[PATCH OLK-6.6 0/2] CVE-2026-31759 - Kernel - mailweb.openeuler.org

newer
[PATCH OLK-5.10 0/2] CVE-2026-31759

[PATCH OLK-6.6 0/2] CVE-2026-31759

older
[PATCH] usb: ulpi: fix double free...

Liu Mingrui

1 Jun 2026 1 Jun '26

5:24 p.m.

CVE-2026-31759 Felix Gu (1): usb: ulpi: fix memory leak on ulpi_register() error paths Guangshuo Li (1): usb: ulpi: fix double free in ulpi_register_interface() error path drivers/usb/common/ulpi.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) -- 2.34.1

Reply

Sign in to reply online Use email software

Show replies by date

patchwork bot

1 Jun 1 Jun

9:47 a.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://atomgit.com/openeuler/kernel/merge_requests/23247 邮件列表地址：https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/SCP... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/23247 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/SCP...

Reply

Sign in to reply online Use email software

Liu Mingrui

5:24 p.m.

New subject: [PATCH OLK-6.6 1/2] usb: ulpi: fix double free in ulpi_register_interface() error path

From: Guangshuo Li <lgs201920130244@gmail.com> stable inclusion from stable-v6.6.134 commit aaeae6533d77e6ed4def85baec01e2815ebbef61 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14509 CVE: CVE-2026-31759 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- commit 01af542392b5d41fd659d487015a71f627accce3 upstream. When device_register() fails, ulpi_register() calls put_device() on ulpi->dev. The device release callback ulpi_dev_release() drops the OF node reference and frees ulpi, but the current error path in ulpi_register_interface() then calls kfree(ulpi) again, causing a double free. Let put_device() handle the cleanup through ulpi_dev_release() and avoid freeing ulpi again in ulpi_register_interface(). Fixes: 289fcff4bcdb1 ("usb: add bus type for USB ULPI") Cc: stable <stable@kernel.org> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Link: https://patch.msgid.link/20260401025142.1398996-1-lgs201920130244@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Yuan Can <yuancan@huawei.com> Signed-off-by: Liu Mingrui <liumingrui@huawei.com> --- drivers/usb/common/ulpi.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/usb/common/ulpi.c b/drivers/usb/common/ulpi.c index 0886b19d2e1c..c9f52cd1cfb2 100644 --- a/drivers/usb/common/ulpi.c +++ b/drivers/usb/common/ulpi.c @@ -331,10 +331,9 @@ struct ulpi *ulpi_register_interface(struct device *dev, ulpi->ops = ops; ret = ulpi_register(dev, ulpi); - if (ret) { - kfree(ulpi); + if (ret) return ERR_PTR(ret); - } + return ulpi; } -- 2.34.1

Reply

Sign in to reply online Use email software

Liu Mingrui

5:24 p.m.

New subject: [PATCH OLK-6.6 2/2] usb: ulpi: fix memory leak on ulpi_register() error paths

From: Felix Gu <ustc.gu@gmail.com> mainline inclusion from mainline-v7.1-rc3 commit 0b9fcab1b8608d429e5f239afb197de928d4de7d category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14509 CVE: CVE-2026-31759 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- Commit 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails. But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked. Add kfree(ulpi) on both error paths to properly clean up the allocation. Fixes: 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path") Cc: stable <stable@kernel.org> Signed-off-by: Felix Gu <ustc.gu@gmail.com> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Link: https://patch.msgid.link/20260407-ulpi-v1-1-f3fafe53f7b2@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Liu Mingrui <liumingrui@huawei.com> --- drivers/usb/common/ulpi.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/usb/common/ulpi.c b/drivers/usb/common/ulpi.c index c9f52cd1cfb2..b1957dc687a8 100644 --- a/drivers/usb/common/ulpi.c +++ b/drivers/usb/common/ulpi.c @@ -286,12 +286,15 @@ static int ulpi_register(struct device *dev, struct ulpi *ulpi) ACPI_COMPANION_SET(&ulpi->dev, ACPI_COMPANION(dev)); ret = ulpi_of_register(ulpi); - if (ret) + if (ret) { + kfree(ulpi); return ret; + } ret = ulpi_read_id(ulpi); if (ret) { of_node_put(ulpi->dev.of_node); + kfree(ulpi); return ret; } -- 2.34.1

Reply

Sign in to reply online Use email software

0

Age (days ago)

0

Last active (days ago)

3 comments

2 participants

tags

participants (2)

Liu Mingrui
patchwork bot