public inbox for linux-kernel@vger.kernel.org
* [PATCH] ieee802154: ca8210: fix cas_ctl leak on spi_async failure
@ 2026-04-21  7:32 Shitalkumar Gandhi
  2026-04-21  7:52 ` Miquel Raynal
  2026-04-21  9:47 ` Markus Elfring
  0 siblings, 2 replies; 3+ messages in thread
From: Shitalkumar Gandhi @ 2026-04-21  7:32 UTC (permalink / raw)
  To: alex.aring, stefan, miquel.raynal
  Cc: andrew+netdev, davem, edumazet, kuba, pabeni, linux-wpan, netdev,
	linux-kernel, stable, Shitalkumar Gandhi

ca8210_spi_transfer() allocates cas_ctl with kzalloc_obj(GFP_ATOMIC)
and relies entirely on the SPI completion callback
ca8210_spi_transfer_complete() to free it.

The spi_async() API only invokes the completion callback on successful
submission.  On failure it returns a negative error code without ever
queuing the callback, which leaves cas_ctl and its embedded spi_message
and spi_transfer orphaned.  Every kfree(cas_ctl) in the driver is
inside the completion callback, so there is no other reclamation path.

ca8210_spi_transfer() is called from ca8210_spi_exchange(), the
interrupt handler ca8210_interrupt_handler(), and from the retry path
inside the completion callback itself.  The exchange and interrupt
handler paths loop on -EBUSY, so under sustained SPI bus contention
every retry iteration leaks a fresh cas_ctl (~600 bytes per
occurrence).

Fix it by freeing cas_ctl on the spi_async() error path.  While here,
correct the misleading error string: the function calls spi_async(),
not spi_sync().

Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com>
---
 drivers/net/ieee802154/ca8210.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index ed4178155a5d..bf837adfebb2 100644
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -919,9 +919,10 @@ static int ca8210_spi_transfer(
 	if (status < 0) {
 		dev_crit(
 			&spi->dev,
-			"status %d from spi_sync in write\n",
+			"status %d from spi_async in write\n",
 			status
 		);
+		kfree(cas_ctl);
 	}
 
 	return status;
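
Review bot: The added kfree(cas_ctl) in the `if (status < 0)` branch carries no comment saying why freeing here is safe, while every other free of cas_ctl lives in ca8210_spi_transfer_complete(). A short comment above it would help, stating that spi_async() rejected the message, so the completion callback will never run and ownership stays with this function. That keeps a later reader from mistaking it for a double free or moving it out of the error branch. The message string fix on the dev_crit() line is independent of the leak fix, so it could be dropped from the stable backport without affecting the kfree().
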
-- 
2.25.1



* Re: [PATCH] ieee802154: ca8210: fix cas_ctl leak on spi_async failure
  2026-04-21  7:32 [PATCH] ieee802154: ca8210: fix cas_ctl leak on spi_async failure Shitalkumar Gandhi
@ 2026-04-21  7:52 ` Miquel Raynal
  2026-04-21  9:47 ` Markus Elfring
  1 sibling, 0 replies; 3+ messages in thread
From: Miquel Raynal @ 2026-04-21  7:52 UTC (permalink / raw)
  To: Shitalkumar Gandhi
  Cc: alex.aring, stefan, andrew+netdev, davem, edumazet, kuba, pabeni,
	linux-wpan, netdev, linux-kernel, stable, Shitalkumar Gandhi

Hello,

On 21/04/2026 at 13:02:59 +0530, Shitalkumar Gandhi <shital.gandhi45@gmail.com> wrote:

> ca8210_spi_transfer() allocates cas_ctl with kzalloc_obj(GFP_ATOMIC)
> and relies entirely on the SPI completion callback
> ca8210_spi_transfer_complete() to free it.

[...]

> Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com>
> ---

Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>

Thanks,
Miquèl


* Re: [PATCH] ieee802154: ca8210: fix cas_ctl leak on spi_async failure
  2026-04-21  7:32 [PATCH] ieee802154: ca8210: fix cas_ctl leak on spi_async failure Shitalkumar Gandhi
  2026-04-21  7:52 ` Miquel Raynal
@ 2026-04-21  9:47 ` Markus Elfring
  1 sibling, 0 replies; 3+ messages in thread
From: Markus Elfring @ 2026-04-21  9:47 UTC (permalink / raw)
  To: Shitalkumar Gandhi, linux-wpan, netdev, Alexander Aring,
	Miquel Raynal, Stefan Schmidt
  Cc: Shitalkumar Gandhi, stable, LKML, Andrew Lunn, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni

…
> Fix it by freeing cas_ctl on the spi_async() error path.  While here,
> correct the misleading error string: the function calls spi_async(),
> not spi_sync().

Would it be safer to offer desired changes as separate patches?
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v7.0#n81

Regards,
Markus
