* [PATCH] net: tn40xx: fix netdev and NAPI leak in probe error paths
@ 2026-06-15 6:42 ZhaoJinming
2026-06-17 23:33 ` Jakub Kicinski
0 siblings, 1 reply; 2+ messages in thread
From: ZhaoJinming @ 2026-06-15 6:42 UTC (permalink / raw)
To: FUJITA Tomonori, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni
Cc: netdev, linux-kernel, ZhaoJinming
In tn40_probe(), after tn40_netdev_alloc() and netif_napi_add() succeed,
none of the subsequent error paths call netif_napi_del() or free_netdev()
to undo these operations. On any probe failure after netif_napi_add() the
NAPI structure (embedded in the netdev private data) remains on the
per-netdev napi_list while the backing memory is never freed, causing:
- A permanent memory leak of the net_device and its private data
(includes DMA rings, descriptor arrays and other internal structures
allocated by tn40_priv_init).
- A stale napi_list node that references already-freed memory, which
is a use-after-free if the list is traversed after probe failure.
Fix by renaming err_unset_drvdata to err_free_netdev, adding
netif_napi_del() and free_netdev() calls there, and redirecting the
tn40_hw_reset() and pci_alloc_irq_vectors() failure paths to this new
label so that all error paths after netdev allocation properly release
the netdev and NAPI resources.
Fixes: dd2a0ff55408 ("net: tn40xx: add basic Tx handling")
Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
---
drivers/net/ethernet/tehuti/tn40.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/tehuti/tn40.c b/drivers/net/ethernet/tehuti/tn40.c
index 558b791a97ed..532703e9c28e 100644
--- a/drivers/net/ethernet/tehuti/tn40.c
+++ b/drivers/net/ethernet/tehuti/tn40.c
@@ -1751,13 +1751,13 @@ static int tn40_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
ret = tn40_hw_reset(priv);
if (ret) {
dev_err(&pdev->dev, "failed to reset HW.\n");
- goto err_unset_drvdata;
+ goto err_free_netdev;
}
ret = pci_alloc_irq_vectors(pdev, 1, nvec, PCI_IRQ_MSI);
if (ret < 0) {
dev_err(&pdev->dev, "failed to allocate irq.\n");
- goto err_unset_drvdata;
+ goto err_free_netdev;
}
ret = tn40_mdiobus_init(priv);
@@ -1799,8 +1799,10 @@ static int tn40_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
tn40_swnodes_cleanup(priv);
err_free_irq:
pci_free_irq_vectors(pdev);
-err_unset_drvdata:
+err_free_netdev:
+ netif_napi_del(&priv->napi);
pci_set_drvdata(pdev, NULL);
+ free_netdev(ndev);
err_iounmap:
iounmap(regs);
err_free_regions:
--
2.20.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] net: tn40xx: fix netdev and NAPI leak in probe error paths
2026-06-15 6:42 [PATCH] net: tn40xx: fix netdev and NAPI leak in probe error paths ZhaoJinming
@ 2026-06-17 23:33 ` Jakub Kicinski
0 siblings, 0 replies; 2+ messages in thread
From: Jakub Kicinski @ 2026-06-17 23:33 UTC (permalink / raw)
To: ZhaoJinming
Cc: FUJITA Tomonori, Andrew Lunn, David S . Miller, Eric Dumazet,
Paolo Abeni, netdev, linux-kernel
On Mon, 15 Jun 2026 14:42:56 +0800 ZhaoJinming wrote:
> In tn40_probe(), after tn40_netdev_alloc() and netif_napi_add() succeed,
> none of the subsequent error paths call netif_napi_del() or free_netdev()
> to undo these operations. On any probe failure after netif_napi_add() the
> NAPI structure (embedded in the netdev private data) remains on the
> per-netdev napi_list while the backing memory is never freed, causing:
it's devm_ allocated:
ndev = devm_alloc_etherdev(&pdev->dev, sizeof(struct tn40_priv));
you're introducing a bug instead of fixing one..
--
pw-bot: reject
pv-bot: slop
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-17 23:33 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-15 6:42 [PATCH] net: tn40xx: fix netdev and NAPI leak in probe error paths ZhaoJinming
2026-06-17 23:33 ` Jakub Kicinski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox