From fc314300ddbd60861b556318413662d6844a111d Mon Sep 17 00:00:00 2001 From: Niel Fourie Date: Wed, 16 Dec 2020 12:11:52 +0100 Subject: [PATCH] dm: spi: Fix spi_free_slave() freed memory write Remove setting slave->dev to NULL after the device_remove() call. The slave pointer points to dev->parent_priv, which has already been freed by device_free(), called from device_remove() in the preceding line. Writing to slave->dev may cause corruption of the dlmalloc free chunk forward pointer of the previously freed chunk. Signed-off-by: Niel Fourie Cc: Simon Glass Reviewed-by: Simon Glass --- drivers/spi/spi-uclass.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/spi/spi-uclass.c b/drivers/spi/spi-uclass.c index acef09d6f4..a392a93aa1 100644 --- a/drivers/spi/spi-uclass.c +++ b/drivers/spi/spi-uclass.c @@ -435,7 +435,6 @@ struct spi_slave *spi_setup_slave(unsigned int busnum, unsigned int cs, void spi_free_slave(struct spi_slave *slave) { device_remove(slave->dev, DM_REMOVE_NORMAL); - slave->dev = NULL; } int spi_slave_of_to_plat(struct udevice *dev, struct dm_spi_slave_plat *plat) -- 2.39.5
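Review bot: in spi_free_slave(), once `slave->dev = NULL;` is gone the body is a bare `device_remove(slave->dev, DM_REMOVE_NORMAL);` with nothing telling callers that `slave` itself is invalid on return. Per the commit message, slave points to dev->parent_priv, which device_free() releases inside device_remove(), so a caller that keeps dereferencing its copy of the pointer touches the same freed chunk this patch stops writing to. Suggest a short comment above the call stating that slave must not be used after spi_free_slave() returns and that callers should clear their own pointer. Separately, the result of device_remove() is discarded in this void function; if removal can fail, the slave may still be live while the caller assumes it was freed, so consider logging the failure or saying so in that comment.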