The error exit path in request_firmware frees the allocated struct firmware
*firmware, which is good. What is not so good is that the value of
firmware has already been copied out to the caller as *firmware_p. The
risk is that the caller will pass this to release_firmware, a double free.
This is exactly what will happen if the caller copied the example code

	if(request_firmware(&fw_entry, $FIRMWARE, device) == 0)
		copy_fw_to_device(fw_entry->data, fw_entry->size);
	release(fw_entry);

from the firmware documentation.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
error_kfree_fw:
kfree(firmware);
+ *firmware_p = NULL;
out:
return retval;
}
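Review bot: the `*firmware_p = NULL;` store under `error_kfree_fw:` prevents the double free in the quoted caller pattern only if release_firmware() treats a NULL argument as a no-op, which these lines do not show. Please confirm that it does, or add the NULL check there, and state in the function's comment that *firmware_p is NULL on failure so callers can rely on it. Any path that jumps straight to `out:` also skips this store, so check that none of them returns an error with *firmware_p left pointing at freed or uninitialised memory. The documentation example cited in the commit message still calls release unconditionally after a failed request and is worth correcting in the same series.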