From zaitcev@redhat.com Wed Jun 21 15:01:08 2006
Date: Wed, 21 Jun 2006 15:00:45 -0700
From: Pete Zaitcev <zaitcev@redhat.com>
To: greg@kroah.com
Cc: zaitcev@redhat.com
Subject: USB: fix usb-serial leaks, oopses on disconnect
Message-Id: <20060621150045.aa524555.zaitcev@redhat.com>

This fix addresses two issues:
- Unattached port structures were not freed
- My initial fix for crash when eventd runs a work in a freed port
  did not go far enough

Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/usb/serial/usb-serial.c |   23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

--- gregkh-2.6.orig/drivers/usb/serial/usb-serial.c
+++ gregkh-2.6/drivers/usb/serial/usb-serial.c
@@ -40,6 +40,8 @@
 #define DRIVER_AUTHOR "Greg Kroah-Hartman, greg@kroah.com, http://www.kroah.com/linux/"
 #define DRIVER_DESC "USB Serial Driver core"
 
+static void port_free(struct usb_serial_port *port);
+
 /* Driver structure we register with the USB core */
 static struct usb_driver usb_serial_driver = {
 	.name =		"usbserial",
@@ -146,23 +148,10 @@ static void destroy_serial(struct kref *
 			port = serial->port[i];
 			if (!port)
 				continue;
-			usb_kill_urb(port->read_urb);
-			usb_free_urb(port->read_urb);
-			usb_kill_urb(port->write_urb);
-			usb_free_urb(port->write_urb);
-			usb_kill_urb(port->interrupt_in_urb);
-			usb_free_urb(port->interrupt_in_urb);
-			usb_kill_urb(port->interrupt_out_urb);
-			usb_free_urb(port->interrupt_out_urb);
-			kfree(port->bulk_in_buffer);
-			kfree(port->bulk_out_buffer);
-			kfree(port->interrupt_in_buffer);
-			kfree(port->interrupt_out_buffer);
+			port_free(port);
 		}
 	}
 
-	flush_scheduled_work();		/* port->work */
-
 	usb_put_dev(serial->dev);
 
 	/* free up any memory that we allocated */
@@ -564,6 +553,11 @@ static void port_release(struct device *
 	struct usb_serial_port *port = to_usb_serial_port(dev);
 
 	dbg ("%s - %s", __FUNCTION__, dev->bus_id);
+	port_free(port);
+}
+
+static void port_free(struct usb_serial_port *port)
+{
 	usb_kill_urb(port->read_urb);
 	usb_free_urb(port->read_urb);
 	usb_kill_urb(port->write_urb);
@@ -576,6 +570,7 @@ static void port_release(struct device *
 	kfree(port->bulk_out_buffer);
 	kfree(port->interrupt_in_buffer);
 	kfree(port->interrupt_out_buffer);
+	flush_scheduled_work();		/* port->work */
 	kfree(port);
 }