Linux CAN drivers development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Xiang Mei" <xmei5@asu.edu>
Cc: "Vincent Mailhol" <mailhol@kernel.org>,
	"Oliver Hartkopp" <socketcan@hartkopp.net>,
	"Marc Kleine-Budde" <mkl@pengutronix.de>,
	"Oleksij Rempel" <o.rempel@pengutronix.de>,
	linux-can@vger.kernel.org
Subject: Re: [PATCH net] can: esd_usb: free_candev() after unlink_all_urbs() in disconnect
Date: Sun, 05 Jul 2026 01:13:57 +0000	[thread overview]
Message-ID: <20260705011358.6D2181F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260705010005.1169943-1-xmei5@asu.edu>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Moving `unlink_all_urbs()` before `unregister_netdev()` introduces a memory leak race with `esd_usb_open()` on the RX path.
--

commit f21a9588c02c39e2094757bcdada4fb7aca593c8
Author: Xiang Mei <xmei5@asu.edu>

can: esd_usb: free_candev() after unlink_all_urbs() in disconnect

This commit fixes a slab-use-after-free issue by killing URBs before freeing
the CAN devices.

> diff --git a/drivers/net/can/usb/esd_usb.c b/drivers/net/can/usb/esd_usb.c
> index d257440fa01ff..34c0ca1872839 100644
> --- a/drivers/net/can/usb/esd_usb.c
> +++ b/drivers/net/can/usb/esd_usb.c
> @@ -1385,6 +1385,7 @@ static void esd_usb_disconnect(struct usb_interface *intf)
>  
>  	if (dev) {
>  		dev->in_usb_disconnect = 1;
> +		unlink_all_urbs(dev);

[Severity: Medium]
Does moving unlink_all_urbs() before unregister_netdev() introduce a memory
leak regression by racing with esd_usb_open() on the RX path?

Previously, unregister_netdev() ran first, providing rtnl_lock 
synchronization. Now that unlink_all_urbs() runs before unregister_netdev(),
esd_usb_open() could run concurrently if the interface is brought up at the
exact same time the device is disconnected.

If this race occurs, unlink_all_urbs() could scan the buffers while they are
still NULL:

drivers/net/can/usb/esd_usb.c:unlink_all_urbs() {
        ...
        for (i = 0; i < ESD_USB_MAX_RX_URBS; ++i)
                usb_free_coherent(dev->udev, ESD_USB_RX_BUFFER_SIZE,
                                  dev->rxbuf[i], dev->rxbuf_dma[i]);
        ...
}

And concurrently, esd_usb_setup_rx_urbs() could allocate them immediately
after the check:

drivers/net/can/usb/esd_usb.c:esd_usb_setup_rx_urbs() {
        ...
        dev->rxbuf[i] = buf;
        dev->rxbuf_dma[i] = buf_dma;
        ...
}

Could these newly allocated DMA buffers be permanently leaked since
unlink_all_urbs() has already completed its cleanup pass?

>  		for (i = 0; i < dev->net_count; i++) {
>  			if (dev->nets[i]) {
>  				netdev = dev->nets[i]->netdev;
>  				netdev_info(netdev, "unregister\n");
>  				unregister_netdev(netdev);
>  				free_candev(netdev);
>  			}
>  		}
> -		unlink_all_urbs(dev);
>  		kfree(dev);
>  	}
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260705010005.1169943-1-xmei5@asu.edu?part=1

      reply	other threads:[~2026-07-05  1:13 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-05  1:00 [PATCH net] can: esd_usb: free_candev() after unlink_all_urbs() in disconnect Xiang Mei
2026-07-05  1:13 ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260705011358.6D2181F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-can@vger.kernel.org \
    --cc=mailhol@kernel.org \
    --cc=mkl@pengutronix.de \
    --cc=o.rempel@pengutronix.de \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=socketcan@hartkopp.net \
    --cc=xmei5@asu.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox