b43legacy: fix use-after-free rfkill bug

Fix rfkill code which caused a use-after-free bug. Thanks to David
Woodhouse for spotting this out.

Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

drivers/net/wireless/b43legacy/rfkill.c

@@ -141,8 +141,11 @@ void b43legacy_rfkill_init(struct b43legacy_wldev *dev)
 	rfk->rfkill->user_claim_unsupported = 1;
 
 	rfk->poll_dev = input_allocate_polled_device();
-	if (!rfk->poll_dev)
+	if (!rfk->poll_dev) {
-		goto err_free_rfk;
+		rfkill_free(rfk->rfkill);
+		goto err_freed_rfk;
+	}
+
 	rfk->poll_dev->private = dev;
 	rfk->poll_dev->poll = b43legacy_rfkill_poll;
 	rfk->poll_dev->poll_interval = 1000; /* msecs */
@@ -178,8 +181,7 @@ void b43legacy_rfkill_init(struct b43legacy_wldev *dev)
 err_free_polldev:
 	input_free_polled_device(rfk->poll_dev);
 	rfk->poll_dev = NULL;
-err_free_rfk:
+err_freed_rfk:
-	rfkill_free(rfk->rfkill);
 	rfk->rfkill = NULL;
 out_error:
 	rfk->registered = 0;
@@ -198,7 +200,6 @@ void b43legacy_rfkill_exit(struct b43legacy_wldev *dev)
 	rfkill_unregister(rfk->rfkill);
 	input_free_polled_device(rfk->poll_dev);
 	rfk->poll_dev = NULL;
-	rfkill_free(rfk->rfkill);
 	rfk->rfkill = NULL;
 }