USB: rndis_host: fix crash while probing a Nokia S60 mobile

{

	int			retval;

	struct net_device	*net = dev->net;

	struct cdc_state	*info = (void *) &dev->data;

	union {

		void			*buf;

		struct rndis_msg_hdr	*header;

		return -ENOMEM;

	retval = usbnet_generic_cdc_bind(dev, intf);

	if (retval < 0)

		goto done;

		goto fail;

	net->hard_header_len += sizeof (struct rndis_data_hdr);

	if (unlikely(retval < 0)) {

		/* it might not even be an RNDIS device!! */

		dev_err(&intf->dev, "RNDIS init failed, %d\n", retval);

fail:

		usb_driver_release_interface(driver_of(intf),

			((struct cdc_state *)&(dev->data))->data);

		goto done;

		goto fail_and_release;

	}

	dev->hard_mtu = le32_to_cpu(u.init_c->max_transfer_size);

	/* REVISIT:  peripheral "alignment" request is ignored ... */

	retval = rndis_command(dev, u.header);

	if (unlikely(retval < 0)) {

		dev_err(&intf->dev, "rndis get ethaddr, %d\n", retval);

		goto fail;

		goto fail_and_release;

	}

	tmp = le32_to_cpu(u.get_c->offset);

	if (unlikely((tmp + 8) > (1024 - ETH_ALEN)

		dev_err(&intf->dev, "rndis ethaddr off %d len %d ?\n",

			tmp, le32_to_cpu(u.get_c->len));

		retval = -EDOM;

		goto fail;

		goto fail_and_release;

	}

	memcpy(net->dev_addr, tmp + (char *)&u.get_c->request_id, ETH_ALEN);

	retval = rndis_command(dev, u.header);

	if (unlikely(retval < 0)) {

		dev_err(&intf->dev, "rndis set packet filter, %d\n", retval);

		goto fail;

		goto fail_and_release;

	}

	retval = 0;

done:

	kfree(u.buf);

	return retval;

fail_and_release:

	usb_set_intfdata(info->data, NULL);

	usb_driver_release_interface(driver_of(intf), info->data);

fail:

	kfree(u.buf);

	return retval;

}