From: Greg Kroah-Hartman
Date: Fri, 21 Nov 2025 10:43:22 +0000 (+0100)
Subject: 6.6-stable patches
X-Git-Tag: v6.6.117~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cf2613fcfc337f036ebf3ea891aae90b34b56580;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches
added patches:
isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
---
diff --git a/queue-6.6/isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch b/queue-6.6/isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
new file mode 100644
index 0000000000..df94820b74
--- /dev/null
+++ b/queue-6.6/isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
@@ -0,0 +1,75 @@
+From 3f978e3f1570155a1327ffa25f60968bc7b9398f Mon Sep 17 00:00:00 2001
+From: Abdun Nihaal
+Date: Thu, 30 Oct 2025 09:55:22 +0530
+Subject: isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
+
+From: Abdun Nihaal
+
+commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream.
+
+In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when
+setup_instance() fails with an error code. Fix that by freeing the urb
+before freeing the hw structure. Also change the error paths to use the
+goto ladder style.
+
+Compile tested only. Issue found using a prototype static analysis tool.
+
+Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
+Signed-off-by: Abdun Nihaal
+Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1903,13 +1903,13 @@ out:
+ mISDN_freebchannel(&hw->bch[1]);
+ mISDN_freebchannel(&hw->bch[0]);
+ mISDN_freedchannel(&hw->dch);
+- kfree(hw);
+ return err;
+ }
+
+ static int
+ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+ {
++ int err;
+ struct hfcsusb *hw;
+ struct usb_device *dev = interface_to_usbdev(intf);
+ struct usb_host_interface *iface = intf->cur_altsetting;
+@@ -2100,20 +2100,28 @@ hfcsusb_probe(struct usb_interface *intf
+ if (!hw->ctrl_urb) {
+ pr_warn("%s: No memory for control urb\n",
+ driver_info->vend_name);
+- kfree(hw);
+- return -ENOMEM;
++ err = -ENOMEM;
++ goto err_free_hw;
+ }
+
+ pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n",
+ hw->name, __func__, driver_info->vend_name,
+ conf_str[small_match], ifnum, alt_used);
+
+- if (setup_instance(hw, dev->dev.parent))
+- return -EIO;
++ if (setup_instance(hw, dev->dev.parent)) {
++ err = -EIO;
++ goto err_free_urb;
++ }
+
+ hw->intf = intf;
+ usb_set_intfdata(hw->intf, hw);
+ return 0;
++
++err_free_urb:
++ usb_free_urb(hw->ctrl_urb);
++err_free_hw:
++ kfree(hw);
++ return err;
+ }
+
+ /* function called when an active device is removed */
diff --git a/queue-6.6/series b/queue-6.6/series
index 17ab305f5f..62952d9e77 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -519,3 +519,4 @@ filemap-cap-pte-range-to-be-created-to-allowed-zero-fill-in-folio_map_range.patch
 mm-memory-do-not-populate-page-table-entries-beyond-i_size.patch
 mm-truncate-unmap-large-folio-on-split-failure.patch
 mm-secretmem-fix-use-after-free-race-in-fault-handler.patch
+isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
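Review bot: With `kfree(hw)` removed from the `out:` path of setup_instance(), freeing hw on failure becomes the caller's job, but nothing in the new code records that; a comment above setup_instance() such as `/* On failure hw and hw->ctrl_urb stay allocated; the caller frees them. */` would keep a later caller or backport from reintroducing the leak or a double free. Only the tail of setup_instance() is visible in the hunk, so it is worth confirming in the 6.6 tree that no other exit in that function still frees hw and that hfcsusb_probe() is its only caller. In the hfcsusb_probe() hunk, `err = -EIO;` discards the code setup_instance() returned; `err = setup_instance(hw, dev->dev.parent);` followed by `if (err) goto err_free_urb;` would propagate it, if changing the errno is acceptable for a stable backport. The commit message states the change was compile tested only, so the new `err_free_urb` and `err_free_hw` labels have presumably not been exercised at runtime and would benefit from a fault-injection run of the probe failure path.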