From: sashiko-bot@kernel.org
To: "Xiang Mei" <xmei5@asu.edu>
Cc: "Vincent Mailhol" <mailhol@kernel.org>,
"Oliver Hartkopp" <socketcan@hartkopp.net>,
"Marc Kleine-Budde" <mkl@pengutronix.de>,
"Oleksij Rempel" <o.rempel@pengutronix.de>,
linux-can@vger.kernel.org
Subject: Re: [PATCH net] can: esd_usb: free_candev() after unlink_all_urbs() in disconnect
Date: Sun, 05 Jul 2026 01:13:57 +0000 [thread overview]
Message-ID: <20260705011358.6D2181F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260705010005.1169943-1-xmei5@asu.edu>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Moving `unlink_all_urbs()` before `unregister_netdev()` introduces a memory leak race with `esd_usb_open()` on the RX path.
--
commit f21a9588c02c39e2094757bcdada4fb7aca593c8
Author: Xiang Mei <xmei5@asu.edu>
can: esd_usb: free_candev() after unlink_all_urbs() in disconnect
This commit fixes a slab-use-after-free issue by killing URBs before freeing
the CAN devices.
> diff --git a/drivers/net/can/usb/esd_usb.c b/drivers/net/can/usb/esd_usb.c
> index d257440fa01ff..34c0ca1872839 100644
> --- a/drivers/net/can/usb/esd_usb.c
> +++ b/drivers/net/can/usb/esd_usb.c
> @@ -1385,6 +1385,7 @@ static void esd_usb_disconnect(struct usb_interface *intf)
>
> if (dev) {
> dev->in_usb_disconnect = 1;
> + unlink_all_urbs(dev);
[Severity: Medium]
Does moving unlink_all_urbs() before unregister_netdev() introduce a memory
leak regression by racing with esd_usb_open() on the RX path?
Previously, unregister_netdev() ran first, providing rtnl_lock
synchronization. Now that unlink_all_urbs() runs before unregister_netdev(),
esd_usb_open() could run concurrently if the interface is brought up at the
exact same time the device is disconnected.
If this race occurs, unlink_all_urbs() could scan the buffers while they are
still NULL:
drivers/net/can/usb/esd_usb.c:unlink_all_urbs() {
...
for (i = 0; i < ESD_USB_MAX_RX_URBS; ++i)
usb_free_coherent(dev->udev, ESD_USB_RX_BUFFER_SIZE,
dev->rxbuf[i], dev->rxbuf_dma[i]);
...
}
And concurrently, esd_usb_setup_rx_urbs() could allocate them immediately
after the check:
drivers/net/can/usb/esd_usb.c:esd_usb_setup_rx_urbs() {
...
dev->rxbuf[i] = buf;
dev->rxbuf_dma[i] = buf_dma;
...
}
Could these newly allocated DMA buffers be permanently leaked since
unlink_all_urbs() has already completed its cleanup pass?
> for (i = 0; i < dev->net_count; i++) {
> if (dev->nets[i]) {
> netdev = dev->nets[i]->netdev;
> netdev_info(netdev, "unregister\n");
> unregister_netdev(netdev);
> free_candev(netdev);
> }
> }
> - unlink_all_urbs(dev);
> kfree(dev);
> }
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260705010005.1169943-1-xmei5@asu.edu?part=1
prev parent reply other threads:[~2026-07-05 1:13 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-05 1:00 [PATCH net] can: esd_usb: free_candev() after unlink_all_urbs() in disconnect Xiang Mei
2026-07-05 1:13 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260705011358.6D2181F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-can@vger.kernel.org \
--cc=mailhol@kernel.org \
--cc=mkl@pengutronix.de \
--cc=o.rempel@pengutronix.de \
--cc=sashiko-reviews@lists.linux.dev \
--cc=socketcan@hartkopp.net \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox