5.10-stable patches

added patches:
	isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch

diff --git a/queue-5.10/isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch b/queue-5.10/isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
new file mode 100644 (file)
index 0000000..df94820
--- /dev/null
+++ b/queue-5.10/isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
@@ -0,0 +1,75 @@
+From 3f978e3f1570155a1327ffa25f60968bc7b9398f Mon Sep 17 00:00:00 2001
+From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
+Date: Thu, 30 Oct 2025 09:55:22 +0530
+Subject: isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
+
+From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
+
+commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream.
+
+In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when
+setup_instance() fails with an error code. Fix that by freeing the urb
+before freeing the hw structure. Also change the error paths to use the
+goto ladder style.
+
+Compile tested only. Issue found using a prototype static analysis tool.
+
+Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
+Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
+Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c |   18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1903,13 +1903,13 @@ out:
+       mISDN_freebchannel(&hw->bch[1]);
+       mISDN_freebchannel(&hw->bch[0]);
+       mISDN_freedchannel(&hw->dch);
+-      kfree(hw);
+       return err;
+ }
+ 
+ static int
+ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+ {
++      int err;
+       struct hfcsusb                  *hw;
+       struct usb_device               *dev = interface_to_usbdev(intf);
+       struct usb_host_interface       *iface = intf->cur_altsetting;
+@@ -2100,20 +2100,28 @@ hfcsusb_probe(struct usb_interface *intf
+       if (!hw->ctrl_urb) {
+               pr_warn("%s: No memory for control urb\n",
+                       driver_info->vend_name);
+-              kfree(hw);
+-              return -ENOMEM;
++              err = -ENOMEM;
++              goto err_free_hw;
+       }
+ 
+       pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n",
+               hw->name, __func__, driver_info->vend_name,
+               conf_str[small_match], ifnum, alt_used);
+ 
+-      if (setup_instance(hw, dev->dev.parent))
+-              return -EIO;
++      if (setup_instance(hw, dev->dev.parent)) {
++              err = -EIO;
++              goto err_free_urb;
++      }
+ 
+       hw->intf = intf;
+       usb_set_intfdata(hw->intf, hw);
+       return 0;
++
++err_free_urb:
++      usb_free_urb(hw->ctrl_urb);
++err_free_hw:
++      kfree(hw);
++      return err;
+ }
+ 
+ /* function called when an active device is removed */

diff --git a/queue-5.10/series b/queue-5.10/series
index 73e7bbccc0a2aaf3bf7e4c7b3a1d6708ee902332..1d23a66c05b556a897b6eec4ab8f50ffd1320296 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -211,3 +211,4 @@ fs-proc-fix-uaf-in-proc_readdir_de.patch
 spi-try-to-get-acpi-gpio-irq-earlier.patch
 edac-altera-handle-ocram-ecc-enable-after-warm-reset.patch
 edac-altera-use-inttest-register-for-ethernet-and-usb-sbe-injection.patch
+isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch