From nobody Mon Feb 9 09:00:19 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7FBF23939A4 for ; Fri, 16 Jan 2026 19:35:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592159; cv=none; b=AIXfzYuFQzmWvXYuwhDjZn5ih0ygN28PfG/YXUX42ltdytjwPT6hO6DgovkoHVOobkMA7eRFE+dutceRJsYzOMz8lOeUdAZDJKjC95bqz0ygjVaF17JA+gPPBwYs1JQd150tExLpFHn19i98JZwnNFkPmxGHN1ZbVreAq7PYm2M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592159; c=relaxed/simple; bh=Y6Uv+ur1n5mR2tRtUap3puYXnHdwmhUIXOsOst/QLS0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=cHPNMbAGas0RqXsTEORTm0VQwi4cx6q6Bk5+aQ6xD5Huo0tidZUSpSXH8bzeDYKOnHRWBgFCzxIU8vdJ3OGMOcoafvdSyhGTIuCZ3tU6Hm5ATt0QgHZ+3h2OcTzC5v3VZBpV9ei6u7LH2Sb+AyDAfVGnIrNi6an1DAfVlqVV8fE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vgpbi-000801-HI; Fri, 16 Jan 2026 20:35:42 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vgpbg-000yK3-0v; Fri, 16 Jan 2026 20:35:39 +0100 Received: from hardanger.blackshift.org (p54b152ce.dip0.t-ipconnect.de [84.177.82.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id 5231E4CEEDF; Fri, 16 Jan 2026 19:35:39 +0000 (UTC) From: Marc Kleine-Budde Date: Fri, 16 Jan 2026 20:35:14 +0100 Subject: [PATCH can v2 1/5] can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260116-can_usb-fix-memory-leak-v2-1-4b8cb2915571@pengutronix.de> References: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> In-Reply-To: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1776; i=mkl@pengutronix.de; h=from:subject:message-id; bh=Y6Uv+ur1n5mR2tRtUap3puYXnHdwmhUIXOsOst/QLS0=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpapMBe3x6e0O3LKm+jnHD1LRid2zMSCwcA/tBk Dc0tk5YcEGJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWqTAQAKCRAMdGXf+ZCR nMyCCACH3hKHbmxOUe4B0/B2FBAUtQd71acX3de2QErfI0rMvOLPXC744iSwhry80Im2Z1BKe8C FP6kQp0pLK3v3DTnR5WH+fqAhyXDHNcInh/bYyDZ7x4BCGYN+nUOyaMUNHmbpehNyWAh9Gqf3Lo Py8SyWrpSlyfEiWKgru5SdOFjjb/UeqVqjq5jp6lwHhffYRBkVQ7lZKOEV3AZF5k/6zRRuuyAYv 8Y1I6MeQthaOIi6y/zW1kQIfYObKf/4A4Ku55jFdJNy1ENg2p5vyyww1SqV70pu80eDmNDZz4od hbC69w9MCtgP6Crx+obz/IrbIoprx5lfa8pdtZrW/ezf5NYw X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close(). Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor. Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB i= nterface") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/ems_usb.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c index de8e212a1366..4c219a5b139b 100644 --- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c @@ -486,11 +486,17 @@ static void ems_usb_read_bulk_callback(struct urb *ur= b) urb->transfer_buffer, RX_BUFFER_SIZE, ems_usb_read_bulk_callback, dev); =20 + usb_anchor_urb(urb, &dev->rx_submitted); + retval =3D usb_submit_urb(urb, GFP_ATOMIC); + if (!retval) + return; + + usb_unanchor_urb(urb); =20 if (retval =3D=3D -ENODEV) netif_device_detach(netdev); - else if (retval) + else netdev_err(netdev, "failed resubmitting read bulk urb: %d\n", retval); } --=20 2.51.0 From nobody Mon Feb 9 09:00:20 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DB2072D73A0 