From: Niel Fourie Date: Wed, 16 Dec 2020 11:11:52 +0000 (+0100) Subject: dm: spi: Fix spi_free_slave() freed memory write X-Git-Tag: v2025.01-rc5-pxa1908~2072^2~4^2~2 X-Git-Url: http://git.dujemihanovic.xyz/%22http:/www.sics.se/static/%7B%7B?a=commitdiff_plain;h=fc314300ddbd60861b556318413662d6844a111d;p=u-boot.git dm: spi: Fix spi_free_slave() freed memory write Remove setting slave->dev to NULL after the device_remove() call. The slave pointer points to dev->parent_priv, which has already been freed by device_free(), called from device_remove() in the preceding line. Writing to slave->dev may cause corruption of the dlmalloc free chunk forward pointer of the previously freed chunk. Signed-off-by: Niel Fourie Cc: Simon Glass Reviewed-by: Simon Glass --- diff --git a/drivers/spi/spi-uclass.c b/drivers/spi/spi-uclass.c index acef09d6f4..a392a93aa1 100644 --- a/drivers/spi/spi-uclass.c +++ b/drivers/spi/spi-uclass.c @@ -435,7 +435,6 @@ struct spi_slave *spi_setup_slave(unsigned int busnum, unsigned int cs, void spi_free_slave(struct spi_slave *slave) { device_remove(slave->dev, DM_REMOVE_NORMAL); - slave->dev = NULL; } int spi_slave_of_to_plat(struct udevice *dev, struct dm_spi_slave_plat *plat)