From patchwork Sat Dec  6 00:25:32 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Benjamin Larsson <benjamin@southpole.se>
X-Patchwork-Id: 27346
Received: from mail.tu-berlin.de ([130.149.7.33])
	by www.linuxtv.org with esmtp (Exim 4.72)
	(envelope-from <linux-media-owner@vger.kernel.org>)
	id 1Xx3C1-0006lK-Ug; Sat, 06 Dec 2014 01:25:49 +0100
X-tubIT-Incoming-IP: 209.132.180.67
Received: from vger.kernel.org ([209.132.180.67])
	by mail.tu-berlin.de (exim-4.72/mailfrontend-5) with esmtp
	id 1Xx3C0-0000dr-6w; Sat, 06 Dec 2014 01:25:49 +0100
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752298AbaLFAZo (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other);
	Fri, 5 Dec 2014 19:25:44 -0500
Received: from smtp.bredband2.com ([83.219.192.166]:38561 "EHLO
	smtp.bredband2.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752227AbaLFAZn (ORCPT
	<rfc822; linux-media@vger.kernel.org>); Fri, 5 Dec 2014 19:25:43 -0500
Received: from localhost.localdomain (92-244-23-216.customers.ownit.se
	[92.244.23.216]) (Authenticated sender: ed8153)
	by smtp.bredband2.com (Postfix) with ESMTPA id 0B16C61BB1
	for <linux-media@vger.kernel.org>;
	Sat,  6 Dec 2014 01:25:33 +0100 (CET)
From: Benjamin Larsson <benjamin@southpole.se>
Cc: Linux Media Mailing List <linux-media@vger.kernel.org>
Subject: [PATCH 2/3] mn88472: make sure the private data struct is nulled
	after free
Date: Sat,  6 Dec 2014 01:25:32 +0100
Message-Id: <1417825533-13081-2-git-send-email-benjamin@southpole.se>
X-Mailer: git-send-email 2.1.0
In-Reply-To: <1417825533-13081-1-git-send-email-benjamin@southpole.se>
References: <1417825533-13081-1-git-send-email-benjamin@southpole.se>
To: unlisted-recipients:; (no To-header on input)
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409,
	Antispam-Data: 2014.12.6.1519
X-PMX-Spam: Gauge=IIIIIIII, Probability=8%, Report='
	MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05,
	BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1000_LESS 0,
	BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0,
	BODY_SIZE_7000_LESS 0, BODY_SIZE_900_999 0, REFERENCES 0,
	TO_UNDISCLOSED_RECIPIENTS 0, URI_ENDS_IN_HTML 0, __ANY_URI 0,
	__CP_URI_IN_BODY 0, __HAS_FROM 0, __HAS_MSGID 0,
	__HAS_X_MAILER 0, __HAS_X_MAILING_LIST 0, __IN_REP_TO 0,
	__MIME_TEXT_ONLY 0, __PHISH_SPEAR_STRUCTURE_1 0,
	__PHISH_SPEAR_STRUCTURE_2 0, __REFERENCES 0, __SANE_MSGID 0,
	__SUBJ_ALPHA_END 0, __TO_MALFORMED_3 0, __URI_NO_WWW 0,
	__URI_NS '

Using this driver with the attach dvb model might trigger a use
after free when unloading the driver. With this change the driver
will always fail on unload instead of randomly crash depending
on if the memory has been reused or not.

Signed-off-by: Benjamin Larsson <benjamin@southpole.se>
Nacked-by: Hans Verkuil <hans.verkuil@cisco.com>
---
 drivers/staging/media/mn88472/mn88472.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/media/mn88472/mn88472.c b/drivers/staging/media/mn88472/mn88472.c
index 36ef39b..a9d5f0a 100644
--- a/drivers/staging/media/mn88472/mn88472.c
+++ b/drivers/staging/media/mn88472/mn88472.c
@@ -489,6 +489,7 @@ static int mn88472_remove(struct i2c_client *client)
 
 	regmap_exit(dev->regmap[0]);
 
+	memset(dev, 0, sizeof(*dev));
 	kfree(dev);
 
 	return 0;