for ; Fri, 16 Jan 2026 19:35:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592160; cv=none; b=WC+GMumWdHnAEkvWzfOGagqqARApcwnzb3xFIOOLJaD6UsnaHmlgnjwKkbX3VH9A5NSif7ZlgQfiioR8XBaXERVWsOxOHl1tRBGVfHqpeWxAm7RHsj76AmDg7HlPM/3PRdOdGls8b9JCA0/S6xK9upKbLIMhLEG5QuFJblZTdfI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592160; c=relaxed/simple; bh=KbWIIEM4ohPRp4DL98wrpV9hcgVfu3ohKMJyFuQCySI=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=SsHixee0SCTlf5KgLHJZ4NfvBmIW0wucwByMsW2HliF62dOFvN+cihA6s1VPgkNxRbpC3QfsNRx6WqfSVi3l5FVwXTLONRXydtfq7hH6zQ6iqZSmApl9ejrnEVmN/VJDhQvm8Gc5+Jkeu9NFDNYzg5kAa2tI2pRZ88fy+Qd3Kjo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vgpbi-000802-HH; Fri, 16 Jan 2026 20:35:42 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vgpbg-000yK4-1C; Fri, 16 Jan 2026 20:35:39 +0100 Received: from hardanger.blackshift.org (p54b152ce.dip0.t-ipconnect.de [84.177.82.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id 62EFD4CEEE0; Fri, 16 Jan 2026 19:35:39 +0000 (UTC) From: Marc Kleine-Budde Date: Fri, 16 Jan 2026 20:35:15 +0100 Subject: [PATCH can v2 2/5] can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260116-can_usb-fix-memory-leak-v2-2-4b8cb2915571@pengutronix.de> References: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> In-Reply-To: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1867; i=mkl@pengutronix.de; h=from:subject:message-id; bh=KbWIIEM4ohPRp4DL98wrpV9hcgVfu3ohKMJyFuQCySI=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpapMDdXADWUgaw9YvJzE/HGUiZn9aD0PXuzjhj +FnbjWikDiJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWqTAwAKCRAMdGXf+ZCR nKv0CACNXLUKTK5r2V9C/Jh9KzpQx79px9NeGVSDQwwitiF2m2cvgmzLC+lHXvX6yNIbJqr5wRg uS9zIH1EDTHvV0nV26lOBfdg9nS4+0M2YCxaisqHQZhujfVm+pAdOcd8sPwlvyDgctrKtjlT0hT MU2LZiHETRa3HeQFwWHo5G6obz+y/AyBeSZHy8tdMspf3AjoLAy0SSLp5y5sKaMHH3RJDF4dZPL BHgmNKjBkQ2a+ckA61my+/f1LzUKX+D+t7pXtCikZM2oaLXcXoIYxyNF0HB0/U/Yf//3J/+N8d+ ZGfdGxqj0RPvOs1YcvfAX/KfKVHhQZzrMpDjD+wztKHsvQ7v X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In esd_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In esd_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in esd_usb_close(). Fix the memory leak by anchoring the URB in the esd_usb_read_bulk_callback() to the dev->rx_submitted anchor. Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/esd_usb.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/usb/esd_usb.c b/drivers/net/can/usb/esd_usb.c index 08da507faef4..8cc924c47042 100644 --- a/drivers/net/can/usb/esd_usb.c +++ b/drivers/net/can/usb/esd_usb.c @@ -541,13 +541,20 @@ static void esd_usb_read_bulk_callback(struct urb *ur= b) urb->transfer_buffer, ESD_USB_RX_BUFFER_SIZE, esd_usb_read_bulk_callback, dev); =20 + usb_anchor_urb(urb, &dev->rx_submitted); + err =3D usb_submit_urb(urb, GFP_ATOMIC); + if (!err) + return; + + usb_unanchor_urb(urb); + if (err =3D=3D -ENODEV) { for (i =3D 0; i < dev->net_count; i++) { if (dev->nets[i]) netif_device_detach(dev->nets[i]->netdev); } - } else if (err) { + } else { dev_err(dev->udev->dev.parent, "failed resubmitting read bulk urb: %pe\n", ERR_PTR(err)); } --=20 2.51.0 From nobody Mon Feb 9 09:00:20 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A0E8B3939AE for ; Fri, 16 Jan 2026 19:35:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592159; cv=none; b=UUxqREyRvVSGc13SI/kyeaYgZLt28v4CWpbJg+t3gurwjo4SvhHEf9DuqQF4dYYUUEXW9dKpzqu2NOel/NMYWrDck439944FtBiZkM5Z4mSg3BrvxIJxt41MTIeIyJqy0m1CdI8lHNke5PtUr6WGBLW26mOAU821mI2Snw2PJ30= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592159; c=relaxed/simple; bh=zHH4+sI9VkLKWmaHTffypGgqFMLyrd7a8GCEonrR1go=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=cEHS6hiUubttvvKk4Z1xZS1S5z8jUxVNnFOv+Mm2OTOaBRBa028VZumR1EYwyRtY+CAJ69Bi6ZfkYKsdY+aMU3l5uXHUdP6WawEmqglf55bElEtVegDUM9DkXD3RX2+EGNge6+U2f/xizHLosOrAOOTXD25OZ0ANwdxqLCk2Iy0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vgpbi-000803-HH; Fri, 16 Jan 2026 20:35:42 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vgpbg-000yK5-1N; Fri, 16 Jan 2026 20:35:39 +0100 Received: from hardanger.blackshift.org (p54b152ce.dip0.t-ipconnect.de [84.177.82.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id 73F974CEEE1; Fri, 16 Jan 2026 19:35:39 +0000 (UTC) From: Marc Kleine-Budde Date: Fri, 16 Jan 2026 20:35:16 +0100 Subject: [PATCH can v2 3/5] can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260116-can_usb-fix-memory-leak-v2-3-4b8cb2915571@pengutronix.de> References: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> In-Reply-To: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=2140; i=mkl@pengutronix.de; h=from:subject:message-id; bh=zHH4+sI9VkLKWmaHTffypGgqFMLyrd7a8GCEonrR1go=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpapMFKRzgtYb63gusilRUJ8jurXP8rjPUl7+Ym EWzeBUEoS+JATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWqTBQAKCRAMdGXf+ZCR nBtqB/wNjsAlp+j/1htaTot/qQ2n1TLAvOIQ4ix+hE71uFz1X4gxh7GyO8J6nuMEJ4u0VDzELp+ JR/G+jMMa60y57VH0b3IVOHBAiXyD0V5oZhqpsuVN96DCrMMvBJhee/Tyfbj0YD7FILnNNuXKkw TLmYD7z8FEixM9Jsp+odvLaH1LUnmI9nFifprN5fDXJZwi1QewbJPJqxogzZmRrB2GUuaSjEFkm eAF5dnzLB1YkGW21gK8NppHf8FCLU6a7FCvNHv/f0Jc+kAQZYhXKZSdMR/8SJLlPxqRR7yJF+X9 utHyAnjRRl+q5Q2jU8KMDF1hcBW1u6Oa05SJTJogGShF8cn+ X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In kvaser_usb_remove_interfaces() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devic= es") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net= /can/usb/kvaser_usb/kvaser_usb_core.c index 62701ec34272..d0a2a2a33c1c 100644 --- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c @@ -361,7 +361,14 @@ static void kvaser_usb_read_bulk_callback(struct urb *= urb) urb->transfer_buffer, KVASER_USB_RX_BUFFER_SIZE, kvaser_usb_read_bulk_callback, dev); =20 + usb_anchor_urb(urb, &dev->rx_submitted); + err =3D usb_submit_urb(urb, GFP_ATOMIC); + if (!err) + return; + + usb_unanchor_urb(urb); + if (err =3D=3D -ENODEV) { for (i =3D 0; i < dev->nchannels; i++) { struct kvaser_usb_net_priv *priv; @@ -372,7 +379,7 @@ static void kvaser_usb_read_bulk_callback(struct urb *u= rb) =20 netif_device_detach(priv->netdev); } - } else