USB: ir-usb: fix double free

If the user specifies a custom bulk buffer size we get a double free at
port release.

Cc: stable <stable@kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/usb/serial/ir-usb.c b/drivers/usb/serial/ir-usb.c
index 4a0f51974232cd21b8c673c23659ca5a454c92d1..71bdbe06baff32be117e414dc9d5002e2d0857f6 100644 (file)
--- a/drivers/usb/serial/ir-usb.c
+++ b/drivers/usb/serial/ir-usb.c
@@ -312,6 +312,7 @@ static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
                kfree(port->read_urb->transfer_buffer);
                port->read_urb->transfer_buffer = buffer;
                port->read_urb->transfer_buffer_length = buffer_size;
+               port->bulk_in_buffer = buffer;
 
                buffer = kmalloc(buffer_size, GFP_KERNEL);
                if (!buffer) {
@@ -321,6 +322,7 @@ static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
                kfree(port->write_urb->transfer_buffer);
                port->write_urb->transfer_buffer = buffer;
                port->write_urb->transfer_buffer_length = buffer_size;
+               port->bulk_out_buffer = buffer;
                port->bulk_out_size = buffer_size;
        }