From: Johan Hovold <jhovold@gmail.com>
Date: Thu, 13 May 2010 19:02:00 +0000 (+0200)
Subject: USB: ir-usb: fix double free
X-Git-Tag: firefly_0821_release~10186^2~1550
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=7c54f6cf0342d52c1b14e06ecbc116419547ef97;p=firefly-linux-kernel-4.4.55.git

USB: ir-usb: fix double free

commit 2ff78c0c2b67120c8e503268da3f177cae2228a2 upstream.

If the user specifies a custom bulk buffer size we get a double free at
port release.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/drivers/usb/serial/ir-usb.c b/drivers/usb/serial/ir-usb.c
index 95d8d26b9a44..2e0497b02260 100644
--- a/drivers/usb/serial/ir-usb.c
+++ b/drivers/usb/serial/ir-usb.c
@@ -312,6 +312,7 @@ static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
 		kfree(port->read_urb->transfer_buffer);
 		port->read_urb->transfer_buffer = buffer;
 		port->read_urb->transfer_buffer_length = buffer_size;
+		port->bulk_in_buffer = buffer;
 
 		buffer = kmalloc(buffer_size, GFP_KERNEL);
 		if (!buffer) {
@@ -321,6 +322,7 @@ static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
 		kfree(port->write_urb->transfer_buffer);
 		port->write_urb->transfer_buffer = buffer;
 		port->write_urb->transfer_buffer_length = buffer_size;
+		port->bulk_out_buffer = buffer;
 		port->bulk_out_size = buffer_size;
 	}