swiotlb: fix use after free on error handling path

Don't dereference "mem" after it has been freed. Flip the two kfree()s around to address this bug. Fixes: 26ffb91fa5e0 ("swiotlb: split up the global swiotlb lock") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Christoph Hellwig <hch@lst.de>
2022-07-15 11:19:50 +03:00 · 2022-07-15 11:19:50 +03:00 · 4a97739474
commit 4a97739474
parent 20347fca71
1 changed files with 1 additions and 1 deletions
--- a/kernel/dma/swiotlb.c
+++ b/kernel/dma/swiotlb.c
@ -979,8 +979,8 @@ static int rmem_swiotlb_device_init(struct reserved_mem *rmem,
 		mem->areas = kcalloc(nareas, sizeof(*mem->areas),
 				GFP_KERNEL);
 		if (!mem->areas) {
-			kfree(mem);
 			kfree(mem->slots);
+			kfree(mem);
 			return -ENOMEM;
 		}