tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak

Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").

In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the
URBs for USB-in transfers are allocated, added to the dev->rx_submitted
anchor and submitted. In the complete callback
kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
kvaser_usb_remove_interfaces() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).

However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().

Fix the memory leak by anchoring the URB in the
kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.

Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-3-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

Marc Kleine-Budde 248e8e1a 5a4391bd

+8 -1
+8 -1
drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
··· 361 361 urb->transfer_buffer, KVASER_USB_RX_BUFFER_SIZE, 362 362 kvaser_usb_read_bulk_callback, dev); 363 363 364 + usb_anchor_urb(urb, &dev->rx_submitted); 365 + 364 366 err = usb_submit_urb(urb, GFP_ATOMIC); 367 + if (!err) 368 + return; 369 + 370 + usb_unanchor_urb(urb); 371 + 365 372 if (err == -ENODEV) { 366 373 for (i = 0; i < dev->nchannels; i++) { 367 374 struct kvaser_usb_net_priv *priv; ··· 379 372 380 373 netif_device_detach(priv->netdev); 381 374 } 382 - } else if (err) { 375 + } else { 383 376 dev_err(&dev->intf->dev, 384 377 "Failed resubmitting read bulk urb: %d\n", err); 385 378 }