if (err) { + } else { dev_err(&dev->intf->dev, "Failed resubmitting read bulk urb: %d\n", err); } --=20 2.51.0 From nobody Mon Feb 9 09:00:20 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2E7F939C643 for ; Fri, 16 Jan 2026 19:35:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592159; cv=none; b=rPqnpLOnnjTUG1rXtDxDX3rC45lo1yHTO2SMSeY7KxUKJldznBfrZUJIMdai4KdampCVhATVFMtNyjmKShuLtwAmxdhveiTmHgfvcD7okNxzQ/h/Jyv4vCDrmrtMI5ZBRRsMjc9b5P9naVZUhc2a5VqWpPWx50pdYutW3sAOckY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592159; c=relaxed/simple; bh=qXFHomxH6ThdcsyxaPXbrxn3x7sls0MHEmxaTfhx8Qg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=CO00kYetbk37S1xVSkaylvlICnF4t4sI/rNl3P4RhXeqQkIWosGa2gE8BihD1Ei+vHg/Hfn38qmTILrAUPDL9MRd6bOUtd5+tTmUAP1u9fwfTywKqQMBNcKJ7GHb5utbgzSaYGNZEA0vGA1V3s4ULeQz1t+68ZDoNy92a6q4ZOM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vgpbi-000804-HJ; Fri, 16 Jan 2026 20:35:42 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vgpbg-000yK8-1X; Fri, 16 Jan 2026 20:35:39 +0100 Received: from hardanger.blackshift.org (p54b152ce.dip0.t-ipconnect.de [84.177.82.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id 82DB54CEEE2; Fri, 16 Jan 2026 19:35:39 +0000 (UTC) From: Marc Kleine-Budde Date: Fri, 16 Jan 2026 20:35:17 +0100 Subject: [PATCH can v2 4/5] can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260116-can_usb-fix-memory-leak-v2-4-4b8cb2915571@pengutronix.de> References: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> In-Reply-To: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1845; i=mkl@pengutronix.de; h=from:subject:message-id; bh=qXFHomxH6ThdcsyxaPXbrxn3x7sls0MHEmxaTfhx8Qg=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpapMHCftZMBpsm3ESnrHH0MdA0TlDQ10hv5vs/ ElSzJ5jvE6JATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWqTBwAKCRAMdGXf+ZCR nMCxB/0RdQkP6n9H89T6X8F1MT5cpnIgin4Pkrqum/PeTcHw+cu03O8YnDBiKeJNqR9IGF0yyDT i4YP+5ekic9dNcfqOdlpGYuvGvbcZaGl3PjUhkFFPViJbvE0rj8bp2Lyt7PIaNIgPJPA5a4mGXf pVKpgGQQ8F2knWY0SywzhQA5b3BvGszQT4vjUg4uoOZ0030FS8KHCfXdOP52EGV68HOTZcYGW2z sE2HqlkzNQ0636GKuM2lQC/SaDM7c8B+y/5/73IZUOoshkntN0LiRH0+JyRZ9+lHQoSe64N52RI uBbuYAvP3/c6w3e4u8ZYJ2porzp3dZm8YyqMzrsth16vPrrP X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor. Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Anal= yzer") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/mcba_usb.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c index 41c0a1c399bf..04170326dc7e 100644 --- a/drivers/net/can/usb/mcba_usb.c +++ b/drivers/net/can/usb/mcba_usb.c @@ -608,11 +608,17 @@ static void mcba_usb_read_bulk_callback(struct urb *u= rb) urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE, mcba_usb_read_bulk_callback, priv); =20 + usb_anchor_urb(urb, &priv->rx_submitted); + retval =3D usb_submit_urb(urb, GFP_ATOMIC); + if (!retval) + return; + + usb_unanchor_urb(urb); =20 if (retval =3D=3D -ENODEV) netif_device_detach(netdev); - else if (retval) + else netdev_err(netdev, "failed resubmitting read bulk urb: %d\n", retval); } --=20 