Re: [PATCH] net: dsa: sja1105: fix refcount leak in sja1105_setup_tc_taprio()
From: Paolo Abeni
Date: Sat Jun 13 2026 - 04:42:30 EST
On 6/9/26 9:40 AM, Wentao Liang wrote:
> In sja1105_setup_tc_taprio(), taprio_offload_get() acquires a
> reference on the new offload and stores it in
> tas_data->offload[port]. If sja1105_init_scheduling() or
> sja1105_static_config_reload() later fails, the function returns
> without releasing the reference via taprio_offload_free(). The
> stored pointer is thus leaked, as the driver will not clean it up
> unless a subsequent TAPRIO_CMD_DESTROY is received, which may
> never happen.
>
> Fix the leak by calling taprio_offload_free() and resetting
> tas_data->offload[port] to NULL on both error paths.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 317ab5b86c8e ("net: dsa: sja1105: Configure the Time-Aware Scheduler via tc-taprio offload")
> Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
> ---
> drivers/net/dsa/sja1105/sja1105_tas.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/dsa/sja1105/sja1105_tas.c b/drivers/net/dsa/sja1105/sja1105_tas.c
> index e47967b12d5d..96cb5aa04910 100644
> --- a/drivers/net/dsa/sja1105/sja1105_tas.c
> +++ b/drivers/net/dsa/sja1105/sja1105_tas.c
> @@ -575,10 +575,18 @@ int sja1105_setup_tc_taprio(struct dsa_switch *ds, int port,
> tas_data->offload[port] = taprio_offload_get(admin);
>
> rc = sja1105_init_scheduling(priv);
> - if (rc < 0)
> + if (rc < 0) {
> + taprio_offload_free(tas_data->offload[port]);
> + tas_data->offload[port] = NULL;
> return rc;
> + }
>
> - return sja1105_static_config_reload(priv, SJA1105_SCHEDULING);
> + rc = sja1105_static_config_reload(priv, SJA1105_SCHEDULING);
> + if (rc < 0) {
> + taprio_offload_free(tas_data->offload[port]);
> + tas_data->offload[port] = NULL;
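Review bot: On the sja1105_static_config_reload() error path, the reference is dropped and tas_data->offload[port] is set to NULL, but nothing in the hunk undoes what the earlier, successful sja1105_init_scheduling(priv) call set up while that pointer was still stored. The first error path has the same gap if sja1105_init_scheduling() can fail part-way. Please either revert or rebuild the scheduling state after clearing the pointer, or explain in the commit message why the state left behind is safe. Separately, the two cleanup blocks are identical ("taprio_offload_free(tas_data->offload[port]);" followed by "tas_data->offload[port] = NULL;"), so a single error label reached by goto would keep the paths from drifting apart.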
I think the config-cleanup issues mentioned by sashiko here should be
addressed.
/P