The error exit path in request_firmware frees the allocated
struct firmware *firmware, which is good. What is not so good
is that the value of firmware has already been copied out to the
caller as *firmware_p. The risk is that the caller will pass this
to release_firmware, a double free. This is exactly what will
happen if the caller copied the example code
if(request_firmware(&fw_entry, $FIRMWARE, device) == 0)
copy_fw_to_device(fw_entry->data, fw_entry->size);
release(fw_entry);
from the firmware documentation.
--- mm/drivers/base/firmware_class.c.orig 2004-10-02 18:43:00.323005656 +0200
+++ mm/drivers/base/firmware_class.c 2004-10-02 18:43:37.500448654 +0200
@@ -441,6 +441,7 @@
error_kfree_fw:
kfree(firmware);
+ *firmware_p = NULL;
out:
return retval;
}