Patch "net: renesas: rswitch: fix leaked pointer on error path" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 15 Dec 2024 11:59:00 -0500

This is a note to let you know that I've just added the patch titled

    net: renesas: rswitch: fix leaked pointer on error path

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-renesas-rswitch-fix-leaked-pointer-on-error-path.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 59d8683b570ffc9ce74f275cd7bd824bb2cd16de
Author: Nikita Yushchenko <nikita.yoush@xxxxxxxxxxxxxxxxxx>
Date:   Sun Dec 8 14:50:03 2024 +0500

    net: renesas: rswitch: fix leaked pointer on error path
    
    [ Upstream commit bb617328bafa1023d8e9c25a25345a564c66c14f ]
    
    If error path is taken while filling descriptor for a frame, skb
    pointer is left in the entry. Later, on the ring entry reuse, the
    same entry could be used as a part of a multi-descriptor frame,
    and skb for that new frame could be stored in a different entry.
    
    Then, the stale pointer will reach the completion routine, and passed
    to the release operation.
    
    Fix that by clearing the saved skb pointer at the error path.
    
    Fixes: d2c96b9d5f83 ("net: rswitch: Add jumbo frames handling for TX")
    Signed-off-by: Nikita Yushchenko <nikita.yoush@xxxxxxxxxxxxxxxxxx>
    Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@xxxxxxxxxxx>
    Link: https://patch.msgid.link/20241208095004.69468-4-nikita.yoush@xxxxxxxxxxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
index 13577fe2c7ec..b1432ca79f1e 100644
--- a/drivers/net/ethernet/renesas/rswitch.c
+++ b/drivers/net/ethernet/renesas/rswitch.c
@@ -1631,6 +1631,7 @@ static netdev_tx_t rswitch_start_xmit(struct sk_buff *skb, struct net_device *nd
 	return ret;
 
 err_unmap:
+	gq->skbs[(gq->cur + nr_desc - 1) % gq->ring_size] = NULL;
 	dma_unmap_single(ndev->dev.parent, dma_addr_orig, skb->len, DMA_TO_DEVICE);
 
 err_kfree:







