In mcba_usb_read_bulk_callback(), when we don't resubmit or fails to
resubmit the urb, we need to deallocate the transfer buffer that is
allocated in mcba_usb_start().
Reported-by: syzbot+57281c762a3922e14...@syzkaller.appspotmail.com
Signed-off-by: Bui Quang Minh <minhquangbu...@gmail.com>
---
v1: add memory leak fix when not resubmitting urb
v2: add memory leak fix when failing to resubmit urb
drivers/net/can/usb/mcba_usb.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
index df54eb7d4b36..30236e640116 100644
--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -584,6 +584,8 @@ static void mcba_usb_read_bulk_callback(struct urb *urb)
case -EPIPE:
case -EPROTO:
case -ESHUTDOWN:
+ usb_free_coherent(urb->dev, urb->transfer_buffer_length,
+ urb->transfer_buffer, urb->transfer_dma);
return;
default:
@@ -615,11 +617,14 @@ static void mcba_usb_read_bulk_callback(struct urb *urb)
retval = usb_submit_urb(urb, GFP_ATOMIC);
- if (retval == -ENODEV)
- netif_device_detach(netdev);
- else if (retval)
+ if (retval < 0) {
netdev_err(netdev, "failed resubmitting read bulk urb: %d\n",
retval);
+ usb_free_coherent(urb->dev, urb->transfer_buffer_length,
+ urb->transfer_buffer, urb->transfer_dma);
+ if (retval == -ENODEV)
+ netif_device_detach(netdev);
+ }
}
/* Start USB device */
--
2.17.1
