mtd: rfd_ftl: fix use-after-free

del_mtd_blktrans_dev() will kfree part, so after this call both part and
dev point to freed memory. Move the call to avoid use-after-free.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20210807214538.14484-5-sean@mess.org

diff --git a/drivers/mtd/rfd_ftl.c b/drivers/mtd/rfd_ftl.c
index 7f5f6d247cae14aa3a8086f94eae327a3a1c8622..52be9f1fa9a27b4940aa8c9a3b8fe508e252e688 100644 (file)
--- a/drivers/mtd/rfd_ftl.c
+++ b/drivers/mtd/rfd_ftl.c
@@ -800,10 +800,10 @@ static void rfd_ftl_remove_dev(struct mtd_blktrans_dev *dev)
                        part->mbd.mtd->name, i, part->blocks[i].erases);
        }
 
-       del_mtd_blktrans_dev(dev);
        vfree(part->sector_map);
        kfree(part->header_cache);
        kfree(part->blocks);
+       del_mtd_blktrans_dev(dev);
 }
 
 static struct mtd_blktrans_ops rfd_ftl_tr = {