rtlwifi: kfree entry until after entry->bssid has been accessed
author Colin Ian King <colin.king@canonical.com>
Fri, 30 Jun 2017 10:08:43 +0000 (11:08 +0100)
committer Kalle Valo <kvalo@codeaurora.org>
Thu, 27 Jul 2017 10:58:18 +0000 (13:58 +0300)
The current code kfree's entry and then dereferences it by accessing
entry->bssid.  Avoid the dereference-after-free by moving the kfree
after the access to entry->bssid.

Detected by CoverityScan, CID#1448600 ("Read from pointer after free")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/realtek/rtlwifi/base.c

index e36ee592c6601d3382fdc68eb1a4bf21a0e1d8f2..208f56297a7574a831b3c4d3e5690f8e829555df 100644 (file)
@@ -1735,12 +1735,12 @@ void rtl_scan_list_expire(struct ieee80211_hw *hw)
                        continue;
 
                list_del(&entry->list);
-               kfree(entry);
                rtlpriv->scan_list.num--;
 
                RT_TRACE(rtlpriv, COMP_SCAN, DBG_LOUD,
                         "BSSID=%pM is expire in scan list (total=%d)\n",
                         entry->bssid, rtlpriv->scan_list.num);
+               kfree(entry);
        }
 
        spin_unlock_irqrestore(&rtlpriv->locks.scan_list_lock, flags);
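
Review bot: the commit message carries no Fixes: tag for the read of entry->bssid in the RT_TRACE call that used to follow kfree(entry). Naming the commit that introduced the early free would let stable maintainers pick this up. The new order (list_del, scan_list.num--, RT_TRACE, kfree) looks right. Since the loop body both unlinks and frees entry, please also confirm that the loop header, which is outside the visible context, uses a deletion-safe iterator such as list_for_each_entry_safe.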