2.51.0 From nobody Mon Feb 9 09:00:20 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7FA5434BA54 for ; Fri, 16 Jan 2026 19:35:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592159; cv=none; b=X6hK41DD8hvSrYaGLrpoHxMTXSiXGh2xR3TW4954+snFKGtiSttsl4ibKaCEcQCNueDxLcwmrMicZczHAzhPX8uJ+lNk5tr5NpvAnhsaaxj3uCHRahkciezbpRLq00Evtw4jrc2r1KkrVRADFOqfjaGv8dURY3uYx0Is2dQUN8U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592159; c=relaxed/simple; bh=ajUWlkXh/WeruZi/fZoonvdk1N6Xwdk976vaNLYbaEI=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=epiCJLq+efILiIdO0PBr4RM6GdrAOc2x/0D9ai/i1RcFb5Bf9xZrN0KOSfPMziKLc9ZsqvRex50dPXjTl7FUBCdLlkXochOE+IfHd8geBEk2ZN35rfSKLGrVeWpuKrR4QRXmFLwTfY/mq8ymiGkAAO3kzo2TGAKeUE9ZacZK5A4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vgpbi-000805-HI; Fri, 16 Jan 2026 20:35:42 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vgpbg-000yKB-1m; Fri, 16 Jan 2026 20:35:39 +0100 Received: from hardanger.blackshift.org (p54b152ce.dip0.t-ipconnect.de [84.177.82.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id 9601E4CEEE3; Fri, 16 Jan 2026 19:35:39 +0000 (UTC) From: Marc Kleine-Budde Date: Fri, 16 Jan 2026 20:35:18 +0100 Subject: [PATCH can v2 5/5] can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260116-can_usb-fix-memory-leak-v2-5-4b8cb2915571@pengutronix.de> References: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> In-Reply-To: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1841; i=mkl@pengutronix.de; h=from:subject:message-id; bh=ajUWlkXh/WeruZi/fZoonvdk1N6Xwdk976vaNLYbaEI=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpapMJL919z3NV/cvyu6WS0eMw8l8h/oh8JD6WN 3MXUVhIQ5GJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWqTCQAKCRAMdGXf+ZCR nInsB/sF2kH/HpMUjXiqJn5r3uD1Xw9LLCopEGGr8Eh2adUpDnZccvkKuAlN5S0q8+6gjW1eUqw +QZuVXhhwZByK5z8ibEvhagAeJZF9Qc6+83HY3ZQaxpTmlunQcGarvTp1EA00BcQR7so8jAO9Va Oxx/kpz1836r4AWMXa5MRnL9QlCcm+XdubyTD+g4l/Rg5LpV7h1U0Fx5DWX4VQGqEbvmhhncBfn 8QN8+63cQS/48ZeO5szX3xwW4BCJ3Soj7tM7Nse0/2lvSzcDIBDgC7acinqchXfFWoGmUZnLNL9 pyjigAJ1O+R79Ctw82noRTbhoX+nrH5UVZ+JW6f9stZKtxqa X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback usb_8dev_read_bulk_callback(), the URBs are processed and resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor. Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from= 8 devices") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/usb_8dev.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c index 7449328f7cd7..3125cf59d002 100644 --- a/drivers/net/can/usb/usb_8dev.c +++ b/drivers/net/can/usb/usb_8dev.c @@ -541,11 +541,17 @@ static void usb_8dev_read_bulk_callback(struct urb *u= rb) urb->transfer_buffer, RX_BUFFER_SIZE, usb_8dev_read_bulk_callback, priv); =20 + usb_anchor_urb(urb, &priv->rx_submitted); + retval =3D usb_submit_urb(urb, GFP_ATOMIC); + if (!retval) + return; + + usb_unanchor_urb(urb); =20 if (retval =3D=3D -ENODEV) netif_device_detach(netdev); - else if (retval) + else netdev_err(netdev, "failed resubmitting read bulk urb: %d\n", retval); } --=20 2.51.0