From d12a8727171c770990c246f0682f0af7859bb245 Mon Sep 17 00:00:00 2001
From: Pavitrakumar Managutte <pavitra1729@gmail.com>
Date: Wed, 22 Oct 2014 19:24:58 +0530
Subject: usb: gadget: function: Remove redundant usb_free_all_descriptors

Removed usb_free_all_descriptors in the bind functions, which
results in double-free corruption of the descriptors on error path.
The usb descriptors are allocated by usb_assign_descriptors.

Signed-off-by: Pavitrakumar Managutte <pavitra1729@gmail.com>
Reviewed-by: Robert Baldyga <r.baldyga@samsung.com>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Felipe Balbi <balbi@ti.com>
---
 drivers/usb/gadget/function/f_rndis.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'drivers/usb/gadget/function/f_rndis.c')

diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c
index ddb09dc6d1f2..2f0517f5bae3 100644
--- a/drivers/usb/gadget/function/f_rndis.c
+++ b/drivers/usb/gadget/function/f_rndis.c
@@ -803,7 +803,7 @@ rndis_bind(struct usb_configuration *c, struct usb_function *f)
 	if (rndis->manufacturer && rndis->vendorID &&
 			rndis_set_param_vendor(rndis->config, rndis->vendorID,
 					       rndis->manufacturer))
-		goto fail;
+		goto fail_free_descs;
 
 	/* NOTE:  all that is done without knowing or caring about
 	 * the network link ... which is unavailable to this code
@@ -817,10 +817,11 @@ rndis_bind(struct usb_configuration *c, struct usb_function *f)
 			rndis->notify->name);
 	return 0;
 
+fail_free_descs:
+	usb_free_all_descriptors(f);
 fail:
 	kfree(f->os_desc_table);
 	f->os_desc_n = 0;
-	usb_free_all_descriptors(f);
 
 	if (rndis->notify_req) {
 		kfree(rndis->notify_req->buf);
-- 
cgit v1.2.2


From 9b1763553a89b2a84881119eeabfccdb803bb468 Mon Sep 17 00:00:00 2001
From: Pavitrakumar Managutte <pavitra1729@gmail.com>
Date: Wed, 22 Oct 2014 19:33:22 +0530
Subject: usb: gadget: function: Fixed the return value on error path

Fixed the return value on failure. status variable
is set to 0 at usb_assign_descriptors call and the same is
returned on error which is incorrect.

Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Pavitrakumar Managutte <pavitra1729@gmail.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
---
 drivers/usb/gadget/function/f_rndis.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'drivers/usb/gadget/function/f_rndis.c')

diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c
index 2f0517f5bae3..f13fc6a58565 100644
--- a/drivers/usb/gadget/function/f_rndis.c
+++ b/drivers/usb/gadget/function/f_rndis.c
@@ -802,8 +802,10 @@ rndis_bind(struct usb_configuration *c, struct usb_function *f)
 
 	if (rndis->manufacturer && rndis->vendorID &&
 			rndis_set_param_vendor(rndis->config, rndis->vendorID,
-					       rndis->manufacturer))
+					       rndis->manufacturer)) {
+		status = -EINVAL;
 		goto fail_free_descs;
+	}
 
 	/* NOTE:  all that is done without knowing or caring about
 	 * the network link ... which is unavailable to this code
-- 
cgit v1.2.2