From 3dc27e3392c582d0f5ad20db3690b122a3a236b1 Mon Sep 17 00:00:00 2001
From: Zhen Kong
Date: Fri, 13 Jul 2018 12:02:32 -0700
Subject: [PATCH] qseecom: fix kclient free issue in qseecom_remove

Remove kzfree() after kclient list iteration to avoid invalid pointer deference.

Change-Id: I78922269e219fcb16d3cff05f8b168a75a3c05ae
Signed-off-by: Zhen Kong
---
 drivers/misc/qseecom.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index f0140e8bbe68..e85b2b8972c9 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -8743,11 +8743,11 @@ static int qseecom_remove(struct platform_device *pdev)
 			&qseecom.registered_kclient_list_head, list) {
 		/* Break the loop if client handle is NULL */
-		if (!kclient->handle)
-			goto exit_free_kclient;
-
-		if (list_empty(&kclient->list))
-			goto exit_free_kc_handle;
+		if (!kclient->handle) {
+			list_del(&kclient->list);
+			kzfree(kclient);
+			break;
+		}
 
 		list_del(&kclient->list);
 		mutex_lock(&app_access_lock);
@@ -8760,11 +8760,6 @@ static int qseecom_remove(struct platform_device *pdev)
 		}
 	}
 
-exit_free_kc_handle:
-	kzfree(kclient->handle);
-exit_free_kclient:
-	kzfree(kclient);
-
 	spin_unlock_irqrestore(&qseecom.registered_kclient_list_lock, flags);
 
 	if (qseecom.qseos_version > QSEEE_VERSION_00)
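Review bot: The new NULL-handle branch in the first hunk unlinks and frees the entry and then `break`s, so any clients that follow it on `registered_kclient_list_head` are left registered and are neither unregistered nor freed during remove; if a NULL handle is a per-entry condition rather than a list terminator, `continue` would let the loop finish the remaining entries, which is worth confirming against how an entry ends up with a NULL handle. `list_del(&kclient->list)` is now duplicated in both paths, and hoisting it above the check reads cleaner: `list_del(&kclient->list);` followed by `if (!kclient->handle) { kzfree(kclient); break; }`. The comment above the branch still says only "Break the loop" and no longer matches code that also frees the entry; suggest `/* Unlink and free a client with no handle, then stop iterating */`. Unrelated to this change but visible in the context, `mutex_lock(&app_access_lock)` appears to run while `registered_kclient_list_lock` is held with IRQs disabled (the loop ends with `spin_unlock_irqrestore`), which would be a sleep-in-atomic hazard if that lock is a plain spinlock — worth a look in a follow-up. qseecom_remove starts before and continues after this hunk.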