[PATCH] net: Fix memory corruption in eth_halt() if the stop handler frees the priv member
Fabio Estevam
festevam at gmail.com
Mon Dec 12 22:19:23 CET 2022
Hi Bernhard,
On Mon, Dec 12, 2022 at 6:12 PM Bernhard Rosenkränzer <bero at baylibre.com> wrote:
>
> Calling eth_halt() could result in memory corruption if the stop()
> handler frees or modifies the priv member.
>
> A stored value of dev_get_uclass_priv() is assumed to remain valid
> after the stop() handler has been called, which is not always the
> case (e.g. rndis over usb gadget).
>
> Re-check the priv pointer after calling the stop() handler.
>
> Signed-off-by: Bernhard Rosenkränzer <bero at baylibre.com>
> ---
> net/eth-uclass.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/eth-uclass.c b/net/eth-uclass.c
> index f41da4b37b..410f3310c7 100644
> --- a/net/eth-uclass.c
> +++ b/net/eth-uclass.c
> @@ -343,6 +343,11 @@ void eth_halt(void)
> return;
>
> eth_get_ops(current)->stop(current);
> +
> + priv = dev_get_uclass_priv(current);
> + if (!priv || !priv->running)
> + return;
> +
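Review bot: The re-read at `priv = dev_get_uclass_priv(current);` only protects against a freed priv if the path that frees it also resets the stored pointer to NULL. If stop() frees the memory but leaves the pointer in place, the `!priv` test passes and `priv->running` on the next line still reads freed memory. It would help to state which guarantee the check relies on, and to add a short comment above the re-read saying that stop() may free or modify the uclass priv (e.g. rndis over usb gadget), since without it the second lookup looks redundant and could be dropped in a later cleanup.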
Niel submitted the same fix:
https://lists.denx.de/pipermail/u-boot/2022-December/502055.html