soc: apple: rtkit: Fix use-after-free in apple_rtkit_crashlog_rx()
authorHarshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Wed, 12 Feb 2025 08:58:53 +0000 (00:58 -0800)
committerSven Peter <sven@svenpeter.dev>
Tue, 18 Feb 2025 17:01:20 +0000 (18:01 +0100)
This code calls kfree(bfr); and then passes "bfr" to rtk->ops->crashed()
which is a use after free.  The ->crashed function pointer is implemented
by apple_nvme_rtkit_crashed() and it doesn't use the "bfr" pointer so
this doesn't cause a problem.  But it still looks sketchy as can be.

Fix this by moving kfree() after the last usage of bfr.

Fixes: bf8b4e49777d ("soc: apple: rtkit: Pass the crashlog to the crashed() callback")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Eric Curtin <ecurtin@redhat.com>
Link: https://lore.kernel.org/r/20250212085853.1357906-1-harshit.m.mogalapalli@oracle.com
Signed-off-by: Sven Peter <sven@svenpeter.dev>
drivers/soc/apple/rtkit.c

index f190619674592bfc7b303b0779bb8754bb12c5b1..2f5f878bf899b806351cbd73b12eeb12a7a53946 100644 (file)
@@ -370,7 +370,6 @@ static void apple_rtkit_crashlog_rx(struct apple_rtkit *rtk, u64 msg)
                apple_rtkit_memcpy(rtk, bfr, &rtk->crashlog_buffer, 0,
                                   rtk->crashlog_buffer.size);
                apple_rtkit_crashlog_dump(rtk, bfr, rtk->crashlog_buffer.size);
-               kfree(bfr);
        } else {
                dev_err(rtk->dev,
                        "RTKit: Couldn't allocate crashlog shadow buffer\n");
@@ -379,6 +378,8 @@ static void apple_rtkit_crashlog_rx(struct apple_rtkit *rtk, u64 msg)
        rtk->crashed = true;
        if (rtk->ops->crashed)
                rtk->ops->crashed(rtk->cookie, bfr, rtk->crashlog_buffer.size);
+
+       kfree(bfr);
 }
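Review bot: After this hunk rtk->ops->crashed() is still called with bfr on the path where the shadow-buffer allocation failed (the else branch in the first hunk logs "Couldn't allocate crashlog shadow buffer"), so the callback presumably receives a NULL bfr together with the non-zero rtk->crashlog_buffer.size; the description notes that apple_nvme_rtkit_crashed() ignores bfr today, but that contract is not written down anywhere in the hunk. Either pass `bfr ? rtk->crashlog_buffer.size : 0` so a NULL buffer is never paired with a length, or put above the call a comment such as `/* bfr may be NULL if the shadow buffer could not be allocated; crashed() must not dereference it then */`. The added kfree(bfr) is a harmless no-op on that path since kfree(NULL) does nothing. apple_rtkit_crashlog_rx() begins before the hunk, so where bfr is allocated is not visible here.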
 
 static void apple_rtkit_ioreport_rx(struct apple_rtkit *rtk, u64 msg)