[PATCH] Bluetooth: btintel: fix dereference after free in btintel_ppag_callback()

From: Konstantin Meskhidze
Date: Thu Aug 17 2023 - 05:37:10 EST


'buffer.pointer' is freed and then dereferenced via the 'p' pointer in the
'bt_dev_warn' function call.

Fixes: c585a92b2f9c ("Bluetooth: btintel: Set Per Platform Antenna Gain(PPAG)")
Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
---
drivers/bluetooth/btintel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index d9349ba48..4ac1eba9c 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -1340,11 +1340,11 @@ static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data
p = buffer.pointer;
ppag = (struct btintel_ppag *)data;

if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
- kfree(buffer.pointer);
bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d",
p->type, p->package.count);
+ kfree(buffer.pointer);
ppag->status = AE_ERROR;
return AE_ERROR;
}

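Review bot: The reorder is correct and sufficient for this path: in the removed ordering, kfree(buffer.pointer) ran before bt_dev_warn() read p->type and p->package.count through the same allocation, so the warning formatted two fields from freed memory (a use-after-free read that KASAN would report). With kfree() moved below the bt_dev_warn() call, both reads happen while the buffer is still live. One remaining point: because p merely aliases buffer.pointer, freeing through buffer.pointer while p is still read is easy to reintroduce; freeing only after the last use of p, or a short comment noting that p points into buffer, would make the lifetime explicit. It is also worth confirming that any other early-return paths in btintel_ppag_callback() not shown in this hunk keep the same free-after-last-use order.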
--
2.34.1