[PATCH v2] net: enetc: Fix use after free issue in fsl_enetc.c

[Siarhei Yasinski]

Hello.

In device_probe function in drivers/core/device.c we see a call of probe function:

        if (drv->probe) {
                ret = drv->probe(dev);
                if (ret)
                        goto fail;
        }

If it returns an error, then the execution path goes to fail label and called device_free function:

fail:
        dev_bic_flags(dev, DM_FLAG_ACTIVATED);

        device_free(dev);

        return ret;

But the freed memory remains in use by mdio, because in enetc_probe function, enetc_start_pcs function is called, which registers mdio:

        struct enetc_priv *priv = dev_get_priv(dev);

                if (!miiphy_get_dev_by_name(priv->imdio.name))
                        mdio_register(&priv->imdio);


From: Ramon Fried <rfried.dev at gmail.com>
Sent: 03 September 2022 00:38
To: Siarhei Yasinski <siarhei.yasinski at sintecs.eu>
Cc: U-Boot Mailing List <u-boot at lists.denx.de>
Subject: Re: [PATCH v2] net: enetc: Fix use after free issue in fsl_enetc.c 
 
[EXTERNAL EMAIL] DO NOT CLICK links or attachments unless you recognise the sender and know the content is safe

On Fri, Sep 2, 2022 at 9:35 AM Siarhei Yasinski
<siarhei.yasinski at sintecs.eu> wrote:
>
> If ethernet connected to SFP, like this:
>
> &enetc_port0 {
>         phy-connection-type = "sgmii";
>         sfp = <&sfp0>;
>         managed = "in-band-status";
>         status = "okay";
> };
>
> Then enetc_config_phy returns -ENODEV and memory containing mdio interface is freeing.
What do you mean freeing, can you describe the flow ?