ide: fix use after free in ide-acpi

out_obj points to kfreed memory and we dereference that pointer in
DEBPRINT/printk.

Signed-off-by: Mariusz Kozlowski <mk@lab.zgora.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/ide/ide-acpi.c b/drivers/ide/ide-acpi.c
index c26c11905ffe0063eec29b07a236b5e24a0922c9..2af8cb460a3bc7cfd33531c0304d6ca6cff56d90 100644 (file)
--- a/drivers/ide/ide-acpi.c
+++ b/drivers/ide/ide-acpi.c
@@ -416,21 +416,21 @@ void ide_acpi_get_timing(ide_hwif_t *hwif)
 
        out_obj = output.pointer;
        if (out_obj->type != ACPI_TYPE_BUFFER) {
-               kfree(output.pointer);
                DEBPRINT("Run _GTM: error: "
                       "expected object type of ACPI_TYPE_BUFFER, "
                       "got 0x%x\n", out_obj->type);
+               kfree(output.pointer);
                return;
        }
 
        if (!out_obj->buffer.length || !out_obj->buffer.pointer ||
            out_obj->buffer.length != sizeof(struct GTM_buffer)) {
-               kfree(output.pointer);
                printk(KERN_ERR
                        "%s: unexpected _GTM length (0x%x)[should be 0x%zx] or "
                        "addr (0x%p)\n",
                        __func__, out_obj->buffer.length,
                        sizeof(struct GTM_buffer), out_obj->buffer.pointer);
+               kfree(output.pointer);
                return;
        }