* [PATCH 5.15.y v2 0/3] Backport to fix CVE-2026-23031 in 5.15
@ 2026-04-03 1:36 Ruohan Lan
2026-04-03 1:36 ` [PATCH 5.15.y v2 1/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak Ruohan Lan
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Ruohan Lan @ 2026-04-03 1:36 UTC (permalink / raw)
To: gregkh, stable; +Cc: mkl, linux-can, Ruohan Lan
v1->v2: Append the following two commits suggested by Marc Kleine-Budde
mkl@pengutronix.de, thank you. :
79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
494fc029f662 ("can: gs_usb: gs_usb_receive_bulk_callback(): fix error message")
Marc Kleine-Budde (3):
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on
usb_submit_urb() error
can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
drivers/net/can/usb/gs_usb.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--
2.43.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 5.15.y v2 1/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
2026-04-03 1:36 [PATCH 5.15.y v2 0/3] Backport to fix CVE-2026-23031 in 5.15 Ruohan Lan
@ 2026-04-03 1:36 ` Ruohan Lan
2026-04-03 1:36 ` [PATCH 5.15.y v2 2/3] can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error Ruohan Lan
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Ruohan Lan @ 2026-04-03 1:36 UTC (permalink / raw)
To: gregkh, stable; +Cc: mkl, linux-can, Ruohan Lan
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit 7352e1d5932a0e777e39fa4b619801191f57e603 ]
In gs_can_open(), the URBs for USB-in transfers are allocated, added to the
parent->rx_submitted anchor and submitted. In the complete callback
gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In
gs_can_close() the URBs are freed by calling
usb_kill_anchored_urbs(parent->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in gs_can_close().
Fix the memory leak by anchoring the URB in the
gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260105-gs_usb-fix-memory-leak-v2-1-cc6ed6438034@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
[ The variable usbcan was renamed to parent in
commit b6980ad3a90c ("can: gs_usb: uniformly use "parent" as variable name for struct gs_usb")
introduced in v6.6. To backport to v5.15, replace parent with usbcan. ]
Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
---
drivers/net/can/usb/gs_usb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index ffa2a4d92d01..acffe11a0ae1 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -402,6 +402,8 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
usbcan
);
+ usb_anchor_urb(urb, &usbcan->rx_submitted);
+
rc = usb_submit_urb(urb, GFP_ATOMIC);
/* USB failure take down all interfaces */
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 5.15.y v2 2/3] can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error
2026-04-03 1:36 [PATCH 5.15.y v2 0/3] Backport to fix CVE-2026-23031 in 5.15 Ruohan Lan
2026-04-03 1:36 ` [PATCH 5.15.y v2 1/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak Ruohan Lan
@ 2026-04-03 1:36 ` Ruohan Lan
2026-04-03 1:36 ` [PATCH 5.15.y v2 3/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix error message Ruohan Lan
2026-04-08 10:52 ` [PATCH 5.15.y v2 1/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak Sasha Levin
3 siblings, 0 replies; 5+ messages in thread
From: Ruohan Lan @ 2026-04-03 1:36 UTC (permalink / raw)
To: gregkh, stable; +Cc: mkl, linux-can, Jakub Kicinski, Ruohan Lan
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 ]
In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix
URB memory leak"), the URB was re-anchored before usb_submit_urb() in
gs_usb_receive_bulk_callback() to prevent a leak of this URB during
cleanup.
However, this patch did not take into account that usb_submit_urb() could
fail. The URB remains anchored and
usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops
infinitely since the anchor list never becomes empty.
To fix the bug, unanchor the URB when an usb_submit_urb() error occurs,
also print an info message.
Fixes: 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/all/20260110223836.3890248-1-kuba@kernel.org/
Link: https://patch.msgid.link/20260116-can_usb-fix-reanchor-v1-1-9d74e7289225@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
---
drivers/net/can/usb/gs_usb.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index acffe11a0ae1..134f830508d9 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -405,6 +405,10 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
usb_anchor_urb(urb, &usbcan->rx_submitted);
rc = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!rc)
+ return;
+
+ usb_unanchor_urb(urb);
/* USB failure take down all interfaces */
if (rc == -ENODEV) {
@@ -413,6 +417,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
if (usbcan->canch[rc])
netif_device_detach(usbcan->canch[rc]->netdev);
}
+ } else if (rc != -ESHUTDOWN && net_ratelimit()) {
+ netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
+ ERR_PTR(urb->status));
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 5.15.y v2 3/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
2026-04-03 1:36 [PATCH 5.15.y v2 0/3] Backport to fix CVE-2026-23031 in 5.15 Ruohan Lan
2026-04-03 1:36 ` [PATCH 5.15.y v2 1/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak Ruohan Lan
2026-04-03 1:36 ` [PATCH 5.15.y v2 2/3] can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error Ruohan Lan
@ 2026-04-03 1:36 ` Ruohan Lan
2026-04-08 10:52 ` [PATCH 5.15.y v2 1/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak Sasha Levin
3 siblings, 0 replies; 5+ messages in thread
From: Ruohan Lan @ 2026-04-03 1:36 UTC (permalink / raw)
To: gregkh, stable; +Cc: mkl, linux-can, Jakub Kicinski, Ruohan Lan
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit 494fc029f662c331e06b7c2031deff3c64200eed ]
Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
an info message.
In the case of a short read where netdev has not yet been assigned,
initialize as NULL to avoid dereferencing an undefined value. Also report
the error value of the failed resubmit.
Fixes: 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/all/20260119181904.1209979-1-kuba@kernel.org/
Link: https://patch.msgid.link/20260120-gs_usb-fix-error-message-v1-1-6be04de572bc@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
---
drivers/net/can/usb/gs_usb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index 134f830508d9..fd9a06850c95 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -297,7 +297,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
{
struct gs_usb *usbcan = urb->context;
struct gs_can *dev;
- struct net_device *netdev;
+ struct net_device *netdev = NULL;
int rc;
struct net_device_stats *stats;
struct gs_host_frame *hf = urb->transfer_buffer;
@@ -419,7 +419,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
}
} else if (rc != -ESHUTDOWN && net_ratelimit()) {
netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
- ERR_PTR(urb->status));
+ ERR_PTR(rc));
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 5.15.y v2 1/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
2026-04-03 1:36 [PATCH 5.15.y v2 0/3] Backport to fix CVE-2026-23031 in 5.15 Ruohan Lan
` (2 preceding siblings ...)
2026-04-03 1:36 ` [PATCH 5.15.y v2 3/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix error message Ruohan Lan
@ 2026-04-08 10:52 ` Sasha Levin
3 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2026-04-08 10:52 UTC (permalink / raw)
To: Ruohan Lan; +Cc: stable
> can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
All 3 patches queued for 5.15, thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-04-08 10:52 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-03 1:36 [PATCH 5.15.y v2 0/3] Backport to fix CVE-2026-23031 in 5.15 Ruohan Lan
2026-04-03 1:36 ` [PATCH 5.15.y v2 1/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak Ruohan Lan
2026-04-03 1:36 ` [PATCH 5.15.y v2 2/3] can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error Ruohan Lan
2026-04-03 1:36 ` [PATCH 5.15.y v2 3/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix error message Ruohan Lan
2026-04-08 10:52 ` [PATCH 5.15.y v2 1/3] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox