[PATCH] dm: spi: Fix spi_free_slave() freed memory write

Remove setting slave->dev to NULL after the device_remove() call.
The slave pointer points to dev->parent_priv, which has already been freed by device_free(), called from device_remove() in the preceding line. Writing to slave->dev may cause corruption of the dlmalloc free chunk forward pointer of the previously freed chunk.
Signed-off-by: Niel Fourie <lusus@denx.de>
Cc: Simon Glass <sjg@chromium.org>
---
drivers/spi/spi-uclass.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/spi/spi-uclass.c b/drivers/spi/spi-uclass.c index 55a8eed8901..a16ac9280fd 100644 --- a/drivers/spi/spi-uclass.c +++ b/drivers/spi/spi-uclass.c @@ -428,7 +428,6 @@ struct spi_slave *spi_setup_slave(unsigned int busnum, unsigned int cs, void spi_free_slave(struct spi_slave *slave) { device_remove(slave->dev, DM_REMOVE_NORMAL); - slave->dev = NULL; }
int spi_slave_ofdata_to_platdata(struct udevice *dev,
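Review bot: spi_free_slave() now ends at the device_remove() call with nothing in the code saying that slave itself is invalid from that point on. The commit message explains that slave lives in dev->parent_priv and is released by device_free() inside device_remove(), so a short comment above the call (for example "slave is stored in parent_priv and is freed by this call; do not touch it afterwards") would keep someone from reintroducing the write. The function's documentation could say the same for callers, who are left holding a stale pointer and have to clear their own copy. The return value of device_remove() is also still discarded here, so a failed removal goes unnoticed; if that is intentional it is worth stating, otherwise a debug message on error would help.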

On Wed, 16 Dec 2020 at 04:12, Niel Fourie <lusus@denx.de> wrote:
Remove setting slave->dev to NULL after the device_remove() call.
The slave pointer points to dev->parent_priv, which has already been freed by device_free(), called from device_remove() in the preceding line. Writing to slave->dev may cause corruption of the dlmalloc free chunk forward pointer of the previously freed chunk.
Signed-off-by: Niel Fourie <lusus@denx.de>
Cc: Simon Glass <sjg@chromium.org>
drivers/spi/spi-uclass.c | 1 -
1 file changed, 1 deletion(-)
Reviewed-by: Simon Glass <sjg@chromium.org>

On Wed, 16 Dec 2020 at 04:12, Niel Fourie <lusus@denx.de> wrote:
Remove setting slave->dev to NULL after the device_remove() call.
The slave pointer points to dev->parent_priv, which has already been freed by device_free(), called from device_remove() in the preceding line. Writing to slave->dev may cause corruption of the dlmalloc free chunk forward pointer of the previously freed chunk.
Signed-off-by: Niel Fourie <lusus@denx.de>
Cc: Simon Glass <sjg@chromium.org>
drivers/spi/spi-uclass.c | 1 -
1 file changed, 1 deletion(-)
Reviewed-by: Simon Glass <sjg@chromium.org>
Applied to u-boot-dm/next, thanks!