From: Dan Carpenter <error27@gmail.com>
Date: Sat, 14 Feb 2009 09:53:48 +0000 (+0000)
Subject: acer-wmi: double free in acer_rfkill_exit()
X-Git-Tag: v2.6.29~33^2^2~4
X-Git-Url: http://ftp.safe.ca/?p=safe%2Fjmp%2Flinux-2.6;a=commitdiff_plain;h=013d67fd4f0da8f6af60a376f1a254266ab658ef;ds=sidebyside

acer-wmi: double free in acer_rfkill_exit()

This is acer_rfkill_exit() from drivers/platform/x86/acer-wmi.c.

The code frees wireless_rfkill->data again instead of
bluetooth_rfkill->data.

This was found using a code checker (http://repo.or.cz/w/smatch.git/).

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Carlos Corbacho <carlos@strangeworlds.co.uk>
Signed-off-by: Len Brown <len.brown@intel.com>
---

diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
index 6bcca61..a6a42e8 100644
--- a/drivers/platform/x86/acer-wmi.c
+++ b/drivers/platform/x86/acer-wmi.c
@@ -1026,7 +1026,7 @@ static void acer_rfkill_exit(void)
 	kfree(wireless_rfkill->data);
 	rfkill_unregister(wireless_rfkill);
 	if (has_cap(ACER_CAP_BLUETOOTH)) {
-		kfree(wireless_rfkill->data);
+		kfree(bluetooth_rfkill->data);
 		rfkill_unregister(bluetooth_rfkill);
 	}
 	return;