[PATCH 0/2] Console/stdio use after free

Nicolas Saenz Julienne nsaenzjulienne at suse.de
Mon Jan 25 17:31:25 CET 2021


Hi Andy, Simon

On Wed, 2021-01-20 at 17:57 +0200, Andy Shevchenko wrote:
> On Wed, Jan 20, 2021 at 4:05 PM Nicolas Saenz Julienne
> <nsaenzjulienne at suse.de> wrote:
> > 
> > With today's master, 70c2525c0d3c ('IOMUX: Stop dropped consoles')
> > introduces a use after free in usb_kbd_remove():
> > 
> > - usbkbd's stdio device is de-registered with stdio_deregister_dev(),
> >   the struct stdio_dev is freed.
> > 
> > - iomux_doenv() is called, usbkbd removed from the console list, and
> >   console_stop() is called on the struct stdio_dev pointer that no
> >   longer exists.
> > 
> > This series mitigates this by making sure the pointer is really a stdio
> > device prior to performing the stop operation. It's not ideal, but I
> > couldn't figure out a nicer way to fix this.
> 
> Thanks for the report and indeed this sounds like papering over the
> real issue somewhere else.
> If we have a device in the console_list, IOMUX may access it. So,
> whenever we drop a device, we must update console_list accordingly.

Sorry, but I don't have time to address this ATM. If someone else can it'd be
nice.

Regards,
Nicolas
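
The ordering suggested in the quoted reply (update the console list whenever a device is dropped, before its memory is freed), shown as an added example in a simplified model. It is not U-Boot code and not part of this thread; struct dev, console_add, console_drop and dev_deregister are hypothetical names, and console_list here is a plain array standing in for the real list.

```c
/* Simplified model of the two lists in this thread; hypothetical names, not U-Boot code. */
#include <stdlib.h>

#define MAX_CONSOLES 4
struct dev { int started; };

/* Console list: a second set of pointers to registered devices. */
static struct dev *console_list[MAX_CONSOLES];
static int console_count;

static int console_add(struct dev *d)
{
    if (!d || console_count >= MAX_CONSOLES)
        return -1;
    d->started = 1;
    console_list[console_count++] = d;
    return 0;
}

/* Stop d and remove every console_list entry pointing at it. */
static int console_drop(struct dev *d)
{
    int i, kept = 0, dropped;

    for (i = 0; i < console_count; i++)
        if (console_list[i] != d)
            console_list[kept++] = console_list[i];
    dropped = console_count - kept;
    console_count = kept;
    if (dropped)
        d->started = 0; /* stop while the object is still alive */
    return dropped;
}

/* Deregister: unlink from the console list first, free last. */
static int dev_deregister(struct dev *d)
{
    int dropped = console_drop(d);
    free(d);
    return dropped;
}

int main(void)
{
    struct dev *kbd = calloc(1, sizeof(*kbd));

    console_add(kbd);
    return dev_deregister(kbd) == 1 && console_count == 0 ? 0 : 1;
}
```

With this ordering a later walk over console_list can only reach live objects, so no per-pointer validity check is needed at stop time.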
