diff options
| author | Boris Brezillon <boris.brezillon@bootlin.com> | 2018-12-02 10:54:31 +0100 |
|---|---|---|
| committer | Jagan Teki <jagan@amarulasolutions.com> | 2018-12-06 00:45:36 +0530 |
| commit | 7371944a71690abafd0717b5d5f72c67e9f0f414 (patch) | |
| tree | 8b0af337984c07dccfc170962406e10986da187c /drivers | |
| parent | 4a5594fa20d0fa6479f477d2bd67967aca201c2f (diff) | |
mtd: sf: Unregister the MTD device prior to removing the spi_flash obj
The DM implementation of spi_flash_free() does not unregister the MTD
device before removing the spi dev object. This leads to a use-after-free
bug when the MTD device is later accessed by a MTD user (observed when
attaching the device to UBI after env_sf_load() has called
spi_flash_free()).
Implement ->remove() and call spi_flash_mtd_unregister() from there.
Fixes: 9fe6d8716e09 ("mtd, spi: Add MTD layer driver")
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Tested-by: Heiko Schocher <hs@denx.de>
Reviewed-by: Jagan Teki <jagan@openedev.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/mtd/spi/sf_probe.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/mtd/spi/sf_probe.c b/drivers/mtd/spi/sf_probe.c index 94fde2ae7a..4d7320fe8c 100644 --- a/drivers/mtd/spi/sf_probe.c +++ b/drivers/mtd/spi/sf_probe.c @@ -137,6 +137,14 @@ static int spi_flash_std_probe(struct udevice *dev) return spi_flash_probe_slave(flash); } +static int spi_flash_std_remove(struct udevice *dev) +{ +#ifdef CONFIG_SPI_FLASH_MTD + spi_flash_mtd_unregister(); +#endif + return 0; +} + static const struct dm_spi_flash_ops spi_flash_std_ops = { .read = spi_flash_std_read, .write = spi_flash_std_write, @@ -153,6 +161,7 @@ U_BOOT_DRIVER(spi_flash_std) = { .id = UCLASS_SPI_FLASH, .of_match = spi_flash_std_ids, .probe = spi_flash_std_probe, + .remove = spi_flash_std_remove, .priv_auto_alloc_size = sizeof(struct spi_flash), .ops = &spi_flash_std_ops, }; |