ide: fix use after free in ide-acpi

out_obj points to kfreed memory and we dereference that pointer in DEBPRINT/printk. Signed-off-by: Mariusz Kozlowski <mk@lab.zgora.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Mariusz Kozlowski <mk@lab.zgora.pl> 2010-11-22 14:37:21 -0500
committer: David S. Miller <davem@davemloft.net> 2010-11-22 14:37:21 -0500
commit: ba5787323d38084b30261e84510d4a173fcb493a (patch)
tree: 8d3c718f5627ac5898bcd56a993e6aca944dabfc
parent: dd8717da6da9b0e745df49762be4573010f1013c (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/ide/ide-acpi.c b/drivers/ide/ide-acpi.c
index c26c11905ffe..2af8cb460a3b 100644
--- a/drivers/ide/ide-acpi.c
+++ b/drivers/ide/ide-acpi.c
@@ -416,21 +416,21 @@ void ide_acpi_get_timing(ide_hwif_t *hwif)
        out_obj = output.pointer;
        if (out_obj->type != ACPI_TYPE_BUFFER) {
-                kfree(output.pointer);
                DEBPRINT("Run _GTM: error: "
                       "expected object type of ACPI_TYPE_BUFFER, "
                       "got 0x%x\n", out_obj->type);
+                kfree(output.pointer);
                return;
        }
        if (!out_obj->buffer.length || !out_obj->buffer.pointer ||
            out_obj->buffer.length != sizeof(struct GTM_buffer)) {
-                kfree(output.pointer);
                printk(KERN_ERR
                        "%s: unexpected _GTM length (0x%x)[should be 0x%zx] or "
                        "addr (0x%p)\n",
                        __func__, out_obj->buffer.length,
                        sizeof(struct GTM_buffer), out_obj->buffer.pointer);
+                kfree(output.pointer);
                return;
        }
author	Mariusz Kozlowski <mk@lab.zgora.pl>	2010-11-22 14:37:21 -0500
committer	David S. Miller <davem@davemloft.net>	2010-11-22 14:37:21 -0500
commit	ba5787323d38084b30261e84510d4a173fcb493a (patch)
tree	8d3c718f5627ac5898bcd56a993e6aca944dabfc
parent	dd8717da6da9b0e745df49762be4573010f1013c (diff)