From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 15 Jul 2022 08:19:50 +0000 (+0300)
Subject: swiotlb: fix use after free on error handling path
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=4a97739474c402e0a14cf6a432f1920262f6811c;p=linux.git

swiotlb: fix use after free on error handling path

Don't dereference "mem" after it has been freed.  Flip the
two kfree()s around to address this bug.

Fixes: 26ffb91fa5e0 ("swiotlb: split up the global swiotlb lock")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
---

diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c
index dcf1459ce7239..c50e6fe20f37b 100644
--- a/kernel/dma/swiotlb.c
+++ b/kernel/dma/swiotlb.c
@@ -979,8 +979,8 @@ static int rmem_swiotlb_device_init(struct reserved_mem *rmem,
 		mem->areas = kcalloc(nareas, sizeof(*mem->areas),
 				GFP_KERNEL);
 		if (!mem->areas) {
-			kfree(mem);
 			kfree(mem->slots);
+			kfree(mem);
 			return -ENOMEM;
 		}