Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

crypto: ccp - Fix use-after-free on error path

In the error path of sev_tsm_init_locked(), the code dereferences 't'
after it has been freed with kfree(). The pr_err() statement attempts
to access t->tio_en and t->tio_init_done after the memory has been
released.

Move the pr_err() call before kfree(t) to access the fields while the
memory is still valid.

This issue was reported by the Smatch static analyser.

Fixes: 4be423572da1 ("crypto/ccp: Implement SEV-TIO PCIe IDE (phase1)")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Authored by Alper Ak and committed by Herbert Xu
889b0e27 8168a7b7

+1 -1
drivers/crypto/ccp/sev-dev-tsm.c
··· 378 378 return; 379 379 380 380 error_exit: 381 - kfree(t); 382 381 pr_err("Failed to enable SEV-TIO: ret=%d en=%d initdone=%d SEV=%d\n", 383 382 ret, t->tio_en, t->tio_init_done, boot_cpu_has(X86_FEATURE_SEV)); 383 + kfree(t); 384 384 } 385 385 386 386 void sev_tsm_uninit(struct sev_device *sev)
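
Review bot: at error_exit, pr_err() dereferences t (t->tio_en, t->tio_init_done) unconditionally, so every goto that reaches this label must arrive with t non-NULL. The hunk does not show where t is allocated, so it is worth confirming that an allocation-failure path cannot jump here: kfree(t) tolerates a NULL pointer, but the pr_err() arguments do not. The reorder itself is correct, since the fields are now read before kfree(t) releases the memory. A short comment above pr_err() noting that it must stay ahead of the free would help keep a later cleanup from reintroducing the use-after-free.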