From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 22 Jul 2022 06:37:07 +0000 (+0300)
Subject: wifi: mt76: mt7921: fix use after free in mt7921_acpi_read()
X-Git-Tag: v6.1-rc5~319^2~30^2~45^2~24
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e7de4b4979bd8d313ec837931dde936653ca82ea;p=platform%2Fkernel%2Flinux-starfive.git

wifi: mt76: mt7921: fix use after free in mt7921_acpi_read()

Don't dereference "sar_root" after it has been freed.

Fixes: f965333e491e ("mt76: mt7921: introduce ACPI SAR support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---

diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c b/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c
index be4f07a..47e034a 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c
@@ -13,6 +13,7 @@ mt7921_acpi_read(struct mt7921_dev *dev, u8 *method, u8 **tbl, u32 *len)
 	acpi_handle root, handle;
 	acpi_status status;
 	u32 i = 0;
+	int ret;
 
 	root = ACPI_HANDLE(mdev->dev);
 	if (!root)
@@ -52,9 +53,11 @@ mt7921_acpi_read(struct mt7921_dev *dev, u8 *method, u8 **tbl, u32 *len)
 		*(*tbl + i) = (u8)sar_unit->integer.value;
 	}
 free:
+	ret = (i == sar_root->package.count) ? 0 : -EINVAL;
+
 	kfree(sar_root);
 
-	return (i == sar_root->package.count) ? 0 : -EINVAL;
+	return ret;
 }
 
 /* MTCL : Country List Table for 6G band */