From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andy Shevchenko
Date: Thu, 28 Jan 2021 18:55:51 +0200
Subject: [PATCH v2 0/2] Console/stdio use after free
In-Reply-To: <20210128131240.13190-1-nsaenzjulienne@suse.de>
References: <20210128131240.13190-1-nsaenzjulienne@suse.de>
Message-ID:
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On Thu, Jan 28, 2021 at 02:12:38PM +0100, Nicolas Saenz Julienne wrote:
> With today's master, 70c2525c0d3c ('IOMUX: Stop dropped consoles')
> introduces a use after free in usb_kbd_remove():
>
> - usbkbd's stdio device is de-registered with stdio_deregister_dev(),
>   the struct stdio_dev is freed.
>
> - iomux_doenv() is called, usbkbd removed from the console list, and
>   console_stop() is called on the struct stdio_dev pointer that no
>   longer exists.
>
> This series mitigates this by making sure the pointer is really a stdio
> device prior to performing the stop operation. It's not ideal, but I
> couldn't figure out a nicer way to fix this.

I have just sent another approach, can you test it instead, please?

--
With Best Regards,
Andy Shevchenko
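
The ordering problem and the membership-check mitigation described in the quoted cover letter, as an added toy model in C. It is not code from this thread or from U-Boot; every name in it (toy_dev, toy_register, toy_deregister, toy_console_stop) is hypothetical, and a cleared pool slot stands in for freed memory.

```c
/* Added illustration: a toy model, not U-Boot code. All names are hypothetical. */
#include <stddef.h>
#include <string.h>

#define MAX_DEVS 4

struct toy_dev {
    const char *name;
    int (*stop)(struct toy_dev *dev);
};

static struct toy_dev pool[MAX_DEVS];      /* backing storage; a cleared slot models freed memory */
static struct toy_dev *registry[MAX_DEVS]; /* devices that are currently registered */
static int stops_done;                     /* how many times a stop handler really ran */

static int toy_stop(struct toy_dev *dev) { (void)dev; return ++stops_done; }

/* Register a device in the first empty registry slot. */
struct toy_dev *toy_register(const char *name)
{
    for (int i = 0; i < MAX_DEVS; i++) {
        if (!registry[i]) {
            pool[i].name = name;
            pool[i].stop = toy_stop;
            registry[i] = &pool[i];
            return registry[i];
        }
    }
    return NULL;
}

/* Drop the device from the registry and wipe it, as a free() would invalidate it. */
void toy_deregister(struct toy_dev *dev)
{
    for (int i = 0; i < MAX_DEVS; i++) {
        if (dev && registry[i] == dev) {
            registry[i] = NULL;
            memset(dev, 0, sizeof(*dev));
        }
    }
}

/* Mitigation: dereference the pointer only if the registry still lists it. */
int toy_console_stop(struct toy_dev *dev)
{
    for (int i = 0; i < MAX_DEVS; i++) {
        if (dev && registry[i] == dev) {
            dev->stop(dev);
            return 0;
        }
    }
    return -1; /* stale pointer: skip instead of touching released memory */
}
```

A membership check like this cannot tell a stale pointer from a newly registered device that happens to reuse the same address.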