USB: fix race leading to use after free in io_edgeport

usb_unlink_urb() is asynchronous, therefore an URB's buffer may not
be freed without waiting for the completion handler. This patch switches
to usb_kill_urb(), which is synchronous.
Thanks to Alan for making me look at the remaining users of usb_unlink_urb()

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Al Borchers <alborchers@steinerpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index 4807f960150bd389c58127323e3b5fc350dac62f..056e1923c4de16134bb15b96c9f23e3c694809f6 100644 (file)
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -3046,11 +3046,11 @@ static void edge_shutdown (struct usb_serial *serial)
        }
        /* free up our endpoint stuff */
        if (edge_serial->is_epic) {
-               usb_unlink_urb(edge_serial->interrupt_read_urb);
+               usb_kill_urb(edge_serial->interrupt_read_urb);
                usb_free_urb(edge_serial->interrupt_read_urb);
                kfree(edge_serial->interrupt_in_buffer);
 
-               usb_unlink_urb(edge_serial->read_urb);
+               usb_kill_urb(edge_serial->read_urb);
                usb_free_urb(edge_serial->read_urb);
                kfree(edge_serial->bulk_in_buffer);
        }