From nobody Mon Feb 9 15:24:54 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C5AE329A322 for ; Sat, 10 Jan 2026 17:29:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768066197; cv=none; b=LX55NcGGCPPRu0TndYq5VjnqjT9EoCJvpEmgBtho/cMiqCOmZ6/FL1z9Ci2RSu88U9HcV6J1+ZBFb9TzAskJeZ9dovNBOENE7D4stD+sLJDxtAPwTwigLbkxMdYKsyVf75IsOW1RmcOmAe9/oDfSpXfUvPNWJrhUutEOSBYENbo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768066197; c=relaxed/simple; bh=bugZjGGJr0BTLoSY0RX9evgMGVU7+BDACt3oLqrmfiE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=QszCxGjAQW8xo7yIOe7XRhBBOctnK9vwSemM9+ChBwtBycPPGVtIZb/cYwlvNxyrGD1K24CjgiXQG5XRYvrmnnIfDJVaR176c29MPuo1NaMgNdUIBvyGCJAdVVusCfqCt3rNjKxGiRCw5d67OCOC+DlaPohee2ufvqUnqPoDmQQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vecm5-0004J6-Pt; Sat, 10 Jan 2026 18:29:17 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vecm4-00AEGI-1L; Sat, 10 Jan 2026 18:29:16 +0100 Received: from hardanger.blackshift.org (unknown [IPv6:2a03:2260:2009::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id 8A3FE4CA204; Sat, 10 Jan 2026 17:29:15 +0000 (UTC) From: Marc Kleine-Budde Date: Sat, 10 Jan 2026 18:28:52 +0100 Subject: [PATCH can 1/5] can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260110-can_usb-fix-memory-leak-v1-1-4a7c082a7081@pengutronix.de> References: <20260110-can_usb-fix-memory-leak-v1-0-4a7c082a7081@pengutronix.de> In-Reply-To: <20260110-can_usb-fix-memory-leak-v1-0-4a7c082a7081@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1548; i=mkl@pengutronix.de; h=from:subject:message-id; bh=bugZjGGJr0BTLoSY0RX9evgMGVU7+BDACt3oLqrmfiE=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpYoxh1RY/m8CCCrdFH6QsE8NVCan9otwjYlA5h knVVEoFJfaJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWKMYQAKCRAMdGXf+ZCR nF9xCACGyOVKURclPrLDsexUe/n/a1x8NkErpAFdtu6GkJWryqcUpa2J9wVNcJmHmUvqzS6Tuqa EV2nl8ol0oFVN/s6kRvhEV2pp6/LKlvRP8+Jz+w9TmhJjdS9E1vvFDfwGvGJ9KQZwFwTaXjpj77 hQmXvany86cnKi110PGNVFgEEUlGzMuU3/CtD8U0mX8FTQo4NLmUFBfGtY+H7Z/6e0r9PQjE0zr neQac4OgDyw/CKxoQE4Ls/t9bxzxYh25f5z47dq9CadhEI/mt8USCN1CwhvmUcZtxAqRn88++V7 hkLOUIrAa5picHc30yylDyAjFDBp5qV4D6rkOkxvEML59+cU X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close(). Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor. Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB i= nterface") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/ems_usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c index de8e212a1366..f44737312b04 100644 --- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c @@ -486,6 +486,8 @@ static void ems_usb_read_bulk_callback(struct urb *urb) urb->transfer_buffer, RX_BUFFER_SIZE, ems_usb_read_bulk_callback, dev); =20 + usb_anchor_urb(urb, &dev->rx_submitted); + retval =3D usb_submit_urb(urb, GFP_ATOMIC); =20 if (retval =3D=3D -ENODEV) --=20 2.51.0 From nobody Mon Feb 9 15:24:54 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BEC5C242D66 for ; Sat, 10 Jan 2026 17:29:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768066194; cv=none; b=PLX7Oi1v1GyGJT3nNAfgoWr/oTwn3qFwN0zNPI+h8QksBGZjZUGN/FGmyGR9THdqQFpG2MWGz2d0AlrNOzQJL5zfshVY+11eP8kH9mTn6C8hYYhtIJpP0OPdOPZr4B4oegPYPYEwnbeve6xuUoWrLjOdtKumbKra42EBsxMPxZM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768066194; c=relaxed/simple; bh=JaAlURbUJSKd/Fkv3OFvdiRlVouO9eQ1P0C1SWPD8+o=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ukKJOLDtaIADlZnECDfycZPal12KMPlrdcd2sfrhOw8H76UIVjAN6hefec3WkMCH8Plg9+EtmzLYkheuv4+TnBrfFrhb412HP4uI+TWrC5R9g3hTpM8FaXeyDeTaNtLs3CTImAEWFAYTD1cZuZUWSGV8RqTBZAyURkAkiGMqktw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vecm5-0004J7-Pu; Sat, 