Hi Andy, Simon

On Wed, 2021-01-20 at 17:57 +0200, Andy Shevchenko wrote:
> On Wed, Jan 20, 2021 at 4:05 PM Nicolas Saenz Julienne
> <nsaenzjulie...@suse.de> wrote:
> > 
> > With today's master, 70c2525c0d3c ('IOMUX: Stop dropped consoles')
> > introduces a use after free in usb_kbd_remove():
> > 
> > - usbkbd's stdio device is de-registered with stdio_deregister_dev(),
> >   the struct stdio_dev is freed.
> > 
> > - iomux_doenv() is called, usbkbd removed from the console list, and
> >   console_stop() is called on the struct stdio_dev pointer that no
> >   longer exists.
> > 
> > This series mitigates this by making sure the pointer is really a stdio
> > device prior to performing the stop operation. It's not ideal, but I
> > couldn't figure out a nicer way to fix this.
> 
> Thanks for the report and indeed this sounds like papering over the
> real issue somewhere else.
> If we have a device in the console_list, IOMUX may access it. So,
> whenever we drop a device, we must update console_list accordingly.

Sorry, but I don't have time to address this ATM. If someone else can it'd be
nice.

Regards,
Nicolas
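
The ordering discussed in the thread above (drop the device from the console list before its structure is freed), as an added toy model in C that is not part of the thread and is not U-Boot code. Every `toy_*` name and the `console_list` array here are hypothetical stand-ins, not the real U-Boot functions or data.

```c
/* Toy model (added example, not U-Boot code); every name here is hypothetical. */
#include <stdlib.h>

#define MAX_CONSOLES 4

struct toy_dev {
    const char *name;
    int (*stop)(struct toy_dev *dev);
};

static struct toy_dev *console_list[MAX_CONSOLES]; /* what the mux layer walks */
static int stop_calls;                             /* how often stop() ran */

static int toy_stop(struct toy_dev *dev) { (void)dev; stop_calls++; return 0; }

struct toy_dev *toy_register(const char *name)
{
    struct toy_dev *dev = calloc(1, sizeof(*dev));
    if (dev) { dev->name = name; dev->stop = toy_stop; }
    return dev;
}

int toy_console_add(struct toy_dev *dev)
{
    for (int i = 0; i < MAX_CONSOLES; i++)
        if (!console_list[i]) { console_list[i] = dev; return 0; }
    return -1; /* list full */
}

int toy_console_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_CONSOLES; i++) n += console_list[i] != NULL;
    return n;
}

/* Stop and unlink while the object is still valid; free only afterwards. */
void toy_deregister(struct toy_dev *dev)
{
    for (int i = 0; i < MAX_CONSOLES; i++)
        if (console_list[i] == dev) { dev->stop(dev); console_list[i] = NULL; }
    free(dev);
}

int main(void)
{
    struct toy_dev *kbd = toy_register("usbkbd");
    if (!kbd || toy_console_add(kbd)) return 1;
    toy_deregister(kbd);
    return toy_console_count(); /* 0: no stale entry remains */
}
```

Because the list entry is cleared inside the deregistration path, a later walk of the list never sees a pointer to freed memory, so no validity check on the pointer is needed at stop time.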
