swiotlb: fix use after free on error handling path

Don't dereference "mem" after it has been freed. Flip the two kfree()s around to address this bug. Fixes: 26ffb91fa5e0 ("swiotlb: split up the global swiotlb lock") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Christoph Hellwig <hch@lst.de>

swiotlb: fix use after free on error handling path
Don't dereference "mem" after it has been freed. Flip the two kfree()s around to address this bug. Fixes: 26ffb91fa5e0 ("swiotlb: split up the global swiotlb lock") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Christoph Hellwig <hch@lst.de>
4a977394 · Dan Carpenter · Christoph Hellwig · 20347fca · 4a977394
Commit 4a977394 authored Jul 15, 2022 by Dan Carpenter Committed by Christoph Hellwig Jul 18, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

kernel/dma/swiotlb.c kernel/dma/swiotlb.c +1 -1

No files found.
--- a/kernel/dma/swiotlb.c
+++ b/kernel/dma/swiotlb.c
@@ -979,8 +979,8 @@ static int rmem_swiotlb_device_init(struct reserved_mem *rmem,
 		mem->areas = kcalloc(nareas, sizeof(*mem->areas),
 				GFP_KERNEL);
 		if (!mem->areas) {
-			kfree(mem);
 			kfree(mem->slots);
+			kfree(mem);
 			return -ENOMEM;
 		}