[PATCH net 0/n] pull-request: can 2022-03-31

[PATCH net 0/n] pull-request: can 2022-03-31

[Marc Kleine-Budde]

Hello Jakub, hello David,

this is a pull request of 8 patches for net/master.

The first patch is by Oliver Hartkopp and fixes MSG_PEEK feature in
the CAN ISOTP protocol (broken in net-next for v5.18 only).

Tom Rix's patch for the mcp251xfd driver fixes the propagation of an
error value in case of an error.

A patch by me for the m_can driver fixes a use-after-free in the xmit
handler for m_can IP cores v3.0.x.

Hangyu Hua contributes 3 patches fixing the same double free in the
error path of the xmit handler in the ems_usb, usb_8dev and mcba_usb
USB CAN driver.

Pavel Skripkin contributes a patch for the mcba_usb driver to properly
check the endpoint type.

The last patch is by me and fixes a mem leak in the gs_usb, which was
introduced in net-next for v5.18.

regards,
Marc

---

The following changes since commit f9512d654f62604664251dedd437a22fe484974a:

  net: sparx5: uses, depends on BRIDGE or !BRIDGE (2022-03-30 19:16:27 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can.git tags/linux-can-fixes-for-5.18-20220331

for you to fetch changes up to 50d34a0d151dc7abbdbec781bd7f09f2b3cbf01a:

  can: gs_usb: gs_make_candev(): fix memory leak for devices with extended bit timing configuration (2022-03-31 09:55:27 +0200)

----------------------------------------------------------------
linux-can-fixes-for-5.18-20220331

----------------------------------------------------------------
Hangyu Hua (3):
      can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path
      can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path
      can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path

Marc Kleine-Budde (2):
      can: m_can: m_can_tx_handler(): fix use after free of skb
      can: gs_usb: gs_make_candev(): fix memory leak for devices with extended bit timing configuration

Oliver Hartkopp (1):
      can: isotp: restore accidentally removed MSG_PEEK feature

Pavel Skripkin (1):
      can: mcba_usb: properly check endpoint type

Tom Rix (1):
      can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix return of error value

 drivers/net/can/m_can/m_can.c                  |  5 +++--
 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c |  2 +-
 drivers/net/can/usb/ems_usb.c                  |  1 -
 drivers/net/can/usb/gs_usb.c                   |  2 ++
 drivers/net/can/usb/mcba_usb.c                 | 27 +++++++++++++----------
 drivers/net/can/usb/usb_8dev.c                 | 30 ++++++++++++--------------
 net/can/isotp.c                                |  2 +-
 7 files changed, 37 insertions(+), 32 deletions(-)

[PATCH net 1/8] can: isotp: restore accidentally removed MSG_PEEK feature

[Marc Kleine-Budde]

From: Oliver Hartkopp <socketcan@hartkopp.net>

In commit 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when
reading from socket") a new check for recvmsg flags has been
introduced that only checked for the flags that are handled in
isotp_recvmsg() itself.

This accidentally removed the MSG_PEEK feature flag which is processed
later in the call chain in __skb_try_recv_from_queue().

Add MSG_PEEK to the set of valid flags to restore the feature.

Fixes: 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket")
Link: https://github.com/linux-can/can-utils/issues/347#issuecomment-1079554254
Link: https://lore.kernel.org/all/20220328113611.3691-1-socketcan@hartkopp.net
Reported-by: Derek Will <derekrobertwill@gmail.com>
Suggested-by: Derek Will <derekrobertwill@gmail.com>
Tested-by: Derek Will <derekrobertwill@gmail.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 net/can/isotp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/can/isotp.c b/net/can/isotp.c
index f6f8ba1f816d..bafb0fb5f0e0 100644
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1050,7 +1050,7 @@ static int isotp_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
 	int noblock = flags & MSG_DONTWAIT;
 	int ret = 0;
 
-	if (flags & ~(MSG_DONTWAIT | MSG_TRUNC))
+	if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK))
 		return -EINVAL;
 
 	if (!so->bound)

base-commit: f9512d654f62604664251dedd437a22fe484974a
-- 
2.35.1

[PATCH net 2/8] can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix return of error value

[Marc Kleine-Budde]

From: Tom Rix <trix@redhat.com>

Clang static analysis reports this issue:

| mcp251xfd-core.c:1813:7: warning: The left operand
|   of '&' is a garbage value
|   FIELD_GET(MCP251XFD_REG_DEVID_ID_MASK, dev_id),
|   ^                                      ~~~~~~

dev_id is set in a successful call to mcp251xfd_register_get_dev_id().
Though the status of calls made by mcp251xfd_register_get_dev_id() are
checked and handled, their status' are not returned. So return err.

Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
Link: https://lore.kernel.org/all/20220319153128.2164120-1-trix@redhat.com
Signed-off-by: Tom Rix <trix@redhat.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
index 325024be7b04..f9dd8fdba12b 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
@@ -1786,7 +1786,7 @@ mcp251xfd_register_get_dev_id(const struct mcp251xfd_priv *priv, u32 *dev_id,
  out_kfree_buf_rx:
 	kfree(buf_rx);
 
-	return 0;
+	return err;
 }
 
 #define MCP251XFD_QUIRK_ACTIVE(quirk) \
-- 
2.35.1

[PATCH net 3/8] can: m_can: m_can_tx_handler(): fix use after free of skb

[Marc Kleine-Budde]

can_put_echo_skb() will clone skb then free the skb. Move the
can_put_echo_skb() for the m_can version 3.0.x directly before the
start of the xmit in hardware, similar to the 3.1.x branch.

Fixes: 80646733f11c ("can: m_can: update to support CAN FD features")
Link: https://lore.kernel.org/all/20220317081305.739554-1-mkl@pengutronix.de
Cc: stable@vger.kernel.org
Reported-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/m_can/m_can.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
index 1a4b56f6fa8c..b3b5bc1c803b 100644
--- a/drivers/net/can/m_can/m_can.c
+++ b/drivers/net/can/m_can/m_can.c
@@ -1637,8 +1637,6 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
 		if (err)
 			goto out_fail;
 
-		can_put_echo_skb(skb, dev, 0, 0);
-
 		if (cdev->can.ctrlmode & CAN_CTRLMODE_FD) {
 			cccr = m_can_read(cdev, M_CAN_CCCR);
 			cccr &= ~CCCR_CMR_MASK;
@@ -1655,6 +1653,9 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
 			m_can_write(cdev, M_CAN_CCCR, cccr);
 		}
 		m_can_write(cdev, M_CAN_TXBTIE, 0x1);
+
+		can_put_echo_skb(skb, dev, 0, 0);
+
 		m_can_write(cdev, M_CAN_TXBAR, 0x1);
 		/* End of xmit function for version 3.0.x */
 	} else {
-- 
2.35.1

[PATCH net 4/8] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path

[Marc Kleine-Budde]

From: Hangyu Hua <hbh25y@gmail.com>

There is no need to call dev_kfree_skb() when usb_submit_urb() fails
beacause can_put_echo_skb() deletes the original skb and
can_free_echo_skb() deletes the cloned skb.

Link: https://lore.kernel.org/all/20220228083639.38183-1-hbh25y@gmail.com
Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Cc: stable@vger.kernel.org
Cc: Sebastian Haas <haas@ems-wuensche.com>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/ems_usb.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c
index 7bedceffdfa3..bbec3311d893 100644
--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -819,7 +819,6 @@ static netdev_tx_t ems_usb_start_xmit(struct sk_buff *skb, struct net_device *ne
 
 		usb_unanchor_urb(urb);
 		usb_free_coherent(dev->udev, size, buf, urb->transfer_dma);
-		dev_kfree_skb(skb);
 
 		atomic_dec(&dev->active_tx_urbs);
 
-- 
2.35.1

[PATCH net 5/8] can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path

[Marc Kleine-Budde]

From: Hangyu Hua <hbh25y@gmail.com>

There is no need to call dev_kfree_skb() when usb_submit_urb() fails
because can_put_echo_skb() deletes original skb and
can_free_echo_skb() deletes the cloned skb.

Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
Link: https://lore.kernel.org/all/20220311080614.45229-1-hbh25y@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/usb_8dev.c | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c
index 431af1ec1e3c..b638604bf1ee 100644
--- a/drivers/net/can/usb/usb_8dev.c
+++ b/drivers/net/can/usb/usb_8dev.c
@@ -663,9 +663,20 @@ static netdev_tx_t usb_8dev_start_xmit(struct sk_buff *skb,
 	atomic_inc(&priv->active_tx_urbs);
 
 	err = usb_submit_urb(urb, GFP_ATOMIC);
-	if (unlikely(err))
-		goto failed;
-	else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS)
+	if (unlikely(err)) {
+		can_free_echo_skb(netdev, context->echo_index, NULL);
+
+		usb_unanchor_urb(urb);
+		usb_free_coherent(priv->udev, size, buf, urb->transfer_dma);
+
+		atomic_dec(&priv->active_tx_urbs);
+
+		if (err == -ENODEV)
+			netif_device_detach(netdev);
+		else
+			netdev_warn(netdev, "failed tx_urb %d\n", err);
+		stats->tx_dropped++;
+	} else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS)
 		/* Slow down tx path */
 		netif_stop_queue(netdev);
 
@@ -684,19 +695,6 @@ static netdev_tx_t usb_8dev_start_xmit(struct sk_buff *skb,
 
 	return NETDEV_TX_BUSY;
 
-failed:
-	can_free_echo_skb(netdev, context->echo_index, NULL);
-
-	usb_unanchor_urb(urb);
-	usb_free_coherent(priv->udev, size, buf, urb->transfer_dma);
-
-	atomic_dec(&priv->active_tx_urbs);
-
-	if (err == -ENODEV)
-		netif_device_detach(netdev);
-	else
-		netdev_warn(netdev, "failed tx_urb %d\n", err);
-
 nomembuf:
 	usb_free_urb(urb);
 
-- 
2.35.1

[PATCH net 6/8] can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path

[Marc Kleine-Budde]

From: Hangyu Hua <hbh25y@gmail.com>

There is no need to call dev_kfree_skb() when usb_submit_urb() fails
because can_put_echo_skb() deletes original skb and
can_free_echo_skb() deletes the cloned skb.

Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
Link: https://lore.kernel.org/all/20220311080208.45047-1-hbh25y@gmail.com
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/mcba_usb.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
index 77bddff86252..7c198eb5bc9c 100644
--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -364,7 +364,6 @@ static netdev_tx_t mcba_usb_start_xmit(struct sk_buff *skb,
 xmit_failed:
 	can_free_echo_skb(priv->netdev, ctx->ndx, NULL);
 	mcba_usb_free_ctx(ctx);
-	dev_kfree_skb(skb);
 	stats->tx_dropped++;
 
 	return NETDEV_TX_OK;
-- 
2.35.1

[PATCH net 7/8] can: mcba_usb: properly check endpoint type

[Marc Kleine-Budde]

From: Pavel Skripkin <paskripkin@gmail.com>

Syzbot reported warning in usb_submit_urb() which is caused by wrong
endpoint type. We should check that in endpoint is actually present to
prevent this warning.

Found pipes are now saved to struct mcba_priv and code uses them
directly instead of making pipes in place.

Fail log:

| usb 5-1: BOGUS urb xfer, pipe 3 != type 1
| WARNING: CPU: 1 PID: 49 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
| Modules linked in:
| CPU: 1 PID: 49 Comm: kworker/1:2 Not tainted 5.17.0-rc6-syzkaller-00184-g38f80f42147f #0
| Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
| Workqueue: usb_hub_wq hub_event
| RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
| ...
| Call Trace:
|  <TASK>
|  mcba_usb_start drivers/net/can/usb/mcba_usb.c:662 [inline]
|  mcba_usb_probe+0x8a3/0xc50 drivers/net/can/usb/mcba_usb.c:858
|  usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
|  call_driver_probe drivers/base/dd.c:517 [inline]

Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
Link: https://lore.kernel.org/all/20220313100903.10868-1-paskripkin@gmail.com
Reported-and-tested-by: syzbot+3bc1dce0cc0052d60fde@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/mcba_usb.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
index 7c198eb5bc9c..c45a814e1de2 100644
--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -33,10 +33,6 @@
 #define MCBA_USB_RX_BUFF_SIZE 64
 #define MCBA_USB_TX_BUFF_SIZE (sizeof(struct mcba_usb_msg))
 
-/* MCBA endpoint numbers */
-#define MCBA_USB_EP_IN 1
-#define MCBA_USB_EP_OUT 1
-
 /* Microchip command id */
 #define MBCA_CMD_RECEIVE_MESSAGE 0xE3
 #define MBCA_CMD_I_AM_ALIVE_FROM_CAN 0xF5
@@ -83,6 +79,8 @@ struct mcba_priv {
 	atomic_t free_ctx_cnt;
 	void *rxbuf[MCBA_MAX_RX_URBS];
 	dma_addr_t rxbuf_dma[MCBA_MAX_RX_URBS];
+	int rx_pipe;
+	int tx_pipe;
 };
 
 /* CAN frame */
@@ -268,10 +266,8 @@ static netdev_tx_t mcba_usb_xmit(struct mcba_priv *priv,
 
 	memcpy(buf, usb_msg, MCBA_USB_TX_BUFF_SIZE);
 
-	usb_fill_bulk_urb(urb, priv->udev,
-			  usb_sndbulkpipe(priv->udev, MCBA_USB_EP_OUT), buf,
-			  MCBA_USB_TX_BUFF_SIZE, mcba_usb_write_bulk_callback,
-			  ctx);
+	usb_fill_bulk_urb(urb, priv->udev, priv->tx_pipe, buf, MCBA_USB_TX_BUFF_SIZE,
+			  mcba_usb_write_bulk_callback, ctx);
 
 	urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
 	usb_anchor_urb(urb, &priv->tx_submitted);
@@ -607,7 +603,7 @@ static void mcba_usb_read_bulk_callback(struct urb *urb)
 resubmit_urb:
 
 	usb_fill_bulk_urb(urb, priv->udev,
-			  usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_OUT),
+			  priv->rx_pipe,
 			  urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE,
 			  mcba_usb_read_bulk_callback, priv);
 
@@ -652,7 +648,7 @@ static int mcba_usb_start(struct mcba_priv *priv)
 		urb->transfer_dma = buf_dma;
 
 		usb_fill_bulk_urb(urb, priv->udev,
-				  usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_IN),
+				  priv->rx_pipe,
 				  buf, MCBA_USB_RX_BUFF_SIZE,
 				  mcba_usb_read_bulk_callback, priv);
 		urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
@@ -806,6 +802,13 @@ static int mcba_usb_probe(struct usb_interface *intf,
 	struct mcba_priv *priv;
 	int err;
 	struct usb_device *usbdev = interface_to_usbdev(intf);
+	struct usb_endpoint_descriptor *in, *out;
+
+	err = usb_find_common_endpoints(intf->cur_altsetting, &in, &out, NULL, NULL);
+	if (err) {
+		dev_err(&intf->dev, "Can't find endpoints\n");
+		return err;
+	}
 
 	netdev = alloc_candev(sizeof(struct mcba_priv), MCBA_MAX_TX_URBS);
 	if (!netdev) {
@@ -851,6 +854,9 @@ static int mcba_usb_probe(struct usb_interface *intf,
 		goto cleanup_free_candev;
 	}
 
+	priv->rx_pipe = usb_rcvbulkpipe(priv->udev, in->bEndpointAddress);
+	priv->tx_pipe = usb_sndbulkpipe(priv->udev, out->bEndpointAddress);
+
 	devm_can_led_init(netdev);
 
 	/* Start USB dev only if we have successfully registered CAN device */
-- 
2.35.1

[PATCH net 8/8] can: gs_usb: gs_make_candev(): fix memory leak for devices with extended bit timing configuration

[Marc Kleine-Budde]

Some CAN-FD capable devices offer extended bit timing information for
the data bit timing. The information must be read with an USB control
message. The memory for this message is allocated but not free()ed (in
the non error case). This patch adds the missing free.

Fixes: 6679f4c5e5a6 ("can: gs_usb: add extended bt_const feature")
Link: https://lore.kernel.org/all/20220329193450.659726-1-mkl@pengutronix.de
Reported-by: syzbot+4d0ae90a195b269f102d@syzkaller.appspotmail.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/gs_usb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index 67408e316062..b29ba9138866 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -1092,6 +1092,8 @@ static struct gs_can *gs_make_candev(unsigned int channel,
 		dev->data_bt_const.brp_inc = le32_to_cpu(bt_const_extended->dbrp_inc);
 
 		dev->can.data_bittiming_const = &dev->data_bt_const;
+
+		kfree(bt_const_extended);
 	}
 
 	SET_NETDEV_DEV(netdev, &intf->dev);
-- 
2.35.1

Re: [PATCH net 0/n] pull-request: can 2022-03-31

[Jakub Kicinski]

On Thu, 31 Mar 2022 10:46:26 +0200 Marc Kleine-Budde wrote:
> The first patch is by Oliver Hartkopp and fixes MSG_PEEK feature in
> the CAN ISOTP protocol (broken in net-next for v5.18 only).
> 
> Tom Rix's patch for the mcp251xfd driver fixes the propagation of an
> error value in case of an error.
> 
> A patch by me for the m_can driver fixes a use-after-free in the xmit
> handler for m_can IP cores v3.0.x.
> 
> Hangyu Hua contributes 3 patches fixing the same double free in the
> error path of the xmit handler in the ems_usb, usb_8dev and mcba_usb
> USB CAN driver.
> 
> Pavel Skripkin contributes a patch for the mcba_usb driver to properly
> check the endpoint type.
> 
> The last patch is by me and fixes a mem leak in the gs_usb, which was
> introduced in net-next for v5.18.

I think patchwork did not like the "0/n" in the subject :(

Re: [PATCH net 0/n] pull-request: can 2022-03-31

[Marc Kleine-Budde]

[-- Attachment #1: Type: text/plain, Size: 1281 bytes --]

On 31.03.2022 08:42:23, Jakub Kicinski wrote:
> On Thu, 31 Mar 2022 10:46:26 +0200 Marc Kleine-Budde wrote:
> > The first patch is by Oliver Hartkopp and fixes MSG_PEEK feature in
> > the CAN ISOTP protocol (broken in net-next for v5.18 only).
> > 
> > Tom Rix's patch for the mcp251xfd driver fixes the propagation of an
> > error value in case of an error.
> > 
> > A patch by me for the m_can driver fixes a use-after-free in the xmit
> > handler for m_can IP cores v3.0.x.
> > 
> > Hangyu Hua contributes 3 patches fixing the same double free in the
> > error path of the xmit handler in the ems_usb, usb_8dev and mcba_usb
> > USB CAN driver.
> > 
> > Pavel Skripkin contributes a patch for the mcba_usb driver to properly
> > check the endpoint type.
> > 
> > The last patch is by me and fixes a mem leak in the gs_usb, which was
> > introduced in net-next for v5.18.
> 
> I think patchwork did not like the "0/n" in the subject :(

Should I resend (with a fixed subject)?

Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH net 0/n] pull-request: can 2022-03-31

[patchwork-bot+netdevbpf]

Hello:

This pull request was applied to netdev/net.git (master)
by Marc Kleine-Budde <mkl@pengutronix.de>:

On Thu, 31 Mar 2022 10:46:26 +0200 you wrote:
> Hello Jakub, hello David,
> 
> this is a pull request of 8 patches for net/master.
> 
> The first patch is by Oliver Hartkopp and fixes MSG_PEEK feature in
> the CAN ISOTP protocol (broken in net-next for v5.18 only).
> 
> [...]

Here is the summary with links:
  - [net,0/n] pull-request: can 2022-03-31
    https://git.kernel.org/netdev/net/c/46b556205dce
  - [net,2/8] can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix return of error value
    https://git.kernel.org/netdev/net/c/fa7b514d2b28
  - [net,3/8] can: m_can: m_can_tx_handler(): fix use after free of skb
    https://git.kernel.org/netdev/net/c/2e8e79c416aa
  - [net,4/8] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path
    https://git.kernel.org/netdev/net/c/c70222752228
  - [net,5/8] can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path
    https://git.kernel.org/netdev/net/c/3d3925ff6433
  - [net,6/8] can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path
    https://git.kernel.org/netdev/net/c/04c9b00ba835
  - [net,7/8] can: mcba_usb: properly check endpoint type
    https://git.kernel.org/netdev/net/c/136bed0bfd3b
  - [net,8/8] can: gs_usb: gs_make_candev(): fix memory leak for devices with extended bit timing configuration
    https://git.kernel.org/netdev/net/c/50d34a0d151d

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Re: [PATCH net 1/8] can: isotp: restore accidentally removed MSG_PEEK feature

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (master)
by Marc Kleine-Budde <mkl@pengutronix.de>:

On Thu, 31 Mar 2022 10:46:27 +0200 you wrote:
> From: Oliver Hartkopp <socketcan@hartkopp.net>
> 
> In commit 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when
> reading from socket") a new check for recvmsg flags has been
> introduced that only checked for the flags that are handled in
> isotp_recvmsg() itself.
> 
> [...]

Here is the summary with links:
  - [net,1/8] can: isotp: restore accidentally removed MSG_PEEK feature
    https://git.kernel.org/netdev/net/c/e382fea8ae54

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Re: [PATCH net 0/n] pull-request: can 2022-03-31

[Jakub Kicinski]

On Thu, 31 Mar 2022 17:45:49 +0200 Marc Kleine-Budde wrote:
> > I think patchwork did not like the "0/n" in the subject :(  
> 
> Should I resend (with a fixed subject)?

I should have clarified that :) It's okay - I had to build test
manually before sending the PR to Linus, anyway. Looks clean.