public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
@ 2026-04-21 11:10 Morduan Zang
  2026-04-21 11:54 ` Petko Manolov
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Morduan Zang @ 2026-04-21 11:10 UTC (permalink / raw)
  To: Petko Manolov
  Cc: Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, linux-usb, netdev, linux-kernel, Morduan Zang

When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
handed to the USB core and write_bulk_callback() will not run.  The
driver returns NETDEV_TX_OK, which tells the networking stack that the
skb has been consumed, but nothing actually frees the skb on this
error path:

  dev->tx_skb = skb;
  ...
  if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
          ...
          /* no kfree_skb here */
  }
  return NETDEV_TX_OK;

This leaks the skb on every submit failure and also leaves dev->tx_skb
pointing at memory that the driver itself may later free, which is
fragile.

Free the skb with dev_kfree_skb_any() in the error path and clear
dev->tx_skb so no stale pointer is left behind.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
---
 drivers/net/usb/rtl8150.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index a0f790a368ba..d358b6d41a53 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -716,6 +716,13 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
 			netdev->stats.tx_errors++;
 			netif_start_queue(netdev);
 		}
+		/*
+		 * The URB was not submitted, so write_bulk_callback() will
+		 * never run to free dev->tx_skb.  Drop the skb here and
+		 * clear tx_skb to avoid leaving a stale pointer.
+		 */
+		dev->tx_skb = NULL;
+		dev_kfree_skb_any(skb);
 	} else {
 		netdev->stats.tx_packets++;
 		netdev->stats.tx_bytes += skb_len;
-- 
2.50.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
  2026-04-21 11:10 [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Morduan Zang
@ 2026-04-21 11:54 ` Petko Manolov
  2026-04-21 12:34 ` Andrew Lunn
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Petko Manolov @ 2026-04-21 11:54 UTC (permalink / raw)
  To: Morduan Zang
  Cc: Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, linux-usb, netdev, linux-kernel

On 26-04-21 19:10:25, Morduan Zang wrote:
> When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
> handed to the USB core and write_bulk_callback() will not run.  The
> driver returns NETDEV_TX_OK, which tells the networking stack that the
> skb has been consumed, but nothing actually frees the skb on this
> error path:
> 
>   dev->tx_skb = skb;
>   ...
>   if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
>           ...
>           /* no kfree_skb here */
>   }
>   return NETDEV_TX_OK;
> 
> This leaks the skb on every submit failure and also leaves dev->tx_skb
> pointing at memory that the driver itself may later free, which is
> fragile.
> 
> Free the skb with dev_kfree_skb_any() in the error path and clear
> dev->tx_skb so no stale pointer is left behind.

Another approach would be to use skb_copy_from_linear_data() to a static buffer
and free the skb right away.  Take a look at pegasus_start_xmit() in
drivers/net/usb/pegasus.c.  This comes at the cost of yet another memcpy,
though.

The above is not to say i don't like your current approach, just FYI.


		Petko

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
  2026-04-21 11:10 [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Morduan Zang
  2026-04-21 11:54 ` Petko Manolov
@ 2026-04-21 12:34 ` Andrew Lunn
  2026-04-23 18:44 ` Jakub Kicinski
  2026-04-24  1:55 ` [PATCH net v2] " Morduan Zang
  3 siblings, 0 replies; 5+ messages in thread
From: Andrew Lunn @ 2026-04-21 12:34 UTC (permalink / raw)
  To: Morduan Zang
  Cc: Petko Manolov, Andrew Lunn, David S . Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, linux-usb, netdev, linux-kernel

On Tue, Apr 21, 2026 at 07:10:25PM +0800, Morduan Zang wrote:
> When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
> handed to the USB core and write_bulk_callback() will not run.  The
> driver returns NETDEV_TX_OK, which tells the networking stack that the
> skb has been consumed, but nothing actually frees the skb on this
> error path:
> 
>   dev->tx_skb = skb;
>   ...
>   if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
>           ...
>           /* no kfree_skb here */
>   }
>   return NETDEV_TX_OK;
> 
> This leaks the skb on every submit failure and also leaves dev->tx_skb
> pointing at memory that the driver itself may later free, which is
> fragile.
> 
> Free the skb with dev_kfree_skb_any() in the error path and clear
> dev->tx_skb so no stale pointer is left behind.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>

