Calling eth_halt() could result in memory corruption if the stop() handler frees or modifies the priv member.
A stored value of dev_get_uclass_priv() is assumed to remain valid after the stop() handler has been called, which is not always the case (e.g. rndis over usb gadget).
Re-check the priv pointer after calling the stop() handler.
Signed-off-by: Bernhard Rosenkränzer bero@baylibre.com --- net/eth-uclass.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/net/eth-uclass.c b/net/eth-uclass.c index f41da4b37b..410f3310c7 100644 --- a/net/eth-uclass.c +++ b/net/eth-uclass.c @@ -343,6 +343,11 @@ void eth_halt(void) return;
eth_get_ops(current)->stop(current); + + priv = dev_get_uclass_priv(current); + if (!priv || !priv->running) + return; + priv->state = ETH_STATE_PASSIVE; priv->running = false; }