When es58x_alloc_rx_urbs() fails to allocate the requested number of
URBs but succeeds in allocating some, it returns an error code.
This causes es58x_open() to return early, skipping the cleanup label
'free_urbs', which leads to the anchored URBs being leaked.

As pointed out by maintainer Vincent Mailhol, the driver is designed
to handle partial URB allocation gracefully. Therefore, partial
allocation should not be treated as a fatal error.

Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
allocated, restoring the intended behavior and preventing the leak
in es58x_open().

Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
---
Changes in v2:
- Replaced the cleanup fix in es58x_open() with the logic fix in
  es58x_alloc_rx_urbs() to treat partial allocation as success, as
  suggested by Vincent Mailhol.
---
 drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
index f799233c2b72..2d248deb69dc 100644
--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
+++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
@@ -1736,7 +1736,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev)
 	dev_dbg(dev, "%s: Allocated %d rx URBs each of size %u\n",
 		__func__, i, rx_buf_len);
 
-	return ret;
+	return 0;
 }
 
 /**
-- 
2.52.0

On 23.12.2025 02:17:32, Szymon Wilczek wrote:
> When es58x_alloc_rx_urbs() fails to allocate the requested number of
> URBs but succeeds in allocating some, it returns an error code.
> This causes es58x_open() to return early, skipping the cleanup label
> 'free_urbs', which leads to the anchored URBs being leaked.
>
> As pointed out by maintainer Vincent Mailhol, the driver is designed
> to handle partial URB allocation gracefully. Therefore, partial
> allocation should not be treated as a fatal error.
>
> Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
> allocated, restoring the intended behavior and preventing the leak
> in es58x_open().
>
> Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
> Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
> Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>

Applied to linux-can.

Thanks,
Marc

P.S.: There's no need to send a vN+1 patch as reply to vN

-- 
Pengutronix e.K.                 | Marc Kleine-Budde          |
Embedded Linux                   | https://www.pengutronix.de |
Vertretung Nürnberg              | Phone: +49-5121-206917-129 |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-9   |

On 23/12/2025 at 02:17, Szymon Wilczek wrote:
> When es58x_alloc_rx_urbs() fails to allocate the requested number of
> URBs but succeeds in allocating some, it returns an error code.
> This causes es58x_open() to return early, skipping the cleanup label
> 'free_urbs', which leads to the anchored URBs being leaked.
> 
> As pointed out by maintainer Vincent Mailhol, the driver is designed
> to handle partial URB allocation gracefully. Therefore, partial
> allocation should not be treated as a fatal error.
> 
> Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
> allocated, restoring the intended behavior and preventing the leak
> in es58x_open().
> 
> Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
> Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
> Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>

Thanks for the fix!

Reviewed-by: Vincent Mailhol <mailhol@kernel.org>


Yours sincerely,
Vincent Mailhol