Commit adbe2cdf authored Apr 24, 2026 by Morduan Zang Committed by Jakub Kicinski Apr 27, 2026

net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit



When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
handed to the USB core and write_bulk_callback() will not run.  The
driver returns NETDEV_TX_OK, which tells the networking stack that the
skb has been consumed, but nothing actually frees the skb on this
error path:

  dev->tx_skb = skb;
  ...
  if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
          ...
          /* no kfree_skb here */
  }
  return NETDEV_TX_OK;

This leaks the skb on every submit failure and also leaves dev->tx_skb
pointing at memory that the driver itself may later free, which is
fragile.

Free the skb with dev_kfree_skb_any() in the error path and clear
dev->tx_skb so no stale pointer is left behind.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
Link: https://patch.msgid.link/E7D3E1C013C5A859+20260424015517.9574-1-zhangdandan@uniontech.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 23f0e34c

drivers/net/usb/rtl8150.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -710,6 +710,13 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
		netdev->stats.tx_errors++;
		netif_start_queue(netdev);
		}
		/*
		* The URB was not submitted, so write_bulk_callback() will
		* never run to free dev->tx_skb. Drop the skb here and
		* clear tx_skb to avoid leaving a stale pointer.
		*/
		dev->tx_skb = NULL;
		dev_kfree_skb_any(skb);
		} else {
		netdev->stats.tx_packets++;
		netdev->stats.tx_bytes += skb_len;