Commit 018fb313 authored by Rhett Aultman's avatar Rhett Aultman Committed by Jinjie Ruan
Browse files

can: gs_usb: gs_usb_open/close(): fix memory leak 

stable inclusion
from stable-v4.19.252
commit d91492638b054f4a359621ef216242be5973ed6b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP6SC
CVE: CVE-2022-49661

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d91492638b054f4a359621ef216242be5973ed6b

--------------------------------

commit 2bda24ef upstream.

The gs_usb driver appears to suffer from a malady common to many USB
CAN adapter drivers in that it performs usb_alloc_coherent() to
allocate a number of USB request blocks (URBs) for RX, and then later
relies on usb_kill_anchored_urbs() to free them, but this doesn't
actually free them. As a result, this may be leaking DMA memory that's
been used by the driver.

This commit is an adaptation of the techniques found in the esd_usb2
driver where a similar design pattern led to a memory leak. It
explicitly frees the RX URBs and their DMA memory via a call to
usb_free_coherent(). Since the RX URBs were allocated in the
gs_can_open(), we remove them in gs_can_close() rather than in the
disconnect function as was done in esd_usb2.

For more information, see the 928150fa ("can: esd_usb2: fix memory
leak").

Link: https://lore.kernel.org/all/alpine.DEB.2.22.394.2206031547001.1630869@thelappy


Fixes: d08e973a ("can: gs_usb: Added support for the GS_USB CAN devices")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarRhett Aultman <rhett.aultman@samsara.com>
Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
	drivers/net/can/usb/gs_usb.c
[Just context conflicts in gs_can_close().]
Signed-off-by: default avatarJinjie Ruan <ruanjinjie@huawei.com>
parent 8bb5e053

drivers/net/can/usb/gs_usb.c

+21 −2
Original line number Diff line number Diff line
@@ -186,6 +186,8 @@ struct gs_can { 


	struct usb_anchor tx_submitted;

	atomic_t active_tx_urbs;

	void *rxbuf[GS_MAX_RX_URBS];

	dma_addr_t rxbuf_dma[GS_MAX_RX_URBS];

};



/* usb interface struct */
@@ -590,6 +592,7 @@ static int gs_can_open(struct net_device *netdev) 
		for (i = 0; i < GS_MAX_RX_URBS; i++) {

			struct urb *urb;

			u8 *buf;

			dma_addr_t buf_dma;



			/* alloc rx urb */

			urb = usb_alloc_urb(0, GFP_KERNEL);
@@ -600,7 +603,7 @@ static int gs_can_open(struct net_device *netdev) 
			buf = usb_alloc_coherent(dev->udev,

						 sizeof(struct gs_host_frame),

						 GFP_KERNEL,

						 &urb->transfer_dma);

						 &buf_dma);

			if (!buf) {

				netdev_err(netdev,

					   "No memory left for USB buffer\n");
@@ -608,6 +611,8 @@ static int gs_can_open(struct net_device *netdev) 
				return -ENOMEM;

			}



			urb->transfer_dma = buf_dma;



			/* fill, anchor, and submit rx urb */

			usb_fill_bulk_urb(urb,

					  dev->udev,
@@ -631,10 +636,17 @@ static int gs_can_open(struct net_device *netdev) 
					   rc);



				usb_unanchor_urb(urb);

				usb_free_coherent(dev->udev,

						  sizeof(struct gs_host_frame),

						  buf,

						  buf_dma);

				usb_free_urb(urb);

				break;

			}



			dev->rxbuf[i] = buf;

			dev->rxbuf_dma[i] = buf_dma;



			/* Drop reference,

			 * USB core will take care of freeing it

			 */
@@ -698,12 +710,19 @@ static int gs_can_close(struct net_device *netdev) 
	int rc;

	struct gs_can *dev = netdev_priv(netdev);

	struct gs_usb *parent = dev->parent;

	unsigned int i;



	netif_stop_queue(netdev);



	/* Stop polling */

	if (atomic_dec_and_test(&parent->active_channels))

	if (atomic_dec_and_test(&parent->active_channels)) {

		usb_kill_anchored_urbs(&parent->rx_submitted);

		for (i = 0; i < GS_MAX_RX_URBS; i++)

			usb_free_coherent(dev->udev,

					  sizeof(struct gs_host_frame),

					  dev->rxbuf[i],

					  dev->rxbuf_dma[i]);

	}



	/* Stop sending URBs */

	usb_kill_anchored_urbs(&dev->tx_submitted);