dm: spi: Fix spi_free_slave() freed memory write

Remove setting slave->dev to NULL after the device_remove() call.

The slave pointer points to dev->parent_priv, which has already
been freed by device_free(), called from device_remove() in the
preceding line. Writing to slave->dev may cause corruption of the
dlmalloc free chunk forward pointer of the previously freed chunk.

Signed-off-by: Niel Fourie <lusus@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>

diff --git a/drivers/spi/spi-uclass.c b/drivers/spi/spi-uclass.c
index acef09d..a392a93 100644 (file)
--- a/drivers/spi/spi-uclass.c
+++ b/drivers/spi/spi-uclass.c
@@ -435,7 +435,6 @@ struct spi_slave *spi_setup_slave(unsigned int busnum, unsigned int cs,
 void spi_free_slave(struct spi_slave *slave)
 {
        device_remove(slave->dev, DM_REMOVE_NORMAL);
-       slave->dev = NULL;
 }
 
 int spi_slave_of_to_plat(struct udevice *dev, struct dm_spi_slave_plat *plat)