From mboxrd@z Thu Jan 1 00:00:00 1970
From: Simon Glass
Date: Wed, 20 Jan 2021 07:59:34 -0700
Subject: [PATCH 0/2] Console/stdio use after free
In-Reply-To: <1786658a26ac0ad9a716840084e98b30015385ec.camel@suse.de>
References: <20210120140454.4286-1-nsaenzjulienne@suse.de> <1786658a26ac0ad9a716840084e98b30015385ec.camel@suse.de>
Message-ID:
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi Nicolas,

On Wed, 20 Jan 2021 at 07:44, Nicolas Saenz Julienne wrote:
>
> On Wed, 2021-01-20 at 07:18 -0700, Simon Glass wrote:
> > Hi Nicolas,
> >
> > On Wed, 20 Jan 2021 at 07:04, Nicolas Saenz Julienne
> > wrote:
> > >
> > > With today's master, 70c2525c0d3c ('IOMUX: Stop dropped consoles')
> > > introduces a use after free in usb_kbd_remove():
> > >
> > > - usbkbd's stdio device is de-registered with stdio_deregister_dev(),
> > >   the struct stdio_dev is freed.
> > >
> > > - iomux_doenv() is called, usbkbd removed from the console list, and
> > >   console_stop() is called on the struct stdio_dev pointer that no
> > >   longer exists.
> > >
> > > This series mitigates this by making sure the pointer is really a stdio
> > > device prior to performing the stop operation. It's not ideal, but I
> > > couldn't figure out a nicer way to fix this.
> >
> > Your 'from' address is coming through as just your email. Could you
> > please update it to include your name as well?
>
> OK, do you want me to re-send the series?

Not just for that, no.

Regards,
Simon
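
An added illustration, not U-Boot code and not part of this thread: a minimal C model of the mitigation the quoted cover letter describes, where a pointer is checked against the list of registered devices before the stop operation touches it. All names here (struct dev, dev_register, dev_deregister, dev_is_registered, console_stop_checked) are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for a stdio device; not U-Boot's struct stdio_dev. */
struct dev {
    struct dev *next;
    int stopped;                 /* counts stop operations, for the demo */
};

static struct dev *registry;     /* list of currently registered devices */

static struct dev *dev_register(void)
{
    struct dev *d = calloc(1, sizeof(*d));
    if (!d)
        return NULL;
    d->next = registry;
    registry = d;
    return d;
}

/* Unlink and free; copies of the pointer held elsewhere now dangle. */
static void dev_deregister(struct dev *d)
{
    struct dev **pp = &registry;
    while (*pp && *pp != d)
        pp = &(*pp)->next;
    if (*pp) {
        *pp = d->next;
        free(d);
    }
}

/* Walks only live list nodes and compares addresses; never dereferences d. */
static bool dev_is_registered(const struct dev *d)
{
    for (const struct dev *it = registry; it; it = it->next)
        if (it == d)
            return true;
    return false;
}

/* Mitigated stop: touch the device only if it is still in the registry. */
static bool console_stop_checked(struct dev *d)
{
    if (!dev_is_registered(d))
        return false;            /* freed or never registered: skip */
    d->stopped++;                /* stands in for the device's stop hook */
    return true;
}
```

An address comparison cannot tell a stale pointer from a new device that happens to reuse the same allocation, which is one reason a check like this is a mitigation rather than a full fix.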