
Hi Andy, Simon
On Wed, 2021-01-20 at 17:57 +0200, Andy Shevchenko wrote:
On Wed, Jan 20, 2021 at 4:05 PM Nicolas Saenz Julienne nsaenzjulienne@suse.de wrote:
With today's master, 70c2525c0d3c ('IOMUX: Stop dropped consoles') introduces a use after free in usb_kbd_remove():
- usbkbd's stdio device is de-registered with stdio_deregister_dev(),
the struct stdio_dev is freed.
- iomux_doenv() is called, usbkbd removed from the console list, and
console_stop() is called on the struct stdio_dev pointer that no longer exists.
This series mitigates this by making sure the pointer is really a stdio device prior to performing the stop operation. It's not ideal, but I couldn't figure out a nicer way to fix this.
Thanks for the report and indeed this sounds like papering over the real issue somewhere else. If we have a device in the console_list, IOMUX may access it. So, whenever we drop a device, we must update console_list accordingly.
Sorry, but I don't have time to address this ATM. If someone else can it'd be nice.
Regards, Nicolas
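The two positions in the thread, shown side by side as an added example that is not U-Boot code and not from either poster: a toy device registry and console list model the ordering bug (device freed while console_list still points at it), the membership check Nicolas proposed as a mitigation, and the ordering Andy asks for (drop the device from console_list before freeing it). All struct and function names here are stand-ins chosen for the illustration, not U-Boot's real API; the model compares pointer values only and never dereferences a freed entry.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEVS 8

/* Toy model of a console device; not U-Boot's struct stdio_dev. */
struct stdio_dev {
    char name[16];
    int stop_calls;   /* how many times console_stop() ran on this device */
};

/* Live devices (stands in for the stdio device list). */
static struct stdio_dev *registry[MAX_DEVS];
static int registry_count;

/* Devices currently routed to the console (stands in for console_list). */
static struct stdio_dev *console_list[MAX_DEVS];
static int console_count;

static int list_find(struct stdio_dev **list, int count, const struct stdio_dev *dev)
{
    for (int i = 0; i < count; i++)
        if (list[i] == dev)   /* address comparison only, no dereference */
            return i;
    return -1;
}

static void list_remove(struct stdio_dev **list, int *count, const struct stdio_dev *dev)
{
    int idx = list_find(list, *count, dev);
    if (idx < 0)
        return;
    memmove(&list[idx], &list[idx + 1], (size_t)(*count - idx - 1) * sizeof(*list));
    (*count)--;
}

struct stdio_dev *stdio_register_dev(const char *name)
{
    struct stdio_dev *dev = calloc(1, sizeof(*dev));
    if (!dev || registry_count >= MAX_DEVS) {
        free(dev);
        return NULL;
    }
    snprintf(dev->name, sizeof(dev->name), "%s", name);
    registry[registry_count++] = dev;
    return dev;
}

/* Mitigation from the thread: is this pointer still a live stdio device? */
int stdio_is_registered(const struct stdio_dev *dev)
{
    return list_find(registry, registry_count, dev) >= 0;
}

void console_add(struct stdio_dev *dev)
{
    if (console_count < MAX_DEVS)
        console_list[console_count++] = dev;
}

/* Returns 1 if the device was stopped, 0 if the pointer was stale and skipped. */
int console_stop(struct stdio_dev *dev)
{
    if (!stdio_is_registered(dev))
        return 0;   /* dangling entry: refuse to touch freed memory */
    dev->stop_calls++;
    return 1;
}

/* Buggy order: free the device while console_list still points at it. */
void stdio_deregister_dev_unsafe(struct stdio_dev *dev)
{
    list_remove(registry, &registry_count, dev);
    free(dev);      /* console_list[] now holds a dangling pointer */
}

/* Fixed order: update console_list first, then free (Andy's point). */
void stdio_deregister_dev_safe(struct stdio_dev *dev)
{
    list_remove(console_list, &console_count, dev);
    list_remove(registry, &registry_count, dev);
    free(dev);
}

/* Stands in for the "stop dropped consoles" pass in iomux_doenv().
 * Returns the number of stale console_list entries encountered. */
int iomux_stop_all(void)
{
    int stale = 0;
    for (int i = 0; i < console_count; i++)
        if (!console_stop(console_list[i]))
            stale++;
    console_count = 0;
    return stale;
}

static void reset_state(void)
{
    for (int i = 0; i < registry_count; i++)
        free(registry[i]);
    registry_count = console_count = 0;
}

/* Constructed scenario: usbkbd + serial on the console, usbkbd deregistered
 * with the chosen ordering, then the stop pass. Returns the stale count. */
int run_scenario(int use_safe_order)
{
    reset_state();
    struct stdio_dev *kbd = stdio_register_dev("usbkbd");
    struct stdio_dev *ser = stdio_register_dev("serial");
    console_add(kbd);
    console_add(ser);
    if (use_safe_order)
        stdio_deregister_dev_safe(kbd);
    else
        stdio_deregister_dev_unsafe(kbd);
    int stale = iomux_stop_all();
    reset_state();
    return stale;
}

int main(void)
{
    printf("unsafe order: %d stale console entries\n", run_scenario(0));
    printf("safe order:   %d stale console entries\n", run_scenario(1));
    return 0;
}
```

With the buggy ordering the stop pass meets one stale entry, which only the registry check keeps from becoming a dereference of freed memory; with the fixed ordering there is nothing stale to check for, which is why keeping console_list in sync on removal is the real fix and the membership test is only a safety net.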