| Message ID | 20230817093528.687571-1-konstantin.meskhidze@huawei.com |
|---|---|
| State | New |
| Headers | show |
| Series | Bluetooth: btintel: fix dereference after free in btintel_ppag_callback() | expand |
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c index d9349ba48..4ac1eba9c 100644 --- a/drivers/bluetooth/btintel.c +++ b/drivers/bluetooth/btintel.c @@ -1340,11 +1340,11 @@ static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data p = buffer.pointer; ppag = (struct btintel_ppag *)data; if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) { - kfree(buffer.pointer); bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d", p->type, p->package.count); + kfree(buffer.pointer); ppag->status = AE_ERROR; return AE_ERROR; }
'buffer.pointer' is freed and then dereferenced via 'p' pointer at 'bt_dev_warn' function call. Fixes: c585a92b2f9c ("Bluetooth: btintel: Set Per Platform Antenna Gain(PPAG)") Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> --- drivers/bluetooth/btintel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)