
[PATCH] net: dsa: sja1105: fix refcount leak in sja1105_setup_tc_taprio()

From: Wentao Liang <hidden>
Date: 2026-06-09 07:40:21
Also in: lkml, stable
Subsystem: networking drivers, networking [dsa], the rest · Maintainers: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Vladimir Oltean, Linus Torvalds

In sja1105_setup_tc_taprio(), taprio_offload_get() acquires a
reference on the new offload and stores it in
tas_data->offload[port]. If sja1105_init_scheduling() or
sja1105_static_config_reload() later fails, the function returns
without releasing the reference via taprio_offload_free(). The
stored pointer is thus leaked, as the driver will not clean it up
unless a subsequent TAPRIO_CMD_DESTROY is received, which may
never happen.

Fix the leak by calling taprio_offload_free() and resetting
tas_data->offload[port] to NULL on both error paths.

Cc: stable@vger.kernel.org
Fixes: 317ab5b86c8e ("net: dsa: sja1105: Configure the Time-Aware Scheduler via tc-taprio offload")
Signed-off-by: Wentao Liang <redacted>
---
 drivers/net/dsa/sja1105/sja1105_tas.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/net/dsa/sja1105/sja1105_tas.c b/drivers/net/dsa/sja1105/sja1105_tas.c
index e47967b12d5d..96cb5aa04910 100644
--- a/drivers/net/dsa/sja1105/sja1105_tas.c
+++ b/drivers/net/dsa/sja1105/sja1105_tas.c
@@ -575,10 +575,18 @@ int sja1105_setup_tc_taprio(struct dsa_switch *ds, int port,
 	tas_data->offload[port] = taprio_offload_get(admin);
 
 	rc = sja1105_init_scheduling(priv);
-	if (rc < 0)
+	if (rc < 0) {
+		taprio_offload_free(tas_data->offload[port]);
+		tas_data->offload[port] = NULL;
 		return rc;
+	}
 
-	return sja1105_static_config_reload(priv, SJA1105_SCHEDULING);
+	rc = sja1105_static_config_reload(priv, SJA1105_SCHEDULING);
+	if (rc < 0) {
+		taprio_offload_free(tas_data->offload[port]);
+		tas_data->offload[port] = NULL;
+	}
+	return rc;
 }
 
 static int sja1105_tas_check_running(struct sja1105_private *priv)
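Review bot: the same two cleanup statements are duplicated in both error branches, after sja1105_init_scheduling() and after sja1105_static_config_reload(). A single unwind label would keep them in one place: have both checks do `goto err_free_offload;` and put `taprio_offload_free(tas_data->offload[port]);` followed by `tas_data->offload[port] = NULL;` under that label before `return rc;`. Separately, on the second error path sja1105_init_scheduling(priv) has already succeeded while offload[port] was set, so clearing the pointer afterwards may leave whatever that call built out of step with tas_data->offload[]. The commit message should say whether that state needs to be rebuilt after the pointer is cleared, or why it is safe to leave it as is.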
-- 
2.34.1