From 239694f53b3704fc991fbc803f1463db03560257 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 8 Jul 2022 13:10:01 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
can-grcan-grcan_probe-remove-extra-of_node_get.patch
can-gs_usb-gs_usb_open-close-fix-memory-leak.patch
---
...grcan_probe-remove-extra-of_node_get.patch | 33 +++++
...sb-gs_usb_open-close-fix-memory-leak.patch | 113 ++++++++++++++++++
queue-4.9/series | 2 +
3 files changed, 148 insertions(+)
create mode 100644 queue-4.9/can-grcan-grcan_probe-remove-extra-of_node_get.patch
create mode 100644 queue-4.9/can-gs_usb-gs_usb_open-close-fix-memory-leak.patch
diff --git a/queue-4.9/can-grcan-grcan_probe-remove-extra-of_node_get.patch b/queue-4.9/can-grcan-grcan_probe-remove-extra-of_node_get.patch
new file mode 100644
index 00000000000..bf1cc308c40
--- /dev/null
+++ b/queue-4.9/can-grcan-grcan_probe-remove-extra-of_node_get.patch
@@ -0,0 +1,33 @@
+From 562fed945ea482833667f85496eeda766d511386 Mon Sep 17 00:00:00 2001
+From: Liang He
+Date: Sun, 19 Jun 2022 15:02:57 +0800
+Subject: can: grcan: grcan_probe(): remove extra of_node_get()
+
+From: Liang He
+
+commit 562fed945ea482833667f85496eeda766d511386 upstream.
+
+In grcan_probe(), of_find_node_by_path() has already increased the
+refcount. There is no need to call of_node_get() again, so remove it.
+
+Link: https://lore.kernel.org/all/20220619070257.4067022-1-windhl@126.com
+Fixes: 1e93ed26acf0 ("can: grcan: grcan_probe(): fix broken system id check for errata workaround needs")
+Cc: stable@vger.kernel.org # v5.18
+Cc: Andreas Larsson
+Signed-off-by: Liang He
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/grcan.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/can/grcan.c
++++ b/drivers/net/can/grcan.c
+@@ -1669,7 +1669,6 @@ static int grcan_probe(struct platform_d
+ */
+ sysid_parent = of_find_node_by_path("/ambapp0");
+ if (sysid_parent) {
+- of_node_get(sysid_parent);
+ err = of_property_read_u32(sysid_parent, "systemid", &sysid);
+ if (!err && ((sysid & GRLIB_VERSION_MASK) >=
+ GRCAN_TXBUG_SAFE_GRLIB_VERSION))
diff --git a/queue-4.9/can-gs_usb-gs_usb_open-close-fix-memory-leak.patch b/queue-4.9/can-gs_usb-gs_usb_open-close-fix-memory-leak.patch
new file mode 100644
index 00000000000..bb554fb5d77
--- /dev/null
+++ b/queue-4.9/can-gs_usb-gs_usb_open-close-fix-memory-leak.patch
@@ -0,0 +1,113 @@
+From 2bda24ef95c0311ab93bda00db40486acf30bd0a Mon Sep 17 00:00:00 2001
+From: Rhett Aultman
+Date: Sun, 3 Jul 2022 19:33:06 +0200
+Subject: can: gs_usb: gs_usb_open/close(): fix memory leak
+
+From: Rhett Aultman
+
+commit 2bda24ef95c0311ab93bda00db40486acf30bd0a upstream.
+
+The gs_usb driver appears to suffer from a malady common to many USB
+CAN adapter drivers in that it performs usb_alloc_coherent() to
+allocate a number of USB request blocks (URBs) for RX, and then later
+relies on usb_kill_anchored_urbs() to free them, but this doesn't
+actually free them. As a result, this may be leaking DMA memory that's
+been used by the driver.
+
+This commit is an adaptation of the techniques found in the esd_usb2
+driver where a similar design pattern led to a memory leak. It
+explicitly frees the RX URBs and their DMA memory via a call to
+usb_free_coherent(). Since the RX URBs were allocated in the
+gs_can_open(), we remove them in gs_can_close() rather than in the
+disconnect function as was done in esd_usb2.
+
+For more information, see the 928150fad41b ("can: esd_usb2: fix memory
+leak").
+
+Link: https://lore.kernel.org/all/alpine.DEB.2.22.394.2206031547001.1630869@thelappy
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rhett Aultman
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/usb/gs_usb.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -192,6 +192,8 @@ struct gs_can {
+
+ struct usb_anchor tx_submitted;
+ atomic_t active_tx_urbs;
++ void *rxbuf[GS_MAX_RX_URBS];
++ dma_addr_t rxbuf_dma[GS_MAX_RX_URBS];
+ };
+
+ /* usb interface struct */
+@@ -601,6 +603,7 @@ static int gs_can_open(struct net_device
+ for (i = 0; i < GS_MAX_RX_URBS; i++) {
+ struct urb *urb;
+ u8 *buf;
++ dma_addr_t buf_dma;
+
+ /* alloc rx urb */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -611,7 +614,7 @@ static int gs_can_open(struct net_device
+ buf = usb_alloc_coherent(dev->udev,
+ sizeof(struct gs_host_frame),
+ GFP_KERNEL,
+- &urb->transfer_dma);
++ &buf_dma);
+ if (!buf) {
+ netdev_err(netdev,
+ "No memory left for USB buffer\n");
+@@ -619,6 +622,8 @@ static int gs_can_open(struct net_device
+ return -ENOMEM;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ /* fill, anchor, and submit rx urb */
+ usb_fill_bulk_urb(urb,
+ dev->udev,
+@@ -642,10 +647,17 @@ static int gs_can_open(struct net_device
+ rc);
+
+ usb_unanchor_urb(urb);
++ usb_free_coherent(dev->udev,
++ sizeof(struct gs_host_frame),
++ buf,
++ buf_dma);
+ usb_free_urb(urb);
+ break;
+ }
+
++ dev->rxbuf[i] = buf;
++ dev->rxbuf_dma[i] = buf_dma;
++
+ /* Drop reference,
+ * USB core will take care of freeing it
+ */
+@@ -710,13 +722,20 @@ static int gs_can_close(struct net_devic
+ int rc;
+ struct gs_can *dev = netdev_priv(netdev);
+ struct gs_usb *parent = dev->parent;
++ unsigned int i;
+
+ netif_stop_queue(netdev);
+
+ /* Stop polling */
+ parent->active_channels--;
+- if (!parent->active_channels)
++ if (!parent->active_channels) {
+ usb_kill_anchored_urbs(&parent->rx_submitted);
++ for (i = 0; i < GS_MAX_RX_URBS; i++)
++ usb_free_coherent(dev->udev,
++ sizeof(struct gs_host_frame),
++ dev->rxbuf[i],
++ dev->rxbuf_dma[i]);
++ }
+
+ /* Stop sending URBs */
+ usb_kill_anchored_urbs(&dev->tx_submitted);
diff --git a/queue-4.9/series b/queue-4.9/series
index 5855d9c10a3..c6209be3ddf 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1 +1,3 @@
 mm-slub-add-missing-tid-updates-on-slab-deactivation.patch
+can-grcan-grcan_probe-remove-extra-of_node_get.patch
+can-gs_usb-gs_usb_open-close-fix-memory-leak.patch
-- 
2.47.3
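Review bot: In the gs_usb patch, the free loop added to gs_can_close() releases `dev->rxbuf[i]` of whichever channel closes last, while the RX URBs are anchored on the shared `parent->rx_submitted`, so the per-channel `rxbuf`/`rxbuf_dma` arrays added to struct gs_can need not belong to the channel that allocated the buffers. If the allocation loop in gs_can_open() runs only for the first channel opened (its guard is outside the hunk), then on a multi-channel adapter opening A, opening B, closing A and then closing B would leak A's coherent buffers and hand B's never-assigned slots to usb_free_coherent(); keeping both arrays in struct gs_usb next to `rx_submitted` would give the buffers the same owner as the anchor. Separately, the slots are not cleared once freed and the `break` after a failed usb_submit_urb() leaves the remaining slots untouched, so a later open that fails partway could leave stale pointers that the next close frees a second time. Bracing the loop body and adding `dev->rxbuf[i] = NULL;` after the usb_free_coherent() call would make the repeated free harmless, assuming usb_free_coherent() returns early on a NULL address. Both gs_can_open() and gs_can_close() continue outside the hunks shown.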