From: Niel Fourie <lusus@denx.de>
Date: Wed, 16 Dec 2020 11:11:52 +0000 (+0100)
Subject: dm: spi: Fix spi_free_slave() freed memory write
X-Git-Tag: v2025.01-rc5-pxa1908~2072^2~4^2~2
X-Git-Url: http://git.dujemihanovic.xyz/img/static/gitweb.css?a=commitdiff_plain;h=fc314300ddbd60861b556318413662d6844a111d;p=u-boot.git

dm: spi: Fix spi_free_slave() freed memory write

Remove setting slave->dev to NULL after the device_remove() call.

The slave pointer points to dev->parent_priv, which has already
been freed by device_free(), called from device_remove() in the
preceding line. Writing to slave->dev may cause corruption of the
dlmalloc free chunk forward pointer of the previously freed chunk.

Signed-off-by: Niel Fourie <lusus@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---

diff --git a/drivers/spi/spi-uclass.c b/drivers/spi/spi-uclass.c
index acef09d6f4..a392a93aa1 100644
--- a/drivers/spi/spi-uclass.c
+++ b/drivers/spi/spi-uclass.c
@@ -435,7 +435,6 @@ struct spi_slave *spi_setup_slave(unsigned int busnum, unsigned int cs,
 void spi_free_slave(struct spi_slave *slave)
 {
 	device_remove(slave->dev, DM_REMOVE_NORMAL);
-	slave->dev = NULL;
 }
 
 int spi_slave_of_to_plat(struct udevice *dev, struct dm_spi_slave_plat *plat)
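Review bot: with `slave->dev = NULL;` gone, nothing in spi_free_slave() records why slave must not be touched after device_remove() returns, so the same write could be reintroduced later. Per the commit message, slave points to dev->parent_priv, which device_free() releases from within device_remove(); a short comment above the call would capture that, for example `/* slave lives in dev->parent_priv and is freed by this call */`. Separately, the result of device_remove() is discarded in this void function, so a failed removal is invisible to the caller; logging a non-zero return would make that case diagnosable.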