[PATCH] firmware_class: avoid double free
The error exit path in request_firmware frees the allocated struct firmware *firmware, which is good. What is not so good is that the value of firmware has already been copied out to the caller as *firmware_p. The risk is that the caller will pass this to release_firmware, a double free.

This is exactly what will happen if the caller copied the example code

	if(request_firmware(&fw_entry, $FIRMWARE, device) == 0)
		copy_fw_to_device(fw_entry->data, fw_entry->size);
	release(fw_entry);

from the firmware documentation.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
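
The failure mode described in the commit message above, as an added userspace model that is not part of the commit or the kernel source. The `fw_*` names, the one-slot pool, and the pointer-clearing fix are assumptions made for illustration; the patch's diff is not shown on this page.

```c
#include <stddef.h>
/* Constructed userspace model, not kernel code: a one-slot pool stands in
 * for kmalloc/kfree so a second free is counted instead of corrupting memory. */
struct firmware { size_t size; int live; };
static struct firmware pool;   /* the single "allocation" */
static int double_frees;       /* releases of an already-freed object */

static struct firmware *fw_alloc(void) { pool.live = 1; pool.size = 0; return &pool; }

/* Models release_firmware(): NULL is a no-op, like kfree(NULL). */
static void fw_release(struct firmware *fw)
{
    if (!fw)
        return;
    if (!fw->live)
        double_frees++;        /* in the kernel this would be a real double free */
    fw->live = 0;
}

/* Error path as described: object freed, caller's copy of the pointer left set. */
static int fw_request_buggy(struct firmware **firmware_p, int load_ok)
{
    struct firmware *firmware = fw_alloc();
    *firmware_p = firmware;    /* copied out before the load can fail */
    if (load_ok)
        return 0;
    fw_release(firmware);
    return -1;
}

/* Assumed fix: same error path, but the caller's copy is cleared as well. */
static int fw_request_fixed(struct firmware **firmware_p, int load_ok)
{
    int ret = fw_request_buggy(firmware_p, load_ok);
    if (ret)
        *firmware_p = NULL;
    return ret;
}

/* Caller following the documentation pattern: release unconditionally. */
static int caller(int (*request)(struct firmware **, int), int load_ok)
{
    struct firmware *fw_entry = NULL;
    double_frees = 0;
    if (request(&fw_entry, load_ok) == 0)
        fw_entry->size = 1;    /* stand-in for copy_fw_to_device() */
    fw_release(fw_entry);
    return double_frees;
}
```

`caller()` returns the number of double frees it triggered, so the buggy and fixed request functions can be compared on both the failing and the successful load.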