[PATCH can] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak

Marc Kleine-Budde posted 1 patch 1 month, 2 weeks ago
There is a newer version of this series
drivers/net/can/usb/gs_usb.c | 2 ++
1 file changed, 2 insertions(+)
[PATCH can] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
Posted by Marc Kleine-Budde 1 month, 2 weeks ago
In gs_can_open(), the URBs for USB-in transfers are allocated, added to the
parent->rx_submitted anchor and submitted. In the complete callback
gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In
gs_can_close() the URBs are freed by calling
usb_kill_anchored_urbs(parent->rx_submitted).

However, this does not take into account that the USB framework
unanchors the URB before the close function is called. This means that
once an in-URB has been completed, it is no longer anchored and is
ultimately not released in gs_can_close().

Fix the memory leak by anchoring the URB in the
gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.

Fixes: f16623a04943 ("can: gs_usb: fix")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/gs_usb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index a0233e550a5a..d093babbc320 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -751,6 +751,8 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
 			  hf, parent->hf_size_rx,
 			  gs_usb_receive_bulk_callback, parent);
 
+	usb_anchor_urb(urb, &parent->rx_submitted);
+
 	rc = usb_submit_urb(urb, GFP_ATOMIC);
 
 	/* USB failure take down all interfaces */
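Review bot: The usb_anchor_urb() call added just before usb_submit_urb() has no matching unanchor for the case where the submit fails. The error handling that starts at the "USB failure take down all interfaces" comment is outside the visible context, so please confirm it calls usb_unanchor_urb(urb) when rc is non-zero; otherwise a URB that was never resubmitted stays on parent->rx_submitted. The usual ordering is anchor, submit, then unanchor on error, so that the anchor only tracks URBs that are actually in flight. A short comment above the new line saying that the URB arrives in the completion callback already unanchored would also help, since that is the non-obvious fact the fix depends on.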

---
base-commit: 6402078bd9d1ed46e79465e1faaa42e3458f8a33
change-id: 20251225-gs_usb-fix-memory-leak-062c24898cc9

Best regards,
--  
Marc Kleine-Budde <mkl@pengutronix.de>
Re: [PATCH can] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
Posted by Marc Kleine-Budde 1 month, 2 weeks ago
On 25.12.2025 15:05:43, Marc Kleine-Budde wrote:
> In gs_can_open(), the URBs for USB-in transfers are allocated, added to the
> parent->rx_submitted anchor and submitted. In the complete callback
> gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In
> gs_can_close() the URBs are freed by calling
> usb_kill_anchored_urbs(parent->rx_submitted).
>
> However, this does not take into account that the USB framework
> unanchors the URB before the close function is called. This means that
> once an in-URB has been completed, it is no longer anchored and is
> ultimately not released in gs_can_close().
>
> Fix the memory leak by anchoring the URB in the
> gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.
>
> Fixes: f16623a04943 ("can: gs_usb: fix")

That should have been:
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")

fixed in v2 + add stable on Cc.

regards,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde          |
Embedded Linux                   | https://www.pengutronix.de |
Vertretung Nürnberg              | Phone: +49-5121-206917-129 |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-9   |