summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlper Ak <alperyasinak1@gmail.com>2026-02-09 13:30:42 +0300
committerHerbert Xu <herbert@gondor.apana.org.au>2026-02-28 12:51:58 +0900
commit889b0e2721e793eb46cf7d17b965aa3252af3ec8 (patch)
tree1523c2fb2ddb5632723a3f426d3b15ae5fa09bb2
parent8168a7b72bdee3790b126f63bd30306759206b15 (diff)
crypto: ccp - Fix use-after-free on error path
In the error path of sev_tsm_init_locked(), the code dereferences 't' after it has been freed with kfree(). The pr_err() statement attempts to access t->tio_en and t->tio_init_done after the memory has been released. Move the pr_err() call before kfree(t) to access the fields while the memory is still valid. This issue reported by Smatch static analyser Fixes:4be423572da1 ("crypto/ccp: Implement SEV-TIO PCIe IDE (phase1)") Signed-off-by: Alper Ak <alperyasinak1@gmail.com> Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat
-rw-r--r--drivers/crypto/ccp/sev-dev-tsm.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/crypto/ccp/sev-dev-tsm.c b/drivers/crypto/ccp/sev-dev-tsm.c
index adc9542ae806..b07ae529b591 100644
--- a/drivers/crypto/ccp/sev-dev-tsm.c
+++ b/drivers/crypto/ccp/sev-dev-tsm.c
@@ -378,9 +378,9 @@ void sev_tsm_init_locked(struct sev_device *sev, void *tio_status_page)
return;
error_exit:
- kfree(t);
pr_err("Failed to enable SEV-TIO: ret=%d en=%d initdone=%d SEV=%d\n",
ret, t->tio_en, t->tio_init_done, boot_cpu_has(X86_FEATURE_SEV));
+ kfree(t);
}
void sev_tsm_uninit(struct sev_device *sev)
generated by cgit v1.2.3 (git 2.46.0) at 2026-03-14 23:31:52 +0000