[PATCH] dm: spi: Fix spi_free_slave() freed memory write

Wed Dec 16 12:11:52 CET 2020

Remove setting slave->dev to NULL after the device_remove() call.

The slave pointer points to dev->parent_priv, which has already
been freed by device_free(), called from device_remove() in the
preceding line. Writing to slave->dev may cause corruption of the
dlmalloc free chunk forward pointer of the previously freed chunk.

Signed-off-by: Niel Fourie <lusus at denx.de>
Cc: Simon Glass <sjg at chromium.org>
---
 drivers/spi/spi-uclass.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/spi/spi-uclass.c b/drivers/spi/spi-uclass.c
index 55a8eed8901..a16ac9280fd 100644
--- a/drivers/spi/spi-uclass.c
+++ b/drivers/spi/spi-uclass.c
@@ -428,7 +428,6 @@ struct spi_slave *spi_setup_slave(unsigned int busnum, unsigned int cs,
 void spi_free_slave(struct spi_slave *slave)
 {
 	device_remove(slave->dev, DM_REMOVE_NORMAL);
-	slave->dev = NULL;
 }
 
 int spi_slave_ofdata_to_platdata(struct udevice *dev,
-- 
2.28.0

