From patchwork Mon Dec 12 20:44:11 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Bernhard_Rosenkr=C3=A4nzer?=
 <bero@baylibre.com>
X-Patchwork-Id: 1715148
X-Patchwork-Delegate: trini@ti.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=85.214.62.61; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=baylibre-com.20210112.gappssmtp.com
 header.i=@baylibre-com.20210112.gappssmtp.com header.a=rsa-sha256
 header.s=20210112 header.b=2egdGO/k;
	dkim-atps=neutral
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4NWDq84YK5z23yr
	for <incoming@patchwork.ozlabs.org>; Tue, 13 Dec 2022 08:12:34 +1100 (AEDT)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 803FF851AF;
	Mon, 12 Dec 2022 22:12:26 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=none (p=none dis=none) header.from=baylibre.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key;
 unprotected) header.d=baylibre-com.20210112.gappssmtp.com
 header.i=@baylibre-com.20210112.gappssmtp.com header.b="2egdGO/k";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 22C1E85440; Mon, 12 Dec 2022 21:44:17 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no
 version=3.4.2
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com
 [IPv6:2a00:1450:4864:20::62b])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 96D318497E
 for <u-boot@lists.denx.de>; Mon, 12 Dec 2022 21:44:14 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=none (p=none dis=none) header.from=baylibre.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=bero@baylibre.com
Received: by mail-ej1-x62b.google.com with SMTP id qk9so31385202ejc.3
 for <u-boot@lists.denx.de>; Mon, 12 Dec 2022 12:44:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=baylibre-com.20210112.gappssmtp.com; s=20210112;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:from:to:cc:subject:date:message-id:reply-to;
 bh=wxJA0Y4k4aW9JE4bmnxA2v5/xH1EcjDEzzWkXOKNnhc=;
 b=2egdGO/k5/Jej7lsfWnuNPG7T0DO+xb5yYnGJOODWyF747c58uAvW0uoysGYvUqw1v
 11ww6+OcUeyubgx+9sJHqI/FRMeCvuy5B2tQr6BVjffgU9pa9pTKRxMd7Vd4Z5zaBkMA
 OUXKLWzFakShA2fxlXsXTwd7hWCspY2vnc9qGpnA+dU05ql/6ns9hNNGc1awQ7xlmeIk
 ZvnbwRnVMjEFF4LgqF4qXbhPvTuu+Vqzdksh+MgVy5r284VBkvsm/CEFlwK7/Tk3PsGN
 PjZECHDhO4euaTYTGV23m6v9WpfMQ0p/9eQ3q+2HQhKFWH5QlzSlriQ8MucnV5ysvUgv
 Fdaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=wxJA0Y4k4aW9JE4bmnxA2v5/xH1EcjDEzzWkXOKNnhc=;
 b=IQ7JWd2KTWycD7kETUyxowmSTJq77CZLCK6154vCe3Zg9h0qNDAgaJtpnaaUYs7kTs
 PI9FE4ku08/S7ZoDIcHrkW4lNYleTDfD+jgPSDR0jisIOhKr3pq0Y10+uO4DgBP7N82O
 X7qBQQQs4yOT9btc60TAdAYvkjVmCQipAJqpwlVQFNxyIiglQmvs/YI/dTkwRtwxBCtm
 jaQGrQsv3Ufn2lV3C6zwbzI9dO3Vl6Yn6SkjdMqgTYLaZKNhFMy//JgeCBy3rQBI/Sj5
 GOYGIo+NLsvG4a6d2qZM0QVGQB78JCU0dFicFt3cEl9W1Y5gcWEGjBYodJqxknM+h48F
 MG/g==
X-Gm-Message-State: ANoB5pm5H6u+8uDbj9T+RWWV7S8nmPwDdBiz+Xrs2f2A+mm/XrvKLkaN
 E0P1BWNlQrEZXRVdtZvNa5MCUftto6vlm+8ItXs=
X-Google-Smtp-Source: 
 AA0mqf65j1TMQO0pO+rYfPt6RhXu/YntvPMBubOvFkPR8ttSzBrkkTaeewQ4FqjiBqkOVgiGiYxv0A==
X-Received: by 2002:a17:906:7193:b0:7c1:39e:db7e with SMTP id
 h19-20020a170906719300b007c1039edb7emr19765481ejk.59.1670877853922;
 Mon, 12 Dec 2022 12:44:13 -0800 (PST)
Received: from predatorhelios.fritz.box
 (dynamic-077-181-151-110.77.181.pool.telefonica.de. [77.181.151.110])
 by smtp.gmail.com with ESMTPSA id
 6-20020a170906300600b007c099174a12sm3722472ejz.178.2022.12.12.12.44.13
 for <u-boot@lists.denx.de>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 12 Dec 2022 12:44:13 -0800 (PST)
From: =?utf-8?q?Bernhard_Rosenkr=C3=A4nzer?= <bero@baylibre.com>
To: u-boot@lists.denx.de
Subject: [PATCH] net: Fix memory corruption in eth_halt() if the stop handler
 frees the priv member
Date: Mon, 12 Dec 2022 21:44:11 +0100
Message-Id: <20221212204411.2247170-1-bero@baylibre.com>
X-Mailer: git-send-email 2.38.1
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 12 Dec 2022 22:12:24 +0100
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de
X-Virus-Status: Clean

Calling eth_halt() could result in memory corruption if the stop()
handler frees or modifies the priv member.

A stored value of dev_get_uclass_priv() is assumed to remain valid
after the stop() handler has been called, which is not always the
case (e.g. rndis over usb gadget).

Re-check the priv pointer after calling the stop() handler.

Signed-off-by: Bernhard Rosenkränzer <bero@baylibre.com>
---
 net/eth-uclass.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/eth-uclass.c b/net/eth-uclass.c
index f41da4b37b..410f3310c7 100644
--- a/net/eth-uclass.c
+++ b/net/eth-uclass.c
@@ -343,6 +343,11 @@ void eth_halt(void)
 		return;
 
 	eth_get_ops(current)->stop(current);
+
+	priv = dev_get_uclass_priv(current);
+	if (!priv || !priv->running)
+		return;
+
 	priv->state = ETH_STATE_PASSIVE;
 	priv->running = false;
 }