
22 Nov 2018, 8:06 a.m.
On Tue, Nov 20, 2018 at 2:37 AM Boris Brezillon boris.brezillon@bootlin.com wrote:
The DM implementation of spi_flash_free() does not unregister the MTD device before removing the spi dev object. This leads to a use-after-free bug when the MTD device is later accessed by an MTD user (observed when attaching the device to UBI after env_sf_load() has called spi_flash_free()).
Implement ->remove() and call spi_flash_mtd_unregister() from there.
Fixes: 9fe6d8716e09 ("mtd, spi: Add MTD layer driver")
Signed-off-by: Boris Brezillon boris.brezillon@bootlin.com
Reviewed-by: Jagan Teki jagan@openedev.com