Re: [PATCH] can: mcba_usb: fix memory leak in mcba_usb

[Pavel Skripkin <paskripkin@gmail.com>]

On Sun, 25 Jul 2021 16:42:49 +0900
Yasushi SHOJI <yasushi.shoji@gmail.com> wrote:

> Hi Pavel,
> 

Hi, Yasushi!

> Apologize for the late reply.
> 
> Since 6bd3d80d1f019cef, my Microchip CAN Analyzer stopped working,
> more precisely I can't capture any data with it and repeated messages
> from the driver flod the syslog. I usually use the Debian kernel image
> and linux 5.10.46-2 migrated to unstable on July 20th.  I noticed my
> device stopped working a few days later but didn't have time to
> bisect.
> 
> Does your device work with the patch?
> Does the patch work on the main line?
>

I don't have this device, I just fixed this syzbot bug report:
https://syzkaller.appspot.com/bug?id=c94c1c23e829d5ac97995d51219f0c5a0cd1fa54.

I think, I found the root case. In this patch I saved dma_buff to local
variable and then to array, but forgot to assign it to
urb->transfer_buf. This log

[   33.862175] DMAR: [DMA Write] Request device [00:14.0] PASID ffffffff fault addr 0 [fault reason 05] PTE Write access is not set

points exactly to this problem.


Can You try the following patch?

diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
index a45865bd7254..a1a154c08b7f 100644
--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -653,6 +653,8 @@ static int mcba_usb_start(struct mcba_priv *priv)
 			break;
 		}
 
+		urb->transfer_dma = buf_dma;
+
 		usb_fill_bulk_urb(urb, priv->udev,
 				  usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_IN),
 				  buf, MCBA_USB_RX_BUFF_SIZE,



I've added Marc to this discussion, I believe, he can help us, since he
is CAN maintainer.


I am sorry for breaking your device :(

> I've posted some report with my hardware configuration at debian
> mailing list: https://bugs.debian.org/990850
> 
> Please let me know if you need any more information.
> 
> Best,
> --
>                yashi





With regards,
Pavel Skripkin