwork Mon Oct  5 08:11:15 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
X-Patchwork-Id: 51701
X-Patchwork-Delegate: dougsland@redhat.com
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n958HAe7028878
	for <patchwork-media@patchwork.kernel.org>;
	Mon, 5 Oct 2009 08:17:11 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1758593AbZJEIL5 (ORCPT
	<rfc822;patchwork-media@patchwork.kernel.org>);
	Mon, 5 Oct 2009 04:11:57 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1758550AbZJEIL5
	(ORCPT <rfc822;linux-media-outgoing>);
	Mon, 5 Oct 2009 04:11:57 -0400
Received: from mail.gmx.net ([213.165.64.20]:34686 "HELO mail.gmx.net"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP
	id S1758524AbZJEIL4 (ORCPT <rfc822;linux-media@vger.kernel.org>);
	Mon, 5 Oct 2009 04:11:56 -0400
Received: (qmail invoked by alias); 05 Oct 2009 08:11:08 -0000
Received: from p57BD1E2C.dip0.t-ipconnect.de (EHLO axis700.grange)
	[87.189.30.44]
	by mail.gmx.net (mp064) with SMTP; 05 Oct 2009 10:11:08 +0200
X-Authenticated: #20450766
X-Provags-ID: V01U2FsdGVkX18xfKp1q/0xsHkVuPoGpkRTvmVDpvUGH/2efdGtOH
	Kvc5RPThdxBHa9
Received: from lyakh (helo=localhost)
	by axis700.grange with local-esmtp (Exim 4.63)
	(envelope-from <g.liakhovetski@gmx.de>) id 1Muif5-0001ME-2S
	for linux-media@vger.kernel.org; Mon, 05 Oct 2009 10:11:15 +0200
Date: Mon, 5 Oct 2009 10:11:15 +0200 (CEST)
From: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
To: Linux Media Mailing List <linux-media@vger.kernel.org>
Subject: [PATCH] fix use-after-free Oops, resulting from a driver-core API
	change
Message-ID: <Pine.LNX.4.64.0910051005490.4337@axis700.grange>
MIME-Version: 1.0
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.55
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org


diff --git a/drivers/media/video/soc_camera.c b/drivers/media/video/soc_camera.c
index 59aa7a3..36e617b 100644
--- a/drivers/media/video/soc_camera.c
+++ b/drivers/media/video/soc_camera.c
@@ -1160,13 +1160,15 @@ void soc_camera_host_unregister(struct soc_camera_host *ici)
 		if (icd->iface == ici->nr) {
 			/* The bus->remove will be called */
 			device_unregister(&icd->dev);
-			/* Not before device_unregister(), .remove
-			 * needs parent to call ici->ops->remove() */
-			icd->dev.parent = NULL;
-
-			/* If the host module is loaded again, device_register()
-			 * would complain "already initialised" */
-			memset(&icd->dev.kobj, 0, sizeof(icd->dev.kobj));
+			/*
+			 * Not before device_unregister(), .remove
+			 * needs parent to call ici->ops->remove().
+			 * If the host module is loaded again, device_register()
+			 * would complain "already initialised," since 2.6.32
+			 * this is also needed to prevent use-after-free of the
+			 * device private data.
+			 */
+			memset(&icd->dev, 0, sizeof(icd->dev));
 		}
 	}