USB: fix race leading to use after free in io_edgeport

usb_unlink_urb() is asynchronous, therefore an URB's buffer may not
be freed without waiting for the completion handler. This patch switches
to usb_kill_urb(), which is synchronous.
Thanks to Alan for making me look at the remaining users of usb_unlink_urb()


Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Al Borchers <alborchers@steinerpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

drivers/usb/serial/io_edgeport.c

@@ -3046,11 +3046,11 @@ static void edge_shutdown (struct usb_serial *serial)
 	}
 	/* free up our endpoint stuff */
 	if (edge_serial->is_epic) {
-		usb_unlink_urb(edge_serial->interrupt_read_urb);
+		usb_kill_urb(edge_serial->interrupt_read_urb);
 		usb_free_urb(edge_serial->interrupt_read_urb);
 		kfree(edge_serial->interrupt_in_buffer);
 
-		usb_unlink_urb(edge_serial->read_urb);
+		usb_kill_urb(edge_serial->read_urb);
 		usb_free_urb(edge_serial->read_urb);
 		kfree(edge_serial->bulk_in_buffer);
 	}