From 709105c301aa53fb86c46b36f882998558b19652 Mon Sep 17 00:00:00 2001
From: Greg Hackmann <ghackmann@google.com>
Date: Tue, 15 Nov 2016 15:17:24 -0800
Subject: [PATCH] net: wireless: bcmdhd: fix use-after-free in
 _dhd_pno_get_for_batch()

Bug: 32838767
Change-Id: I987b07c30b3ed76865a002e7c154a5fa36b1bf29
Signed-off-by: Greg Hackmann <ghackmann@google.com>
---
 drivers/net/wireless/bcmdhd/dhd_pno.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
index 3e4c6d8191f47..93642ed12bc04 100644
--- a/drivers/net/wireless/bcmdhd/dhd_pno.c
+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
@@ -3069,9 +3069,10 @@ _dhd_pno_get_for_batch(dhd_pub_t *dhd, char *buf, int bufsize, int reason)
 		list_del(&pscan_results->list);
 		MFREE(dhd->osh, pscan_results, SCAN_RESULTS_SIZE);
 		_params->params_batch.get_batch.top_node_cnt--;
+	} else {
+		/* increase total scan count using current scan count */
+		_params->params_batch.get_batch.tot_scan_cnt += pscan_results->cnt_header;
 	}
-	/* increase total scan count using current scan count */
-	_params->params_batch.get_batch.tot_scan_cnt += pscan_results->cnt_header;
 
 	if (buf && bufsize) {
 		/* This is a first try to get batching results */