From: Greg Kroah-Hartman Date: Fri, 21 Nov 2025 10:42:52 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.6.117~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f82007b57329b935cdf20fb3dba81afe134777cc;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
---
diff --git a/queue-5.10/isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch b/queue-5.10/isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
new file mode 100644
index 0000000000..df94820b74
--- /dev/null
+++ b/queue-5.10/isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
@@ -0,0 +1,75 @@
+From 3f978e3f1570155a1327ffa25f60968bc7b9398f Mon Sep 17 00:00:00 2001
+From: Abdun Nihaal
+Date: Thu, 30 Oct 2025 09:55:22 +0530
+Subject: isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
+
+From: Abdun Nihaal
+
+commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream.
+
+In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when
+setup_instance() fails with an error code. Fix that by freeing the urb
+before freeing the hw structure. Also change the error paths to use the
+goto ladder style.
+
+Compile tested only. Issue found using a prototype static analysis tool.
+
+Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
+Signed-off-by: Abdun Nihaal
+Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1903,13 +1903,13 @@ out:
+ mISDN_freebchannel(&hw->bch[1]);
+ mISDN_freebchannel(&hw->bch[0]);
+ mISDN_freedchannel(&hw->dch);
+- kfree(hw);
+ return err;
+ }
+
+ static int
+ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+ {
++ int err;
+ struct hfcsusb *hw;
+ struct usb_device *dev = interface_to_usbdev(intf);
+ struct usb_host_interface *iface = intf->cur_altsetting;
+@@ -2100,20 +2100,28 @@ hfcsusb_probe(struct usb_interface *intf
+ if (!hw->ctrl_urb) {
+ pr_warn("%s: No memory for control urb\n",
+ driver_info->vend_name);
+- kfree(hw);
+- return -ENOMEM;
++ err = -ENOMEM;
++ goto err_free_hw;
+ }
+
+ pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n",
+ hw->name, __func__, driver_info->vend_name,
+ conf_str[small_match], ifnum, alt_used);
+
+- if (setup_instance(hw, dev->dev.parent))
+- return -EIO;
++ if (setup_instance(hw, dev->dev.parent)) {
++ err = -EIO;
++ goto err_free_urb;
++ }
+
+ hw->intf = intf;
+ usb_set_intfdata(hw->intf, hw);
+ return 0;
++
++err_free_urb:
++ usb_free_urb(hw->ctrl_urb);
++err_free_hw:
++ kfree(hw);
++ return err;
+ }
+
+ /* function called when an active device is removed */
diff --git a/queue-5.10/series b/queue-5.10/series
index 73e7bbccc0..1d23a66c05 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -211,3 +211,4 @@ fs-proc-fix-uaf-in-proc_readdir_de.patch
 spi-try-to-get-acpi-gpio-irq-earlier.patch
 edac-altera-handle-ocram-ecc-enable-after-warm-reset.patch
 edac-altera-use-inttest-register-for-ethernet-and-usb-sbe-injection.patch
+isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
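Review bot: The new `err_free_urb` label in hfcsusb_probe() releases the control URB with `usb_free_urb(hw->ctrl_urb)` and falls through to `kfree(hw)` without cancelling the URB first. usb_free_urb() only drops a reference, so if setup_instance() can fail after that URB has been submitted (its body, like the start of hfcsusb_probe(), lies outside these hunks, so this is unconfirmed), a completion callback could still run against the freed `hw`. I would put `usb_kill_urb(hw->ctrl_urb);` ahead of the free, or add a comment at the label stating that the URB is never in flight on this path. Because `kfree(hw)` moved out of setup_instance()'s `out:` path, a comment there such as `/* hw stays owned by the caller; hfcsusb_probe() frees it on failure */` would keep a later caller from leaking or double-freeing it. The description says the change was compile tested only, so the failing-probe path is worth one run under KASAN and kmemleak before this is released to stable.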