spi: offload: fix use after free

Fix a use after free bug in devm_spi_offload_get() where a pointer
was dereferenced after being freed. Instead, add a new local variable
to avoid needing to use the resource pointer to access the offload
pointer.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202502112344.7ggtFzyn-lkp@intel.com/
Fixes: 5a19e1985d01 ("spi: axi-spi-engine: implement offload support")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250212-spi-offload-fixes-v1-2-e192c69e3bb3@baylibre.com
Signed-off-by: Mark Brown <broonie@kernel.org>

drivers/spi/spi-offload.c

@@ -108,6 +108,7 @@ struct spi_offload *devm_spi_offload_get(struct device *dev,
 					 const struct spi_offload_config *config)
 {
 	struct spi_controller_and_offload *resource;
+	struct spi_offload *offload;
 	int ret;
 
 	if (!spi || !config)
@@ -120,18 +121,20 @@ struct spi_offload *devm_spi_offload_get(struct device *dev,
 	if (!resource)
 		return ERR_PTR(-ENOMEM);
 
-	resource->controller = spi->controller;
+	offload = spi->controller->get_offload(spi, config);
-	resource->offload = spi->controller->get_offload(spi, config);
+	if (IS_ERR(offload)) {
-	if (IS_ERR(resource->offload)) {
 		kfree(resource);
-		return resource->offload;
+		return offload;
 	}
 
+	resource->controller = spi->controller;
+	resource->offload = offload;
+
 	ret = devm_add_action_or_reset(dev, spi_offload_put, resource);
 	if (ret)
 		return ERR_PTR(ret);
 
-	return resource->offload;
+	return offload;
 }
 EXPORT_SYMBOL_GPL(devm_spi_offload_get);