10 Jan 2026 18:29:17 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vecm5-00AEGL-0Z; Sat, 10 Jan 2026 18:29:17 +0100 Received: from hardanger.blackshift.org (unknown [IPv6:2a03:2260:2009::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id 4D4AF4CA205; Sat, 10 Jan 2026 17:29:16 +0000 (UTC) From: Marc Kleine-Budde Date: Sat, 10 Jan 2026 18:28:53 +0100 Subject: [PATCH can 2/5] can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260110-can_usb-fix-memory-leak-v1-2-4a7c082a7081@pengutronix.de> References: <20260110-can_usb-fix-memory-leak-v1-0-4a7c082a7081@pengutronix.de> In-Reply-To: <20260110-can_usb-fix-memory-leak-v1-0-4a7c082a7081@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1571; i=mkl@pengutronix.de; h=from:subject:message-id; bh=JaAlURbUJSKd/Fkv3OFvdiRlVouO9eQ1P0C1SWPD8+o=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpYoxjZC9YTOX5h7saCu++eGEpXST6SveIJV7AH BwvqVC6LSKJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWKMYwAKCRAMdGXf+ZCR nOlRB/0aGtkHBDmSTeWq9TkRrU7VATYfPF5fzvtS4KcgFBIjwDunIMb4C/Wk8YFJ0W9kDZjrSea ntFEBC4jorKhD+B4RHI34VBAc5RrVB+mCCcVkSys1rXXQEVNcO55RUnkgNh103SpizED73DOTmS CaVyhBhOB93h52uFN1hz6a5ya1ORRJXAp1mbqgiyUdaOSNhjnycCOzYl+TUIxXoicCM0t1j0hR9 QgTfJUlPJn/K4WV5pkEXLYPMxDM9KONhnRBOnfNXGuHyd0ER7IoWeA69mtaG+ztzLfrfXlEGAfh udjVCrAAm426bs7yj+IB0oO44rJA6//ya5i4fZgQOQcMWwrx X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In esd_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In esd_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in esd_usb_close(). Fix the memory leak by anchoring the URB in the esd_usb_read_bulk_callback() to the dev->rx_submitted anchor. Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/esd_usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/can/usb/esd_usb.c b/drivers/net/can/usb/esd_usb.c index 08da507faef4..dc656b9ab15f 100644 --- a/drivers/net/can/usb/esd_usb.c +++ b/drivers/net/can/usb/esd_usb.c @@ -541,6 +541,8 @@ static void esd_usb_read_bulk_callback(struct urb *urb) urb->transfer_buffer, ESD_USB_RX_BUFFER_SIZE, esd_usb_read_bulk_callback, dev); =20 + usb_anchor_urb(urb, &dev->rx_submitted); + err =3D usb_submit_urb(urb, GFP_ATOMIC); if (err =3D=3D -ENODEV) { for (i =3D 0; i < dev->net_count; i++) { --=20 2.51.0 From nobody Mon Feb 9 15:24:54 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8542D296BD1 for ; Sat, 10 Jan 2026 17:29:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768066198; cv=none; b=jna++zgHsPt4VbxuTSyvk+N+obsUEuRwTReu3ZDIv2TNyMsa1DW7B33IygrhX0wIbJad9U4PppBT4OEK8Q89B5cIF0yJK8AoIK/BFV9ll99lqsPo4X3LCo6ZzzP1tXKJnCMySZu/277SveqY9Nl8aEaGwKoTk27/xHVf4Ei0po0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768066198; c=relaxed/simple; bh=KbzRlV+NZsQXG10eptueM6fP9/Gf2kPzyb3mAiMVPeY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=fzs97PTZI0WNakoTAaazLGF8BVNh89Zlc0B2d4rAOju+E341jhbHH7fUfWQ8wTp7XUTc6BNXoMz2LiKoLLYAkTiMO08ZaSm0+SVGWLVYZaaUMVSYvnjZg0yzB/Ue/rUqEMlirMMd82D43P4AlorjxmOlgWy6VP6ctG00YKspMyA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vecm6-0004JW-9L; Sat, 10 Jan 2026 18:29:18 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vecm5-00AEGO-31; Sat, 10 Jan 2026 18:29:17 +0100 Received: from hardanger.blackshift.org (unknown [IPv6:2a03:2260:2009::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id 128764CA206; Sat, 10 Jan 2026 17:29:17 +0000 (UTC) From: Marc Kleine-Budde Date: Sat, 10 Jan 2026 18:28:54 +0100 Subject: [PATCH can 3/5] can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260110-can_usb-fix-memory-leak-v1-3-4a7c082a7081@pengutronix.de> References: <20260110-can_usb-fix-memory-leak-v1-0-4a7c082a7081@pengutronix.de> In-Reply-To: <20260110-can_usb-fix-memory-leak-v1-0-4a7c082a7081@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1771; i=mkl@pengutronix.de; h=from:subject:message-id; bh=KbzRlV+NZsQXG10eptueM6fP9/Gf2kPzyb3mAiMVPeY=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpYoxkPmj2p7xDEcKLIXSFNo3NoTqD7t4Ka1fkV kj1HNwxVPKJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWKMZAAKCRAMdGXf+ZCR nFspB/4jOevCIMsXPvoc7mWdriuMVjx3ZoMLSU47FFRxiDDrVPLMygIqtjYh/xCU7l6CJjibEfT RL7AN42Yh1P2qHIIPf5hpqEQnqw0err5PA3UCKb5QkhlEyQum3ocSoNxfQ/fe69qPq7X3cqQpK4 sofPm5P9f3kZpg+JRn4/AiVcziLv8OSL4Q74n0iWIi0gcHQIhlFSDvosm/Y66YMEjeSyA824LuU WISNbclJx6uwEmFUBlNLTsK1WJ0Gyh592YWGzeekshUowAcnUPo8dtMR/i1n3ERmN0I5/0Nivb8 BZMYrqMwX1AISz1AhFccKnYffX8h8oPsqHqOQyemnA7zas2m X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In kvaser_usb_remove_interfaces() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devic= es") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net= /can/usb/kvaser_usb/kvaser_usb_core.c index 62701ec34272..0da0abb0bebe 100644 --- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c @@ -361,6 +361,8 @@ static void kvaser_usb_read_bulk_callback(struct urb *u= rb) urb->transfer_buffer, KVASER_USB_RX_BUFFER_SIZE, kvaser_usb_read_bulk_callback, dev); =20 + usb_anchor_urb(urb, &dev->rx_submitted); + err =3D usb_submit_urb(urb, GFP_ATOMIC); if (err =3D=3D -ENODEV) { for (i =3D 0; i < dev->nchannels; i++) { --=20 2.51.0 From nobody Mon Feb 9 15:24:54 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C59EE299AB4 for ; Sat, 10 Jan 2026 17:29:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768066194; cv=none; b=Pu5AQlnRg0HSAmLP/ACxht72TaI9OQ13fgFqiDPqEGhLwyLWJ3G0mVzFpHNT3W+TCxmWDryx8E7RAMcU4fhzefI8UJMFXz3/bbJJLLaVYMf/+yLgidRHGIrPWYDDvUHOgS/dCw/MiSOcM/HKN6dZDfqlFbkSUUzIDFJI622hgtc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768066194; c=relaxed/simple; bh=koysSqIyAprpgVYcIbn8PnOX0DFwnfb5nrK0mnVJAAg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=suCAO/AGQb2a2yIA4VQEOAyiRd0q7HVhYv1mSckeK0aRfVx7m/AwaPVeTX5rx9vjqGkIpmB0CexGMkYYdppkwuPZ1F5pterALBL8TYD6LUyPXa0xnkMDje+Z5H1aSVAo6EhodGBlwBj5YjFO24En8jMvNMu2VDNOZi9r1xSyVlo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vecm7-0004Jf-43; Sat, 10 Jan 2026 18:29:19 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vecm6-00AEGV-2T; Sat, 10 Jan 2026 18:29:18 +0100 Received: from hardanger.blackshift.org (unknown [IPv6:2a03:2260:2009::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id D930D4CA207; Sat, 10 Jan 2026 17:29:17 +0000 (UTC) From: Marc Kleine-Budde Date: Sat, 10 Jan 2026 18:28:55 +0100 Subject: [PATCH can 4/5] can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260110-can_usb-fix-memory-leak-v1-4-4a7c082a7081@pengutronix.de> References: <20260110-can_usb-fix-memory-leak-v1-0-4a7c082a7081@pengutronix.de> In-Reply-To: <20260110-can_usb-fix-memory-leak-v1-0-4a7c082a7081@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1617; i=mkl@pengutronix.de; h=from:subject:message-id; bh=koysSqIyAprpgVYcIbn8PnOX0DFwnfb5nrK0mnVJAAg=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpYoxmG24G6TxcPw4xtDSUp6kZ2WwerLowtWsQT iaG32saY3CJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWKMZgAKCRAMdGXf+ZCR nC+GCACRt/SO7xRRzuBE27Vk5jslFTtJs25PbFGFIJIlP1QDV/TbpVN6jYBRQdqNf6+tIDKLy0R bfuYJh9F32OyIqpq+gTvntUwcGM+tlnikWQ6+2PVqY2ckRVe8MknDi+USd/mh6orHboL/uvjvnY UqzvgAf9VWIEZIzK0mW6eUhmCh1/JTIb3JuXdxobTMCetYKxIk+NVc/F9uHHoe0vCtXZHLLX6ah cT3ZU8N3VHLD/g6Lz6IhtS6LVq5qKTXqGK9+3/vOi5iPd/Tp4iPbrH4tV/zhukBwHueZ86Y3mgB XTeVShgro94wK8nwmBh5dNPpRaB/xUO1bzeijJOMs4iKEXVU X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor. Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Anal= yzer") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/mcba_usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c index 41c0a1c399bf..33d32966eb87 100644 --- a/drivers/net/can/usb/mcba_usb.c +++ b/drivers/net/can/usb/mcba_usb.c @@ -608,6 +608,8 @@ static void mcba_usb_read_bulk_callback(struct urb *urb) urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE, mcba_usb_read_bulk_callback, priv); =20 + usb_anchor_urb(urb, &priv->rx_submitted); + retval =3D usb_submit_urb(urb, GFP_ATOMIC); =20 if (retval =3D=3D -ENODEV) --=20 2.51.0 From nobody Mon Feb 9 15:24:54 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8B81929AAF8 for ; Sat, 10 Jan 2026 17:29:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768066197; cv=none; b=IG2rXuSsYOBG+kyOUoYWnQplIKIUsajvVgmPSxeaBOQ8DHO4mr9UBJQGNXRdbbIDrfp2ln3KR0H4KSinneJ0HlAn/s2CDORE+7XA36EulXP69yAmcTYuP0ZjLoajbco6MWFZ8QUHBbSNPeros3ULodNcvduzprTf7D+a3CJwT/E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768066197; c=relaxed/simple; bh=3EgaE++Z5C+HH/5AV78kZyWIMoDtSGh5zMd6nygDiwA=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=p9L44IN924Tag/YJyipMhJsCsAnLNw+YAGh7FNMI72BU5F7AAuKN2dZVbMv3TrIEVC6Wa+fJLngWTSH5B3tgUkrgsXKuLXPIypLZWT4tX5pzvrrTMio4682xZkjZ2X4+2MwdYalxGD2eOtmSUbc77Vu7IoX9m+XiNXd0+EvCyTA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vecm7-0004Jo-T9; Sat, 10 Jan 2026 18:29:19 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vecm7-00AEGZ-1l; Sat, 10 Jan 2026 18:29:19 +0100 Received: from hardanger.blackshift.org (unknown [IPv6:2a03:2260:2009::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id A2DF94CA208; Sat, 10 Jan 2026 17:29:18 +0000 (UTC) From: Marc Kleine-Budde Date: Sat, 10 Jan 2026 18:28:56 +0100 Subject: [PATCH can 5/5] can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260110-can_usb-fix-memory-leak-v1-5-4a7c082a7081@pengutronix.de> References: <20260110-can_usb-fix-memory-leak-v1-0-4a7c082a7081@pengutronix.de> In-Reply-To: <20260110-can_usb-fix-memory-leak-v1-0-4a7c082a7081@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1616; i=mkl@pengutronix.de; h=from:subject:message-id; bh=3EgaE++Z5C+HH/5AV78kZyWIMoDtSGh5zMd6nygDiwA=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpYoxofF/0iTljBo2zuI1zmf1QmmIcb3NblJSYh QGTjjzPBvmJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWKMaAAKCRAMdGXf+ZCR nGyiB/9iQYl3aFkXGZFpD8mLB91RMysUul7kkUVWmet55TrGF//icbvtI63JZeMZbm1zUyy3WNg x+Vu7C5w9djvy/7BvqS+HBSJ8B0SXTp6SH+7zkwI8oofW22IfyLm/TTbZJAchELWNi82i7bGd7/ 72WLOHAbnDYoXaoLRQ2429PsS9+ML8lslKlqdJVyTu3BVtNTTSQ3JVO/fFWy339E/nkEFYaSGRr iEOWogruhszdYOgMbQOi9K635lRljCcbwuANDWadAnnsjrLgZwW2XYcwTKCcUa5ckDS0rL3mCu9 z3Bzoencq2EE3M+b9uHu/W66rcCK5Y45c7tqigtNy5ZhZhkj X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback usb_8dev_read_bulk_callback(), the URBs are processed and resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor. Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from= 8 devices") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/usb_8dev.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c index 7449328f7cd7..f5896416a780 100644 --- a/drivers/net/can/usb/usb_8dev.c +++ b/drivers/net/can/usb/usb_8dev.c @@ -541,6 +541,8 @@ static void usb_8dev_read_bulk_callback(struct urb *urb) urb->transfer_buffer, RX_BUFFER_SIZE, usb_8dev_read_bulk_callback, priv); =20 + usb_anchor_urb(urb, &priv->rx_submitted); + retval =3D usb_submit_urb(urb, GFP_ATOMIC); =20 if (retval =3D=3D -ENODEV) --=20 2.51.0