git.ipfire.org Git - thirdparty/kernel/linux.git/commit
ieee802154: ca8210: fix cas_ctl leak on spi_async failure
author Shitalkumar Gandhi <shital.gandhi45@gmail.com>
Tue, 21 Apr 2026 07:32:59 +0000 (13:02 +0530)
committer Stefan Schmidt <stefan@datenfreihafen.org>
Fri, 19 Jun 2026 20:16:13 +0000 (22:16 +0200)
commit e09390e439bd7cca30dd10893b1f64802961667a
tree 5f0674ff12e703915e5d7ff95ce3efde99724027
parent e69ed6fc9fb3b386b5fcdb9f51623f122cee2ebd

ca8210_spi_transfer() allocates cas_ctl with kzalloc_obj(GFP_ATOMIC)
and relies entirely on the SPI completion callback
ca8210_spi_transfer_complete() to free it.

The spi_async() API only invokes the completion callback on successful
submission.  On failure it returns a negative error code without ever
queuing the callback, which leaves cas_ctl and its embedded spi_message
and spi_transfer orphaned.  Every kfree(cas_ctl) in the driver is
inside the completion callback, so there is no other reclamation path.

ca8210_spi_transfer() is called from ca8210_spi_exchange(), the
interrupt handler ca8210_interrupt_handler(), and from the retry path
inside the completion callback itself.  The exchange and interrupt
handler paths loop on -EBUSY, so under sustained SPI bus contention
every retry iteration leaks a fresh cas_ctl (~600 bytes per
occurrence).

Fix it by freeing cas_ctl on the spi_async() error path.  While here,
correct the misleading error string: the function calls spi_async(),
not spi_sync().

Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/20260421073259.2259783-1-shitalkumar.gandhi@cambiumnetworks.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
drivers/net/ieee802154/ca8210.c
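
The ownership problem described in the commit message, as an added userspace model that is not part of the commit or the driver. `fake_spi_async()`, `cas_ctl_model`, the `orphans` bookkeeping and the `free_on_error` switch are constructed stand-ins; the model assumes a successful submission completes immediately.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ORPHANS 64
struct cas_ctl_model { char payload[600]; };  /* constructed size, echoing "~600 bytes" */
static int busy_budget, n_orphans;  /* failing submissions left; leaked objects so far */
static void *orphans[MAX_ORPHANS];  /* demo-only record so leaks can be counted and released */

/* Stand-in for the completion callback: the only place the unfixed path frees */
static void complete_cb(void *ctx) { free(ctx); }

/* Hypothetical stand-in for spi_async(): no callback when submission fails */
static int fake_spi_async(void (*cb)(void *), void *ctx)
{
    if (busy_budget > 0) { busy_budget--; return -EBUSY; }
    cb(ctx);                        /* model: a successful submission completes at once */
    return 0;
}

static int transfer(int free_on_error)
{
    struct cas_ctl_model *c = calloc(1, sizeof(*c));
    int status;
    if (!c) return -ENOMEM;
    status = fake_spi_async(complete_cb, c);
    if (status < 0 && free_on_error)
        free(c);                    /* fixed shape: ownership never left the caller */
    else if (status < 0)
        orphans[n_orphans++] = c;   /* unfixed shape: nothing else will ever free c */
    return status;
}

/* Retry on -EBUSY as the message says the callers do; returns objects leaked */
int leaked_after_contention(int busy_failures, int free_on_error)
{
    int leaked;
    n_orphans = 0;
    busy_budget = busy_failures > MAX_ORPHANS ? MAX_ORPHANS : busy_failures;
    while (transfer(free_on_error) == -EBUSY)
        ;
    leaked = n_orphans;
    while (n_orphans > 0) free(orphans[--n_orphans]);  /* keep the demo itself clean */
    return leaked;
}

int main(void)
{
    return printf("unfixed leaked %d, fixed leaked %d\n", leaked_after_contention(5, 0), leaked_after_contention(5, 1)) < 0;
}
```

In the model, each failed submission on the unfixed path strands one allocation per retry, which is why sustained bus contention turns the bug into steady memory growth.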