On Wed, Jan 20, 2021 at 4:05 PM Nicolas Saenz Julienne
<nsaenzjulie...@suse.de> wrote:
>
> With today's master, 70c2525c0d3c ('IOMUX: Stop dropped consoles')
> introduces a use after free in usb_kbd_remove():
>
> - usbkbd's stdio device is de-registered with stdio_deregister_dev(),
> the struct stdio_dev is freed.
>
> - iomux_doenv() is called, usbkbd removed from the console list, and
> console_stop() is called on the struct stdio_dev pointer that no
> longer exists.
>
> This series mitigates this by making sure the pointer is really a stdio
> device prior performing the stop operation. It's not ideal, but I
> couldn't figure out a nicer way to fix this.
Thanks for the report and indeed this sounds like a papering over the
real issue somewhere else.
If we have a device in the console_list, IOMUX may access it. So,
whenever we drop device, we must update console_list accordingly.
--
With Best Regards,
Andy Shevchenko
