drivers/net/usb/rtl8150.c | 7 +++++++ 1 file changed, 7 insertions(+)
When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
handed to the USB core and write_bulk_callback() will not run. The
driver returns NETDEV_TX_OK, which tells the networking stack that the
skb has been consumed, but nothing actually frees the skb on this
error path:
dev->tx_skb = skb;
...
if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
...
/* no kfree_skb here */
}
return NETDEV_TX_OK;
This leaks the skb on every submit failure and also leaves dev->tx_skb
pointing at memory that the driver itself may later free, which is
fragile.
Free the skb with dev_kfree_skb_any() in the error path and clear
dev->tx_skb so no stale pointer is left behind.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
---
Changes in v2:
- Rebase on net/main as requested (Jakub Kicinski). v1 was based on
a tree that also carried the pending UAF fix ("net: usb: rtl8150:
fix use-after-free in rtl8150_start_xmit()"), so v1 did not apply
on net/main. v2 is an independent fix that applies cleanly to
net/main on its own; it does not depend on the UAF fix being
applied first.
- No code change besides the rebase context.
v1: https://lore.kernel.org/all/678BC10BB9E39322+20260421111025.15833-1-zhangdandan@uniontech.com/
---
drivers/net/usb/rtl8150.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 4cda0643afb6..9999484d2c5e 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -707,6 +707,13 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
netdev->stats.tx_errors++;
netif_start_queue(netdev);
}
+ /*
+ * The URB was not submitted, so write_bulk_callback() will
+ * never run to free dev->tx_skb. Drop the skb here and
+ * clear tx_skb to avoid leaving a stale pointer.
+ */
+ dev->tx_skb = NULL;
+ dev_kfree_skb_any(skb);
} else {
netdev->stats.tx_packets++;
netdev->stats.tx_bytes += skb->len;
--
2.50.1On 4/24/26 3:55 AM, Morduan Zang wrote:
> When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
> handed to the USB core and write_bulk_callback() will not run. The
> driver returns NETDEV_TX_OK, which tells the networking stack that the
> skb has been consumed, but nothing actually frees the skb on this
> error path:
>
> dev->tx_skb = skb;
> ...
> if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
> ...
> /* no kfree_skb here */
> }
> return NETDEV_TX_OK;
>
> This leaks the skb on every submit failure and also leaves dev->tx_skb
> pointing at memory that the driver itself may later free, which is
> fragile.
>
> Free the skb with dev_kfree_skb_any() in the error path and clear
> dev->tx_skb so no stale pointer is left behind.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reviewed-by: Andrew Lunn <andrew@lunn.ch>
> Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
Applied (by Jakub, AFAICS the bot did not send out the notification for
some reason), thanks!
/P
On Tue, 28 Apr 2026 13:32:13 +0200 Paolo Abeni wrote:
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Reviewed-by: Andrew Lunn <andrew@lunn.ch>
> > Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
>
> Applied (by Jakub, AFAICS the bot did not send out the notification for
> some reason), thanks!
my bad, yes, the patch was conflicting with another one, I had to tweak.
Morduan, please use patch series if you need to submit patches which
overlap in context.
© 2016 - 2026 Red Hat, Inc.