Reviewed-by: Andrew Lunn <andrew@lunn.ch>

    Andrew

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
  2026-04-21 11:10 [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Morduan Zang
  2026-04-21 11:54 ` Petko Manolov
  2026-04-21 12:34 ` Andrew Lunn
@ 2026-04-23 18:44 ` Jakub Kicinski
  2026-04-24  1:55 ` [PATCH net v2] " Morduan Zang
  3 siblings, 0 replies; 5+ messages in thread
From: Jakub Kicinski @ 2026-04-23 18:44 UTC (permalink / raw)
  To: Morduan Zang
  Cc: Petko Manolov, Andrew Lunn, David S . Miller, Eric Dumazet,
	Paolo Abeni, linux-usb, netdev, linux-kernel

On Tue, 21 Apr 2026 19:10:25 +0800 Morduan Zang wrote:
> When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
> handed to the USB core and write_bulk_callback() will not run.  The
> driver returns NETDEV_TX_OK, which tells the networking stack that the
> skb has been consumed, but nothing actually frees the skb on this
> error path:

Does not apply, please rebase on net/main and repost.
-- 
pw-bot: cr

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [PATCH net v2] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
  2026-04-21 11:10 [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Morduan Zang
                   ` (2 preceding siblings ...)
  2026-04-23 18:44 ` Jakub Kicinski
@ 2026-04-24  1:55 ` Morduan Zang
  3 siblings, 0 replies; 5+ messages in thread
From: Morduan Zang @ 2026-04-24  1:55 UTC (permalink / raw)
  To: Jakub Kicinski, Petko Manolov
  Cc: Andrew Lunn, David S . Miller, Eric Dumazet, Paolo Abeni,
	linux-usb, netdev, linux-kernel, Morduan Zang, Andrew Lunn

When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
handed to the USB core and write_bulk_callback() will not run.  The
driver returns NETDEV_TX_OK, which tells the networking stack that the
skb has been consumed, but nothing actually frees the skb on this
error path:

  dev->tx_skb = skb;
  ...
  if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
          ...
          /* no kfree_skb here */
  }
  return NETDEV_TX_OK;

This leaks the skb on every submit failure and also leaves dev->tx_skb
pointing at memory that the driver itself may later free, which is
fragile.

Free the skb with dev_kfree_skb_any() in the error path and clear
dev->tx_skb so no stale pointer is left behind.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
---
Changes in v2:
 - Rebase on net/main as requested (Jakub Kicinski).  v1 was based on
   a tree that also carried the pending UAF fix ("net: usb: rtl8150:
   fix use-after-free in rtl8150_start_xmit()"), so v1 did not apply
   on net/main.  v2 is an independent fix that applies cleanly to
   net/main on its own; it does not depend on the UAF fix being
   applied first.
 - No code change besides the rebase context.

v1: https://lore.kernel.org/all/678BC10BB9E39322+20260421111025.15833-1-zhangdandan@uniontech.com/
---
 drivers/net/usb/rtl8150.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 4cda0643afb6..9999484d2c5e 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -707,6 +707,13 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
 			netdev->stats.tx_errors++;
 			netif_start_queue(netdev);
 		}
+		/*
+		 * The URB was not submitted, so write_bulk_callback() will
+		 * never run to free dev->tx_skb.  Drop the skb here and
+		 * clear tx_skb to avoid leaving a stale pointer.
+		 */
+		dev->tx_skb = NULL;
+		dev_kfree_skb_any(skb);
 	} else {
 		netdev->stats.tx_packets++;
 		netdev->stats.tx_bytes += skb->len;
-- 
2.50.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-04-24  1:56 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-21 11:10 [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Morduan Zang
2026-04-21 11:54 ` Petko Manolov
2026-04-21 12:34 ` Andrew Lunn
2026-04-23 18:44 ` Jakub Kicinski
2026-04-24  1:55 ` [PATCH net v2] " Morduan Zang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox