From c2e31d922c522757be5275c591800f71b6210bc6 Mon Sep 17 00:00:00 2001 From: Chandana Kishori Chiluveru Date: Thu, 15 Dec 2016 19:43:30 +0530 Subject: [PATCH] usb: gadget: f_qc_rndis: Fix double-free in qcrndis_free_inst qcrndis_free_inst function can double free f_qc_rndis pointer. Hence fix this memory bug in qcrndis_free_inst function. Same bool RNDIS flag is used for USB_CONFIGFS_RNDIS and USB_CONFIGFS_QCRNDIS. Add bool Change in Kconfig to differentiate these two different configs. Change-Id: I8e7c4be090107618cd6cbac394a57f109f8a1ced Signed-off-by: Chandana Kishori Chiluveru --- drivers/usb/gadget/Kconfig | 2 +- drivers/usb/gadget/function/f_qc_rndis.c | 13 +------------ 2 files changed, 2 insertions(+), 13 deletions(-) diff --git a/drivers/usb/gadget/Kconfig b/drivers/usb/gadget/Kconfig index 9d9eed2d5d68..b826f926b205 100644 --- a/drivers/usb/gadget/Kconfig +++ b/drivers/usb/gadget/Kconfig @@ -325,7 +325,7 @@ config USB_CONFIGFS_ECM_SUBSET a simple CDC subset is used, placing fewer demands on USB. config USB_CONFIGFS_QCRNDIS - bool "RNDIS" + bool "QCRNDIS" depends on USB_CONFIGFS depends on RNDIS_IPA depends on NET diff --git a/drivers/usb/gadget/function/f_qc_rndis.c b/drivers/usb/gadget/function/f_qc_rndis.c index eb306529981f..b8baa303f20b 100644 --- a/drivers/usb/gadget/function/f_qc_rndis.c +++ b/drivers/usb/gadget/function/f_qc_rndis.c @@ -1320,19 +1320,16 @@ static struct miscdevice rndis_qc_device = { static void qcrndis_free_inst(struct usb_function_instance *f) { - struct f_rndis_qc *rndis; struct f_rndis_qc_opts *opts = container_of(f, struct f_rndis_qc_opts, func_inst); unsigned long flags; - rndis = opts->rndis; misc_deregister(&rndis_qc_device); ipa_data_free(USB_IPA_FUNC_RNDIS); spin_lock_irqsave(&rndis_lock, flags); - kfree(rndis); - _rndis_qc = NULL; kfree(opts->rndis); + _rndis_qc = NULL; kfree(opts); spin_unlock_irqrestore(&rndis_lock, flags); } 
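Review bot: In the rewritten qcrndis_free_inst, `kfree(opts->rndis);` now runs before `_rndis_qc = NULL;`, so the global holds a dangling value until the next statement. That is safe only if every reader of `_rndis_qc` takes `rndis_lock`, which this hunk does not show. Swapping the two lines (`_rndis_qc = NULL;` then `kfree(opts->rndis);`) keeps the double-free fix and removes that assumption. Separately, `misc_deregister(&rndis_qc_device)` does not wait for file descriptors that are already open, so if the misc device's file operations (outside this hunk) reach the object through `_rndis_qc`, they need a NULL check under the same lock.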
@@ -1414,13 +1411,6 @@ static struct usb_function_instance *qcrndis_alloc_inst(void) return &opts->func_inst; } -static void rndis_qc_cleanup(void) -{ - pr_info("rndis QC cleanup\n"); - - misc_deregister(&rndis_qc_device); -} - void *rndis_qc_get_ipa_rx_cb(void) { return rndis_ipa_params.ipa_rx_notify; @@ -1458,7 +1448,6 @@ static int __init usb_qcrndis_init(void) static void __exit usb_qcrndis_exit(void) { usb_function_unregister(&rndis_bamusb_func); - rndis_qc_cleanup(); } module_init(usb_qcrndis_init);