soc: apple: rtkit: Fix use-after-free in apple_rtkit_crashlog_rx()

This code calls kfree(bfr); and then passes "bfr" to rtk->ops->crashed()
which is a use after free.  The ->crashed function pointer is implemented
by apple_nvme_rtkit_crashed() and it doesn't use the "bfr" pointer so
this doesn't cause a problem.  But it still looks sketchy as can be.

Fix this by moving kfree() after the last usage of bfr.

Fixes: c559645 ("soc: apple: rtkit: Pass the crashlog to the crashed() callback")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Eric Curtin <ecurtin@redhat.com>
Signed-off-by: Janne Grunau <j@jannau.net>

Author: harshimogalapalli

drivers/soc/apple/rtkit.c

@@ -388,7 +388,6 @@ static void apple_rtkit_crashlog_rx(struct apple_rtkit *rtk, u64 msg)
 		apple_rtkit_memcpy(rtk, bfr, &rtk->crashlog_buffer, 0,
 				   rtk->crashlog_buffer.size);
 		apple_rtkit_crashlog_dump(rtk, bfr, rtk->crashlog_buffer.size);
-		kfree(bfr);
 	} else {
 		dev_err(rtk->dev,
 			"RTKit: Couldn't allocate crashlog shadow buffer\n");
@@ -397,6 +396,8 @@ static void apple_rtkit_crashlog_rx(struct apple_rtkit *rtk, u64 msg)
 	rtk->crashed = true;
 	if (rtk->ops->crashed)
 		rtk->ops->crashed(rtk->cookie, bfr, rtk->crashlog_buffer.size);
+
+	kfree(bfr);
 }
 
 static void apple_rtkit_ioreport_rx(struct apple_rtkit *rtk, u64 msg)