isdn: gigaset: use after free

I moved the kfree(cb) below the dereferences.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c
index 0ded364..707d9c9 100644 (file)
--- a/drivers/isdn/gigaset/bas-gigaset.c
+++ b/drivers/isdn/gigaset/bas-gigaset.c
@@ -1914,11 +1914,13 @@ static int gigaset_write_cmd(struct cardstate *cs, struct cmdbuf_t *cb)
         * The next command will reopen the AT channel automatically.
         */
        if (cb->len == 3 && !memcmp(cb->buf, "+++", 3)) {
-               kfree(cb);
                rc = req_submit(cs->bcs, HD_CLOSE_ATCHANNEL, 0, BAS_TIMEOUT);
                if (cb->wake_tasklet)
                        tasklet_schedule(cb->wake_tasklet);
-               return rc < 0 ? rc : cb->len;
+               if (!rc)
+                       rc = cb->len;
+               kfree(cb);
+               return rc;
        }
 
        spin_lock_irqsave(&cs->cmdlock, flags);