iommu: fix KASAN use-after-free in iommu_insert_resv_region

In case the new region gets merged into another one, the nr list node is
freed.  Checking its type while completing the merge algorithm leads to
a use-after-free.  Use new->type instead.

Fixes: 4dbd258 ("iommu: Revisit iommu_insert_resv_region() implementation")
Signed-off-by: Eric Auger <[email protected]>
Reported-by: Qian Cai <[email protected]>
Reviewed-by: Jerry Snitselaar <[email protected]>
Cc: Stable <[email protected]> #v5.3+
Signed-off-by: Linus Torvalds <[email protected]>

Author: eauger

drivers/iommu/iommu.c

@@ -312,8 +312,8 @@ int iommu_insert_resv_region(struct iommu_resv_region *new,
 	list_for_each_entry_safe(iter, tmp, regions, list) {
 		phys_addr_t top_end, iter_end = iter->start + iter->length - 1;
 
-		/* no merge needed on elements of different types than @nr */
-		if (iter->type != nr->type) {
+		/* no merge needed on elements of different types than @new */
+		if (iter->type != new->type) {
 			list_move_tail(&iter->list, &stack);
 			continue;
 		}