Message-Id: <20260110-can_usb-fix-memory-leak-v1-4-4a7c082a7081@pengutronix.de>
Date: Sat, 10 Jan 2026 18:28:55 +0100
From: Marc Kleine-Budde <mkl@...gutronix.de>
To: Vincent Mailhol <mailhol@...nel.org>, 
 Wolfgang Grandegger <wg@...ndegger.com>, 
 Sebastian Haas <haas@...-wuensche.com>, 
 "David S. Miller" <davem@...emloft.net>, 
 Frank Jungclaus <frank.jungclaus@....eu>, socketcan@....eu, 
 Yasushi SHOJI <yashi@...cecubics.com>, Daniel Berglund <db@...ser.com>, 
 Olivier Sobrie <olivier@...rie.be>, 
 Remigiusz Kołłątaj <remigiusz.kollataj@...ica.com>, 
 Bernd Krumboeck <b.krumboeck@...il.com>
Cc: kernel@...gutronix.de, linux-can@...r.kernel.org, 
 linux-kernel@...r.kernel.org, Marc Kleine-Budde <mkl@...gutronix.de>, 
 stable@...r.kernel.org
Subject: [PATCH can 4/5] can: mcba_usb: mcba_usb_read_bulk_callback(): fix
 URB memory leak

Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").

In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback mcba_usb_read_bulk_callback(), the URBs are processed and
resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).

However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().

Fix the memory leak by anchoring the URB in the
mcba_usb_read_bulk_callback() to the priv->rx_submitted anchor.

Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
Cc: stable@...r.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@...gutronix.de>
---
 drivers/net/can/usb/mcba_usb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
index 41c0a1c399bf..33d32966eb87 100644
--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -608,6 +608,8 @@ static void mcba_usb_read_bulk_callback(struct urb *urb)
 			  urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE,
 			  mcba_usb_read_bulk_callback, priv);
 
+	usb_anchor_urb(urb, &priv->rx_submitted);
+
 	retval = usb_submit_urb(urb, GFP_ATOMIC);
 
 	if (retval == -ENODEV)
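
Review bot: The failure path of usb_submit_urb() right after the new usb_anchor_urb() call is not covered by this hunk: only the `retval == -ENODEV` check is visible, and no usb_unanchor_urb(urb) is added. If the submit fails, the URB stays on priv->rx_submitted without being in flight. If that is intended, so that usb_kill_anchored_urbs(&priv->rx_submitted) in the close path still releases it, please say so in the commit message or a short comment above the anchor call; otherwise add usb_unanchor_urb(urb) for a non-zero retval.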

-- 
2.51.0

