spi/heap: address Copilot review feedback on #4360

furi_hal_spi.c (TX-only DMA path):
On timeout the cleanup unconditionally released spi_dma_completed
while LL_DMA_DisableIT_TC was issued *after*. A late or pending DMA
completion ISR would then call furi_semaphore_release() on an already
full binary semaphore and crash furi_check. Disable TC IRQ and clear
the pending TC flag before releasing the semaphore so the ISR cannot
double-release.

memmgr_heap.c (memmgr_heap_get_block_size):
Add heapVALIDATE_BLOCK_POINTER(pxLink) to match vPortFree(). Without
it a caller passing an invalid pointer through this public API would
read out of bounds before the configASSERT fires.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: WonderMr

furi/core/memmgr_heap.c

@@ -550,6 +550,7 @@ size_t memmgr_heap_get_block_size(void* pv) {
     puc -= xHeapStructSize;
     pxLink = (void*)puc;
 
+    heapVALIDATE_BLOCK_POINTER(pxLink);
     configASSERT(heapBLOCK_IS_ALLOCATED(pxLink) != 0);
 
     return (pxLink->xBlockSize & ~heapBLOCK_ALLOCATED_BITMASK) - xHeapStructSize;

targets/f7/furi_hal/furi_hal_spi.c

@@ -297,10 +297,20 @@ bool furi_hal_spi_bus_trx_dma(
             ret = false;
             FURI_LOG_E(TAG, "DMA timeout\r\n");
         }
+
+        // Disable TC IRQ and clear pending TC flag BEFORE releasing the
+        // semaphore. On timeout the ISR may still fire and would try to
+        // re-release the binary semaphore, crashing furi_check.
+        LL_DMA_DisableIT_TC(SPI_DMA_RX_DEF);
+#if SPI_DMA_RX_CHANNEL == LL_DMA_CHANNEL_6
+        LL_DMA_ClearFlag_TC6(SPI_DMA);
+#else
+#error Update this code. Would you kindly?
+#endif
+
         // release semaphore, because we are using it as a flag
         furi_semaphore_release(spi_dma_completed);
 
-        LL_DMA_DisableIT_TC(SPI_DMA_RX_DEF);
         LL_DMA_DisableChannel(SPI_DMA_TX_DEF);
         LL_DMA_DisableChannel(SPI_DMA_RX_DEF);
         if(!dma_tx_was_enabled) {