[PATCH v2] net: enetc: Fix use after free issue in fsl_enetc.c

If ethernet connected to SFP, like this:
&enetc_port0 {
	phy-connection-type = "sgmii";
	sfp = <&sfp0>;
	managed = "in-band-status";
	status = "okay";
};
Then enetc_config_phy returns -ENODEV and memory containing mdio interface is freeing. It's better to unregister and free mdio resources.
Signed-off-by: Siarhei Yasinski siarhei.yasinski@sintecs.eu --- drivers/net/fsl_enetc.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/fsl_enetc.c b/drivers/net/fsl_enetc.c index cd4c2c29a6..d3326054a2 100644 --- a/drivers/net/fsl_enetc.c +++ b/drivers/net/fsl_enetc.c @@ -22,6 +22,8 @@
#define ENETC_DRIVER_NAME "enetc_eth"
+static int enetc_remove(struct udevice *dev); + /* * sets the MAC address in IERB registers, this setting is persistent and * carried over to Linux. @@ -319,6 +321,7 @@ static int enetc_config_phy(struct udevice *dev) static int enetc_probe(struct udevice *dev) { struct enetc_priv *priv = dev_get_priv(dev); + int ret;
if (ofnode_valid(dev_ofnode(dev)) && !ofnode_is_available(dev_ofnode(dev))) { enetc_dbg(dev, "interface disabled\n"); @@ -350,7 +353,10 @@ static int enetc_probe(struct udevice *dev)
enetc_start_pcs(dev);
- return enetc_config_phy(dev); + ret = enetc_config_phy(dev); + if(ret) + enetc_remove(dev); + return ret; }
/*
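Review bot: In the last hunk, the new error path in enetc_probe discards the int returned by enetc_remove(dev) and writes "if(ret)" without the space after "if" that the coding style requires. enetc_remove is now reached from a probe that did not complete, and the visible lines do not show what it undoes, so the commit message should state which resources it releases and confirm it is safe to call at this point. Suggested form: "if (ret)" followed by "enetc_remove(dev);", with a short comment that the original error from enetc_config_phy is the one returned.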
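Review bot: The forward declaration "static int enetc_remove(struct udevice *dev);" added in the first hunk could be avoided by moving the enetc_remove definition above enetc_probe. If the declaration stays, a one-line comment saying it exists for the enetc_probe error path would explain why it is there.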

On Fri, Sep 2, 2022 at 9:35 AM Siarhei Yasinski siarhei.yasinski@sintecs.eu wrote:
> If ethernet connected to SFP, like this:
> &enetc_port0 {
> 	phy-connection-type = "sgmii";
> 	sfp = <&sfp0>;
> 	managed = "in-band-status";
> 	status = "okay";
> };
> Then enetc_config_phy returns -ENODEV and memory containing mdio interface is freeing.

What do you mean freeing, can you describe the flow?

Hello.
In the device_probe function in drivers/core/device.c we see a call to the probe function:

	if (drv->probe) {
		ret = drv->probe(dev);
		if (ret)
			goto fail;
	}

If it returns an error, the execution path goes to the fail label and the device_free function is called:

fail:
	dev_bic_flags(dev, DM_FLAG_ACTIVATED);
	device_free(dev);
	return ret;

But the freed memory remains in use by mdio, because in the enetc_probe function the enetc_start_pcs function is called, which registers mdio:

	struct enetc_priv *priv = dev_get_priv(dev);
	if (!miiphy_get_dev_by_name(priv->imdio.name))
		mdio_register(&priv->imdio);

From: Ramon Fried rfried.dev@gmail.com
Sent: 03 September 2022 00:38
To: Siarhei Yasinski siarhei.yasinski@sintecs.eu
Cc: U-Boot Mailing List u-boot@lists.denx.de
Subject: Re: [PATCH v2] net: enetc: Fix use after free issue in fsl_enetc.c

On Fri, Sep 2, 2022 at 9:35 AM Siarhei Yasinski siarhei.yasinski@sintecs.eu wrote:
> If ethernet connected to SFP, like this:
> &enetc_port0 {
> 	phy-connection-type = "sgmii";
> 	sfp = <&sfp0>;
> 	managed = "in-band-status";
> 	status = "okay";
> };
> Then enetc_config_phy returns -ENODEV and memory containing mdio interface is freeing.

What do you mean freeing, can you describe the flow?
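Added example (not part of the thread and not U-Boot code): a small C model of the flow described in the reply above, where a bus object embedded in the device's private data is put on a global list during probe and the private data is then freed because probe failed. All names (bus_register, bus_unregister, model_probe, stale_after_failed_probe) are hypothetical stand-ins; the model counts list entries that would dangle, without ever dereferencing freed memory.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not U-Boot code. All names here are hypothetical. */
#define SLOTS 4
struct bus { const char *name; };
struct priv { struct bus imdio; };        /* bus object lives inside priv */
static struct bus *registry[SLOTS];       /* stands in for the global MDIO list */

static void bus_register(struct bus *b)
{
	for (int i = 0; i < SLOTS; i++)
		if (!registry[i]) { registry[i] = b; return; }
}

static void bus_unregister(struct bus *b)
{
	for (int i = 0; i < SLOTS; i++)
		if (registry[i] == b) registry[i] = NULL;
}

/* Probe that registers the bus and then fails, like the SFP case in the thread. */
static int model_probe(struct priv *p, int cleanup_on_error)
{
	int ret = -ENODEV;                    /* the enetc_config_phy result */
	bus_register(&p->imdio);              /* the enetc_start_pcs step */
	if (cleanup_on_error)
		bus_unregister(&p->imdio);        /* undo before the core frees priv */
	return ret;
}

/* Returns how many list entries point into priv at the moment it is freed. */
static int stale_after_failed_probe(int cleanup_on_error)
{
	struct priv *p = calloc(1, sizeof(*p));
	int stale = 0;
	if (!p) return -1;
	for (int i = 0; i < SLOTS; i++)
		registry[i] = NULL;               /* start from an empty list */
	if (model_probe(p, cleanup_on_error))
		for (int i = 0; i < SLOTS; i++)
			stale += registry[i] != NULL; /* checked before free, not dereferenced */
	free(p);                              /* device_free() on the fail path */
	return stale;
}

int main(void)
{
	printf("unpatched: %d stale\n", stale_after_failed_probe(0));
	printf("patched:   %d stale\n", stale_after_failed_probe(1));
}
```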