From 83cf9f50cda5ab3f99055242bebbcb26d96319ad Mon Sep 17 00:00:00 2001
From: Jack Pham
Date: Wed, 6 Aug 2014 19:52:49 -0700
Subject: [PATCH] usb: gadget: qc_rndis: Properly handle rndis_ipa_init failure

Currently if rndis_ipa_init() fails port->func doesn't get removed from the configuration list, and will lead to a use-after-free when the calling function later tries to remove the function. Fix this to handle the failure gracefully and only call usb_add_function() if it succeeded.

Bug: 35136547
Change-Id: I2ad0dfeaea6b5b6ba1e47aad564ac052348677e6
Signed-off-by: Jack Pham
---
 drivers/usb/gadget/f_qc_rndis.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/drivers/usb/gadget/f_qc_rndis.c b/drivers/usb/gadget/f_qc_rndis.c
index dfa3dd6ed18dd..819bde5072a39 100644
--- a/drivers/usb/gadget/f_qc_rndis.c
+++ b/drivers/usb/gadget/f_qc_rndis.c
@@ -1206,25 +1206,27 @@ rndis_qc_bind_config_vendor(struct usb_configuration *c, u8 ethaddr[ETH_ALEN],
 
 _rndis_qc = rndis;
 
+ if (rndis->xport == USB_GADGET_XPORT_BAM2BAM_IPA) {
+ status = rndis_ipa_init(&rndis_ipa_params);
+ if (status) {
+ pr_err("%s: failed to init rndis_ipa\n", __func__);
+ goto fail;
+ }
+ }
+
 status = usb_add_function(c, &rndis->port.func);
 if (status) {
- kfree(rndis);
+ if (rndis->xport == USB_GADGET_XPORT_BAM2BAM_IPA)
+ rndis_ipa_cleanup(rndis_ipa_params.private);
 goto fail;
 }
 
 if (rndis->xport != USB_GADGET_XPORT_BAM2BAM_IPA)
 return status;
 
- status = rndis_ipa_init(&rndis_ipa_params);
- if (status) {
- pr_err("%s: failed to initialize rndis_ipa\n", __func__);
- kfree(rndis);
- goto fail;
- } else {
- pr_debug("%s: rndis_ipa successful created\n", __func__);
- return status;
- }
 fail:
+ kfree(rndis);
+ _rndis_qc = NULL;
 rndis_exit();
 return status;
 }
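Review bot: On the success path for USB_GADGET_XPORT_BAM2BAM_IPA, control now falls through into `fail:`, because the unchanged `if (rndis->xport != USB_GADGET_XPORT_BAM2BAM_IPA) return status;` only returns for the other transports and the removed `else { ... return status; }` was the IPA success return. With `kfree(rndis); _rndis_qc = NULL;` now under `fail:`, a successful IPA bind would free the object whose `port.func` usb_add_function() has just added to the configuration and still return 0. That is the same use-after-free class this commit sets out to remove. Replacing the conditional return with an unconditional `return 0;` directly before `fail:` would close it. The function begins outside the hunk, so it is also worth confirming that every earlier `goto fail` reaches the label with `rndis` either NULL or validly allocated, now that the kfree lives there.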