* [PATCH] net: dsa: sja1105: fix refcount leak in sja1105_setup_tc_taprio()
@ 2026-06-09 7:40 Wentao Liang
2026-06-11 14:01 ` Simon Horman
From: Wentao Liang @ 2026-06-09 7:40 UTC
To: olteanv, andrew, davem, edumazet, kuba, pabeni
Cc: linux-kernel, netdev, Wentao Liang, stable
In sja1105_setup_tc_taprio(), taprio_offload_get() acquires a
reference on the new offload and stores it in
tas_data->offload[port]. If sja1105_init_scheduling() or
sja1105_static_config_reload() later fails, the function returns
without releasing the reference via taprio_offload_free(). The
stored pointer is thus leaked, as the driver will not clean it up
unless a subsequent TAPRIO_CMD_DESTROY is received, which may
never happen.
Fix the leak by calling taprio_offload_free() and resetting
tas_data->offload[port] to NULL on both error paths.
Cc: stable@vger.kernel.org
Fixes: 317ab5b86c8e ("net: dsa: sja1105: Configure the Time-Aware Scheduler via tc-taprio offload")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
drivers/net/dsa/sja1105/sja1105_tas.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/net/dsa/sja1105/sja1105_tas.c b/drivers/net/dsa/sja1105/sja1105_tas.c
index e47967b12d5d..96cb5aa04910 100644
--- a/drivers/net/dsa/sja1105/sja1105_tas.c
+++ b/drivers/net/dsa/sja1105/sja1105_tas.c
@@ -575,10 +575,18 @@ int sja1105_setup_tc_taprio(struct dsa_switch *ds, int port,
tas_data->offload[port] = taprio_offload_get(admin);
rc = sja1105_init_scheduling(priv);
- if (rc < 0)
+ if (rc < 0) {
+ taprio_offload_free(tas_data->offload[port]);
+ tas_data->offload[port] = NULL;
return rc;
+ }
- return sja1105_static_config_reload(priv, SJA1105_SCHEDULING);
+ rc = sja1105_static_config_reload(priv, SJA1105_SCHEDULING);
+ if (rc < 0) {
+ taprio_offload_free(tas_data->offload[port]);
+ tas_data->offload[port] = NULL;
+ }
+ return rc;
}
static int sja1105_tas_check_running(struct sja1105_private *priv)
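Review bot: The cleanup pair "taprio_offload_free(tas_data->offload[port]);" / "tas_data->offload[port] = NULL;" is repeated verbatim in both `if (rc < 0)` blocks; routing both failures through one error label (a hypothetical `err_free_offload:` placed after the reload call) would keep the two paths from drifting apart if the unwind ever grows. In the second block, sja1105_init_scheduling(priv) has already succeeded while offload[port] was populated, so if that function derives its schedule from tas_data->offload[], resetting the pointer after a failed sja1105_static_config_reload() leaves the computed scheduling state out of step with what the driver now tracks. The commit message should state whether that is acceptable or whether the scheduling state has to be recomputed once the pointer is cleared.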
--
2.34.1
* Re: [PATCH] net: dsa: sja1105: fix refcount leak in sja1105_setup_tc_taprio()
From: Simon Horman @ 2026-06-11 14:01 UTC
To: Wentao Liang
Cc: olteanv, andrew, davem, edumazet, kuba, pabeni, linux-kernel,
netdev, stable
On Tue, Jun 09, 2026 at 07:40:02AM +0000, Wentao Liang wrote:
> In sja1105_setup_tc_taprio(), taprio_offload_get() acquires a
> reference on the new offload and stores it in
> tas_data->offload[port]. If sja1105_init_scheduling() or
> sja1105_static_config_reload() later fails, the function returns
> without releasing the reference via taprio_offload_free(). The
> stored pointer is thus leaked, as the driver will not clean it up
> unless a subsequent TAPRIO_CMD_DESTROY is received, which may
> never happen.
>
> Fix the leak by calling taprio_offload_free() and resetting
> tas_data->offload[port] to NULL on both error paths.
>
> Cc: stable@vger.kernel.org
> Fixes: 317ab5b86c8e ("net: dsa: sja1105: Configure the Time-Aware Scheduler via tc-taprio offload")
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Hi Wentao,
There is AI-generated review of this patch-set available on both
https://sashiko.dev and https://netdev-ai.bots.linux.dev/sashiko/
I would appreciate it if you could look over that with a view
to addressing any issues that directly affect this patch.