RE: [PATCH 0/2] Fix to possible skb leak due to race condtion in tx path

From: Selvamani Rajagopal

Date: Mon Jun 22 2026 - 00:58:18 EST

Sorry that I missed to mention the target tree (net). Will wait for few days anyway and re-submit if needed.

Sincerely
Selva

> -----Original Message-----
> From: Selvamani Rajagopal via B4 Relay
> <devnull+Selvamani.Rajagopal.onsemi.com@xxxxxxxxxx>
> Sent: Sunday, June 21, 2026 9:24 PM
> Subject: [PATCH 0/2] Fix to possible skb leak due to race condtion in tx path
>
>
> This Message Is From an External Sender
> This message came from outside your organization.
>
> Due to the fact that traffic is handled in threaded IRQ,
> and the introduction of disable_traffic flag, introduced
> the race condition where sk buffer may leak if trasmit
> path is interrupted between the condition check and
> initializing the waiting_tx_skb pointer for transmission.
>
> With this change, disable_traffic and waiting_tx_skb
> pointer are protected by spin lock/unlock pair.
>
> This is highlighted in Sashiko review
> https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260611-level-trigger-v5-0-
> 4533a9e85ce2%40onsemi.com
> <https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260611-level-trigger-v5-0-4533a9e85ce2%40onsemi.com
> =netdev-ai.bots.linux.dev>
>
> Also on buffer overrun condition, probably due to loss of
> SPI data chunks, receive path doesn't see the expected
> data chunk with end_valid bit set. As a result, driver
> keeps adding data chunks to the skb before running out
> of space and kernel panic is seen.
>
> With this change, before adding data to the skb, if there
> is no space, skb is freed and driver starts looking for
> new frame by looking for a data chunk with start_valid
> bit set.
>
> [ 705.405490] skbuff: skb_over_panic: text:ffffffd2eb72a264 len:1600 put:64
> head:ffffff804e5cdc40 data:ffffff804e5cdc80 tail:0x680 end:0x640 dev:eth1
> [ 705.405569] ------------[ cut here ]------------
> [ 705.405575] kernel BUG at net/core/skbuff.c:214!
> [ 705.405589] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
>
> [ 6703.427690] Call trace:
> [ 705.925157] skb_panic+0x58/0x68 (P)
> [ 705.928726] skb_put+0x74/0x80
> [ 705.931772] oa_tc6_update_rx_skb+0x44/0x98 [oa_tc6_mod]
> [ 705.937084] oa_tc6_macphy_threaded_irq+0x3f4/0x900 [oa_tc6_mod]
> [ 705.943084] irq_thread_fn+0x34/0xb8
> [ 705.946654] irq_thread+0x1a0/0x300
> [ 705.950134] kthread+0x138/0x150
> [ 705.953356] ret_from_fork+0x10/0x20
>
> Signed-off-by: Selvamani Rajagopal <Selvamani.Rajagopal@xxxxxxxxxx>
> ---
> Selvamani Rajagopal (2):
> Protect skb pointer used by two different kernel instances
> net: ethernet: oa_tc6: Improvement in buffer overflow handling
>
> drivers/net/ethernet/oa_tc6.c | 75 +++++++++++++++++++++++++++----------------
> 1 file changed, 48 insertions(+), 27 deletions(-)
> ---
> base-commit: d07d80b6a129a44538cda1549b7acf95154fb197
> change-id: 20260621-fix-race-condition-and-crash-94d055a665c4
>
> Best regards,
> --
> Selvamani Rajagopal <Selvamani.Rajagopal@xxxxxxxxxx>
>