acer-wmi: double free in acer_rfkill_exit()

This is acer_rfkill_exit() from drivers/platform/x86/acer-wmi.c.

The code frees wireless_rfkill->data again instead of
bluetooth_rfkill->data.

This was found using a code checker (http://repo.or.cz/w/smatch.git/).

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Carlos Corbacho <carlos@strangeworlds.co.uk>
Signed-off-by: Len Brown <len.brown@intel.com>

diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
index 6bcca61..a6a42e8 100644 (file)
--- a/drivers/platform/x86/acer-wmi.c
+++ b/drivers/platform/x86/acer-wmi.c
@@ -1026,7 +1026,7 @@ static void acer_rfkill_exit(void)
        kfree(wireless_rfkill->data);
        rfkill_unregister(wireless_rfkill);
        if (has_cap(ACER_CAP_BLUETOOTH)) {
        kfree(wireless_rfkill->data);
        rfkill_unregister(wireless_rfkill);
        if (has_cap(ACER_CAP_BLUETOOTH)) {

-               kfree(wireless_rfkill->data);
+               kfree(bluetooth_rfkill->data);

                rfkill_unregister(bluetooth_rfkill);
        }
        return;
                rfkill_unregister(bluetooth_rfkill);
        }
        return;