crypto: ccp - Fix use-after-free on error path

alperak · herbertx · commit 889b0e2721e7 · 2026-02-28T12:51:58.000+09:00
In the error path of sev_tsm_init_locked(), the code dereferences 't'
after it has been freed with kfree(). The pr_err() statement attempts
to access t-&gt;tio_en and t-&gt;tio_init_done after the memory has been
released.

Move the pr_err() call before kfree(t) to access the fields while the
memory is still valid.

This issue reported by Smatch static analyser

Fixes:4be423572da1 ("crypto/ccp: Implement SEV-TIO PCIe IDE (phase1)")
Signed-off-by: Alper Ak &lt;alperyasinak1@gmail.com&gt;
Acked-by: Tom Lendacky &lt;thomas.lendacky@amd.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
diff --git a/drivers/crypto/ccp/sev-dev-tsm.c b/drivers/crypto/ccp/sev-dev-tsm.c
@@ -378,9 +378,9 @@ void sev_tsm_init_locked(struct sev_device *sev, void *tio_status_page)
 	return;
 
 error_exit:
-	kfree(t);
 	pr_err("Failed to enable SEV-TIO: ret=%d en=%d initdone=%d SEV=%d\n",
 	       ret, t->tio_en, t->tio_init_done, boot_cpu_has(X86_FEATURE_SEV));
+	kfree(t);
 }
 
 void sev_tsm_uninit(struct sev_device *sev)

Original file line number	Diff line number	Diff line change
`@@ -378,9 +378,9 @@ void sev_tsm_init_locked(struct sev_device sev, void tio_status_page)`
`378`	`378`	`return;`
`379`	`379`
`380`	`380`	`error_exit:`
`381`		`- kfree(t);`
`382`	`381`	`pr_err("Failed to enable SEV-TIO: ret=%d en=%d initdone=%d SEV=%d\n",`
`383`	`382`	`ret, t->tio_en, t->tio_init_done, boot_cpu_has(X86_FEATURE_SEV));`
	`383`	`+ kfree(t);`
`384`	`384`	`}`
`385`	`385`
`386`	`386`	`void sev_tsm_uninit(struct sev_device *sev)`