From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CBEFB28690 for ; Wed, 1 Apr 2026 02:14:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775009685; cv=none; b=DixQ3uH0C54qDkNk1ztS3H7Kv7U02bhkfs9ZDi3m458mt7c6Ew9QC68zKEhPHt1I7vYIF37SXrjecjYZqfit6UDLZgTiuZGPUHy6G+UnqJfnXrDpvFwphTVV/L0ff9F3YmO3oF76MLcDZKhepLmEg0KUfx3MYh9/IFOY0UdUiUg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775009685; c=relaxed/simple; bh=RKIRkB7dwIPp5lClJ0dJhiaIpEWh1SS1HK0MYCHKxr4=; h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=ocnhcyhIa1oIdLc+lwQpSkv4nvgza/4q5e/2EXooZz3s9Nv+UiT4bEu0qN361MU3UsKtuAIVW3uRC2r5UMtor9lCyZ/MNXlR4cUiuf3vvOpX+D5YCJa87MJM8eTceAobPTNxX7sA7InLt58PbKMBMmx5la++G30FZBuUm2jb7ow= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ZVscnBww; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ZVscnBww" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E58A3C19423; Wed, 1 Apr 2026 02:14:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1775009685; bh=RKIRkB7dwIPp5lClJ0dJhiaIpEWh1SS1HK0MYCHKxr4=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=ZVscnBwwOBiFAsll4NVdYRbBAXWGY8Ze/q5YwnVc+YFVTOgSiYDhd7PjpdKVSSRf1 6iFNAFS4dU5D/Ejz42tpLoP1cxj04gmQwSeiuzKdKsL6AFRSoU+7aj5WimTnqTrKNy RUyZEDtqo+c95zRN23P/OXEF3lTNteHrTtzfvOrrd5PodIcSlkphGia0tnzYkWmNZR zlWfqubtg+AdVRV37GjaT2gL82zGETBvkBtKb+5m37vAyng7+rKl33icWM9rMFracm OCm2g/DfYdSyDMxfg6ItV0dj1++M1g2OsJRPwk2weREjPgoTJSXZ/OP1whKseQrmrQ 8GP1uk/qqOt3w== Date: Tue, 31 Mar 2026 19:14:44 -0700 From: Jakub Kicinski To: Linus Walleij Cc: Hans Ulli Kroll , Andrew Lunn , "David S. Miller" , Eric Dumazet , Paolo Abeni , =?UTF-8?B?TWljaGHFgiBNaXJvc8WCYXc=?= , netdev@vger.kernel.org, Andreas Haarmann-Thiemann Subject: Re: [PATCH net] net: ethernet: cortina: Fix SKB leak Message-ID: <20260331191444.79ed1da9@kernel.org> In-Reply-To: <20260330-gemini-ethernet-fix-v1-1-18783a45d13a@kernel.org> References: <20260330-gemini-ethernet-fix-v1-1-18783a45d13a@kernel.org> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Mon, 30 Mar 2026 08:00:29 +0200 Linus Walleij wrote: > From: Andreas Haarmann-Thiemann >=20 > Under sustained RX load (e.g. large file transfers over the network), the > device freezes completely and requires a hard power cycle. No kernel panic > or oops is produced; the system simply stops responding. >=20 > In gmac_rx() (drivers/net/ethernet/cortina/gemini.c), when > gmac_get_queue_page() returns NULL for the second page of a multi-page > fragment, the driver logs an error and continues =E2=80=94 but does not f= ree the > in-progress skb that was already being assembled via napi_build_skb() / > napi_get_frags(): >=20 > gpage =3D gmac_get_queue_page(geth, port, mapping + PAGE_SIZE); > if (!gpage) { > dev_err(geth->dev, "could not find mapping\n"); > /* BUG: skb leaked here */ > port->stats.rx_dropped++; > continue; > } >=20 > This path is distinct from the similar block in gmac_cleanup_rxq(), which > correctly only logs "could not find page" without an skb in flight. >=20 > Each occurrence of this error path leaks one skb. Under sustained traffic > the leak exhausts kernel memory, causing the observed lockup. >=20 > Free the in-progress skb via napi_free_frags() before continuing, matching > the pattern already used elsewhere in the driver. >=20 > Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethe= rnet") > Signed-off-by: Andreas Haarmann-Thiemann > Signed-off-by: Linus Walleij Thanks for handling (what I assume to be) an external report Linus! Not sure I'm connecting the dots here, tho. Apparently skb is a static variable in this function(!?) so the skb should be flushed on the next SOP? Also I don't see how potential memory leak squares with the first sentence of the commit which reads: device freezes completely and requires a hard power cycle how can kernel mem leak cause a device to wedge? > diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet= /cortina/gemini.c > index 4824232f4890..723d90d5fdf3 100644 > --- a/drivers/net/ethernet/cortina/gemini.c > +++ b/drivers/net/ethernet/cortina/gemini.c > @@ -1491,6 +1491,10 @@ static unsigned int gmac_rx(struct net_device *net= dev, unsigned int budget) > gpage =3D gmac_get_queue_page(geth, port, mapping + PAGE_SIZE); > if (!gpage) { > dev_err(geth->dev, "could not find mapping\n"); > + if (skb) { > + napi_free_frags(&port->napi); > + skb =3D NULL; > + } > continue; > } > page =3D gpage->page; >=20 > --- > base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f > change-id: 20260330-gemini-ethernet-fix-604c28c53da1 >=20 > Best regards,