Hello.
In device_probe function in drivers/core/device.c we see a call of probe
function:
if (drv->probe) {
ret = drv->probe(dev);
if (ret)
goto fail;
}
If it returns an error, then the execution path goes to fail label and called
device_free function:
fail:
dev_bic_flags(dev, DM_FLAG_ACTIVATED);
device_free(dev);
return ret;
But the freed memory remains in use by mdio, because in enetc_probe function,
enetc_start_pcs function is called, which registers mdio:
struct enetc_priv *priv = dev_get_priv(dev);
if (!miiphy_get_dev_by_name(priv->imdio.name))
mdio_register(&priv->imdio);
From: Ramon Fried <rfried....@gmail.com>
Sent: 03 September 2022 00:38
To: Siarhei Yasinski <siarhei.yasin...@sintecs.eu>
Cc: U-Boot Mailing List <u-boot@lists.denx.de>
Subject: Re: [PATCH v2] net: enetc: Fix use after free issue in fsl_enetc.c
[EXTERNAL EMAIL] DO NOT CLICK links or attachments unless you recognise the
sender and know the content is safe
On Fri, Sep 2, 2022 at 9:35 AM Siarhei Yasinski
<siarhei.yasin...@sintecs.eu> wrote:
>
> If ethernet connected to SFP, like this:
>
> &enetc_port0 {
> phy-connection-type = "sgmii";
> sfp = <&sfp0>;
> managed = "in-band-status";
> status = "okay";
> };
>
> Then enetc_config_phy returns -ENODEV and memory containing mdio interface is
> freeing.
What do you mean freeing, can you describe the flow ?
