From: Boris Brezillon Date: Sun, 2 Dec 2018 09:54:31 +0000 (+0100) Subject: mtd: sf: Unregister the MTD device prior to removing the spi_flash obj X-Git-Tag: v2025.01-rc5-pxa1908~3239^2~1 X-Git-Url: http://git.dujemihanovic.xyz/html/static/gitweb.css?a=commitdiff_plain;h=7371944a71690abafd0717b5d5f72c67e9f0f414;p=u-boot.git mtd: sf: Unregister the MTD device prior to removing the spi_flash obj The DM implementation of spi_flash_free() does not unregister the MTD device before removing the spi dev object. This leads to a use-after-free bug when the MTD device is later accessed by a MTD user (observed when attaching the device to UBI after env_sf_load() has called spi_flash_free()). Implement ->remove() and call spi_flash_mtd_unregister() from there. Fixes: 9fe6d8716e09 ("mtd, spi: Add MTD layer driver") Signed-off-by: Boris Brezillon Tested-by: Heiko Schocher Reviewed-by: Jagan Teki --- diff --git a/drivers/mtd/spi/sf_probe.c b/drivers/mtd/spi/sf_probe.c index 94fde2ae7a..4d7320fe8c 100644 --- a/drivers/mtd/spi/sf_probe.c +++ b/drivers/mtd/spi/sf_probe.c @@ -137,6 +137,14 @@ static int spi_flash_std_probe(struct udevice *dev) return spi_flash_probe_slave(flash); } +static int spi_flash_std_remove(struct udevice *dev) +{ +#ifdef CONFIG_SPI_FLASH_MTD + spi_flash_mtd_unregister(); +#endif + return 0; +} + static const struct dm_spi_flash_ops spi_flash_std_ops = { .read = spi_flash_std_read, .write = spi_flash_std_write, @@ -153,6 +161,7 @@ U_BOOT_DRIVER(spi_flash_std) = { .id = UCLASS_SPI_FLASH, .of_match = spi_flash_std_ids, .probe = spi_flash_std_probe, + .remove = spi_flash_std_remove, .priv_auto_alloc_size = sizeof(struct spi_flash), .ops = &spi_flash_std_ops, };
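Review bot: spi_flash_std_remove() never uses `dev`, and spi_flash_mtd_unregister() is called with no argument, so removing any device bound to spi_flash_std drops the MTD registration whether or not that device is the flash that registered it. If the MTD layer only ever tracks one SPI flash at a time, say so in a comment above the call. Otherwise the unregister should be keyed on the flash being removed, so that a second flash's MTD device is not torn down while a user such as UBI still holds it. The function also returns 0 unconditionally; if the unregister step can fail, return its result so the driver model does not free the spi_flash object while the MTD device is still registered, which is the use-after-free the commit message describes.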