Commit 12df409b authored by Duncan Sands, committed by Linus Torvalds

[PATCH] firmware_class: avoid double free

The error exit path in request_firmware frees the allocated struct firmware
*firmware, which is good.  What is not so good is that the value of
firmware has already been copied out to the caller as *firmware_p.  The
risk is that the caller will pass this to release_firmware, a double free. 
This is exactly what will happen if the caller copied the example code

         if(request_firmware(&fw_entry, $FIRMWARE, device) == 0)
                copy_fw_to_device(fw_entry->data, fw_entry->size);
         release(fw_entry);

from the firmware documentation.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent 4bab1863
...@@ -441,6 +441,7 @@ request_firmware(const struct firmware **firmware_p, const char *name, ...@@ -441,6 +441,7 @@ request_firmware(const struct firmware **firmware_p, const char *name,
error_kfree_fw: error_kfree_fw:
kfree(firmware); kfree(firmware);
*firmware_p = NULL;
out: out:
return retval; return retval;
} }
......
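Review bot: The new `*firmware_p = NULL;` under `error_kfree_fw:` only protects callers if release_firmware() tolerates a NULL argument, and that function is not visible in this hunk. The commit message says the documentation example calls release unconditionally after a failed request, so please confirm the NULL case is handled there and document that *firmware_p is NULL whenever request_firmware() fails. Separately, if any error path jumps straight to `out:`, it skips this reset; clearing *firmware_p once at function entry would guarantee the same state on every non-zero return.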