The error exit path in request_firmware frees the allocated struct firmware
*firmware, which is good.  What is not so good is that the value of
firmware has already been copied out to the caller as *firmware_p.  The
risk is that the caller will pass this to release_firmware, a double free. 
This is exactly what will happen if the caller copied the example code

         if(request_firmware(&fw_entry, $FIRMWARE, device) == 0)
                copy_fw_to_device(fw_entry->data, fw_entry->size);
         release(fw_entry);

from the firmware documentation.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>