[PATCH v2] net: eth-uclass: revalidate priv after stop() in eth_halt()

[Niel Fourie]

In eth_halt(), reread and revalidate priv after calling stop(),
as it may have been freed, leaving a dangling pointer.

In the ethernet gadget implementation, the gadget device gets
probed during start() and removed during stop(), which includes
freeing `uclass_priv_` to which `priv` is pointing. Writing to
`priv` after stop() may corrupt the `fd` member of `struct
malloc_chunk`, which represents the freed block, and could cause
hard-to-debug crashes on subsequent calls to malloc()/free().

Signed-off-by: Niel Fourie <lusus at denx.de>
Cc: Ramon Fried <rfried.dev at gmail.com>
Cc: Marek Vasut <marex at denx.de>
Cc: Lukasz Majewski <lukma at denx.de>
---
Changes for v2:
- Revalidate priv instead of changing state before stop()
- Added explanational comment

This patch my be dropped if the patch which addresses the root cause
("usb: gadget: ether: split start/stop from init/halt") is accepted.

 net/eth-uclass.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/eth-uclass.c b/net/eth-uclass.c
index f41da4b37b3..7d5783b5cab 100644
--- a/net/eth-uclass.c
+++ b/net/eth-uclass.c
@@ -341,8 +341,11 @@ void eth_halt(void)
 	priv = dev_get_uclass_priv(current);
 	if (!priv || !priv->running)
 		return;
-
 	eth_get_ops(current)->stop(current);
+	/* Ethernet gadget frees priv during stop, workaround until fixed... */
+	priv = dev_get_uclass_priv(current);
+	if (!priv || !priv->running)
+		return;
 	priv->state = ETH_STATE_PASSIVE;
 	priv->running = false;
 }
-- 
2.38.1