From nobody Tue Feb 10 05:46:03 2026 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7FBF23939A4 for ; Fri, 16 Jan 2026 19:35:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592159; cv=none; b=AIXfzYuFQzmWvXYuwhDjZn5ih0ygN28PfG/YXUX42ltdytjwPT6hO6DgovkoHVOobkMA7eRFE+dutceRJsYzOMz8lOeUdAZDJKjC95bqz0ygjVaF17JA+gPPBwYs1JQd150tExLpFHn19i98JZwnNFkPmxGHN1ZbVreAq7PYm2M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768592159; c=relaxed/simple; bh=Y6Uv+ur1n5mR2tRtUap3puYXnHdwmhUIXOsOst/QLS0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=cHPNMbAGas0RqXsTEORTm0VQwi4cx6q6Bk5+aQ6xD5Huo0tidZUSpSXH8bzeDYKOnHRWBgFCzxIU8vdJ3OGMOcoafvdSyhGTIuCZ3tU6Hm5ATt0QgHZ+3h2OcTzC5v3VZBpV9ei6u7LH2Sb+AyDAfVGnIrNi6an1DAfVlqVV8fE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vgpbi-000801-HI; Fri, 16 Jan 2026 20:35:42 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vgpbg-000yK3-0v; Fri, 16 Jan 2026 20:35:39 +0100 Received: from hardanger.blackshift.org (p54b152ce.dip0.t-ipconnect.de [84.177.82.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id 5231E4CEEDF; Fri, 16 Jan 2026 19:35:39 +0000 (UTC) From: Marc Kleine-Budde Date: Fri, 16 Jan 2026 20:35:14 +0100 Subject: [PATCH can v2 1/5] can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260116-can_usb-fix-memory-leak-v2-1-4b8cb2915571@pengutronix.de> References: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> In-Reply-To: <20260116-can_usb-fix-memory-leak-v2-0-4b8cb2915571@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Sebastian Haas , "David S. Miller" , Frank Jungclaus , socketcan@esd.eu, Yasushi SHOJI , Daniel Berglund , Olivier Sobrie , =?utf-8?q?Remigiusz_Ko=C5=82=C5=82=C4=85taj?= , Bernd Krumboeck Cc: kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde , stable@vger.kernel.org X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1776; i=mkl@pengutronix.de; h=from:subject:message-id; bh=Y6Uv+ur1n5mR2tRtUap3puYXnHdwmhUIXOsOst/QLS0=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpapMBe3x6e0O3LKm+jnHD1LRid2zMSCwcA/tBk Dc0tk5YcEGJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaWqTAQAKCRAMdGXf+ZCR nMyCCACH3hKHbmxOUe4B0/B2FBAUtQd71acX3de2QErfI0rMvOLPXC744iSwhry80Im2Z1BKe8C FP6kQp0pLK3v3DTnR5WH+fqAhyXDHNcInh/bYyDZ7x4BCGYN+nUOyaMUNHmbpehNyWAh9Gqf3Lo Py8SyWrpSlyfEiWKgru5SdOFjjb/UeqVqjq5jp6lwHhffYRBkVQ7lZKOEV3AZF5k/6zRRuuyAYv 8Y1I6MeQthaOIi6y/zW1kQIfYObKf/4A4Ku55jFdJNy1ENg2p5vyyww1SqV70pu80eDmNDZz4od hbC69w9MCtgP6Crx+obz/IrbIoprx5lfa8pdtZrW/ezf5NYw X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close(). Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor. Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB i= nterface") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/ems_usb.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c index de8e212a1366..4c219a5b139b 100644 --- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c @@ -486,11 +486,17 @@ static void ems_usb_read_bulk_callback(struct urb *ur= b) urb->transfer_buffer, RX_BUFFER_SIZE, ems_usb_read_bulk_callback, dev); =20 + usb_anchor_urb(urb, &dev->rx_submitted); + retval =3D usb_submit_urb(urb, GFP_ATOMIC); + if (!retval) + return; + + usb_unanchor_urb(urb); =20 if (retval =3D=3D -ENODEV) netif_device_detach(netdev); - else if (retval) + else netdev_err(netdev, "failed resubmitting read bulk urb: %d\n", retval); } --=20 2.51.0