swiotlb: fix use after free on error handling path

Don't dereference "mem" after it has been freed.  Flip the
two kfree()s around to address this bug.

Fixes: 26ffb91fa5e0 ("swiotlb: split up the global swiotlb lock")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>

diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c
index dcf1459..c50e6fe 100644 (file)
--- a/kernel/dma/swiotlb.c
+++ b/kernel/dma/swiotlb.c
@@ -979,8 +979,8 @@ static int rmem_swiotlb_device_init(struct reserved_mem *rmem,
                mem->areas = kcalloc(nareas, sizeof(*mem->areas),
                                GFP_KERNEL);
                if (!mem->areas) {
-                       kfree(mem);
                        kfree(mem->slots);
+                       kfree(mem);
                        return -ENOMEM;
                }