platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()

In tpmi_sst_dev_remove(), tpmi_sst is dereferenced after being freed.
Fix this by reordering the kfree() post the dereference.

Fixes: 9d1d36268f3d ("platform/x86: ISST: Support partitioned systems")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://lore.kernel.org/r/20240517144946.289615-1-harshit.m.mogalapalli@oracle.com
Signed-off-by: Hans de Goede <hdegoede@redhat.com>

diff --git a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
index 7bac7841ff0abaa101252428601b23752beace07..7fa360073f6ef48c2d6607c7f75c022ce9dbdf4e 100644 (file)
--- a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
+++ b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
@@ -1610,8 +1610,8 @@ void tpmi_sst_dev_remove(struct auxiliary_device *auxdev)
        tpmi_sst->partition_mask_current &= ~BIT(plat_info->partition);
        /* Free the package instance when the all partitions are removed */
        if (!tpmi_sst->partition_mask_current) {
-               kfree(tpmi_sst);
                isst_common.sst_inst[tpmi_sst->package_id] = NULL;
+               kfree(tpmi_sst);
        }
        mutex_unlock(&isst_tpmi_dev_lock);
 }