- Kernel - mailweb.openeuler.org

[openeuler:OLK-6.6 13/13] drivers/ub/urma/uburma/uburma_mmap.c:20:6: warning: no previous prototype for 'uburma_umap_priv_init'
by kernel test robot 28 Dec '25

28 Dec '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 03c9c649e6f28e26260d276ce755f785b2435da3 commit: f01eef756655bd5f66bd1e3770da92e31982556d [13/13] uburma: introduce uburma basic types and helper functions config: arm64-randconfig-004-20251226 (https://download.01.org/0day-ci/archive/20251228/202512282153.oGLU3b14-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.4.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251228/202512282153.oGLU3b14-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512282153.oGLU3b14-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/ub/urma/uburma/uburma_mmap.c:20:6: warning: no previous prototype for 'uburma_umap_priv_init' [-Wmissing-prototypes] 20 | void uburma_umap_priv_init(struct uburma_umap_priv *priv, | ^~~~~~~~~~~~~~~~~~~~~ >> drivers/ub/urma/uburma/uburma_mmap.c:33:6: warning: no previous prototype for 'uburma_unmap_vma_pages' [-Wmissing-prototypes] 33 | void uburma_unmap_vma_pages(struct uburma_file *ufile) | ^~~~~~~~~~~~~~~~~~~~~~ >> drivers/ub/urma/uburma/uburma_mmap.c:169:36: warning: no previous prototype for 'uburma_get_umap_ops' [-Wmissing-prototypes] 169 | const struct vm_operations_struct *uburma_get_umap_ops(void) | ^~~~~~~~~~~~~~~~~~~ Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for RESCTRL_FS Depends on [n]: MISC_FILESYSTEMS [=n] && ARCH_HAS_CPU_RESCTRL [=y] Selected by [y]: - ARM64_MPAM [=y] vim +/uburma_umap_priv_init +20 drivers/ub/urma/uburma/uburma_mmap.c 19 > 20 void uburma_umap_priv_init(struct uburma_umap_priv *priv, 21 struct vm_area_struct *vma) 22 { 23 struct uburma_file *ufile = vma->vm_file->private_data; 24 25 priv->vma = vma; 26 vma->vm_private_data = priv; 27 28 mutex_lock(&ufile->umap_mutex); 29 list_add(&priv->node, &ufile->umaps_list); 30 mutex_unlock(&ufile->umap_mutex); 31 } 32 > 33 void uburma_unmap_vma_pages(struct uburma_file *ufile) 34 { 35 struct uburma_umap_priv *priv, *next_priv; 36 struct mm_struct *mm; 37 38 if (list_empty(&ufile->umaps_list)) 39 return; 40 41 lockdep_assert_held(&ufile->cleanup_rwsem); 42 while (1) { 43 struct list_head local_list; 44 45 INIT_LIST_HEAD(&local_list); 46 mm = NULL; 47 mutex_lock(&ufile->umap_mutex); 48 list_for_each_entry_safe(priv, next_priv, &ufile->umaps_list, 49 node) { 50 struct mm_struct *curr_mm = priv->vma->vm_mm; 51 52 if (!mm) { 53 if (!mmget_not_zero(curr_mm)) { 54 list_del_init(&priv->node); 55 continue; 56 } 57 mm = curr_mm; 58 list_move_tail(&priv->node, &local_list); 59 } else if (curr_mm == mm) { 60 list_move_tail(&priv->node, &local_list); 61 } 62 } 63 mutex_unlock(&ufile->umap_mutex); 64 65 if (list_empty(&local_list)) { 66 if (mm) 67 mmput(mm); 68 return; 69 } 70 71 mmap_read_lock(mm); 72 73 list_for_each_entry_safe(priv, next_priv, &local_list, node) { 74 struct vm_area_struct *vma = priv->vma; 75 76 list_del_init(&priv->node); 77 if (vma->vm_mm == mm) 78 zap_vma_ptes(vma, vma->vm_start, 79 vma->vm_end - vma->vm_start); 80 } 81 mmap_read_unlock(mm); 82 83 mmput(mm); 84 } 85 } 86 87 static void uburma_umap_open(struct vm_area_struct *vma) 88 { 89 struct uburma_file *ufile = vma->vm_file->private_data; 90 struct uburma_umap_priv *priv; 91 92 if (!down_read_trylock(&ufile->cleanup_rwsem)) 93 goto out_zap; 94 95 priv = kzalloc(sizeof(*priv), GFP_KERNEL); 96 if (!priv) 97 goto out_unlock; 98 99 uburma_umap_priv_init(priv, vma); 100 101 up_read(&ufile->cleanup_rwsem); 102 return; 103 104 out_unlock: 105 up_read(&ufile->cleanup_rwsem); 106 out_zap: 107 vma->vm_private_data = NULL; 108 zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start); 109 } 110 111 static void uburma_umap_close(struct vm_area_struct *vma) 112 { 113 struct uburma_file *ufile = vma->vm_file->private_data; 114 struct uburma_umap_priv *priv = vma->vm_private_data; 115 116 if (!priv) 117 return; 118 119 mutex_lock(&ufile->umap_mutex); 120 list_del(&priv->node); 121 mutex_unlock(&ufile->umap_mutex); 122 kfree(priv); 123 vma->vm_private_data = NULL; 124 } 125 126 static vm_fault_t uburma_umap_fault(struct vm_fault *vmf) 127 { 128 struct uburma_file *ufile = vmf->vma->vm_file->private_data; 129 struct uburma_umap_priv *priv = vmf->vma->vm_private_data; 130 struct page *page; 131 132 if (unlikely(!priv)) 133 return VM_FAULT_SIGBUS; 134 135 if (!(vmf->vma->vm_flags & (VM_WRITE | VM_MAYWRITE))) { 136 vmf->page = ZERO_PAGE(0); 137 get_page(vmf->page); 138 return 0; 139 } 140 141 page = READ_ONCE(ufile->fault_page); 142 if (likely(page)) { 143 vmf->page = page; 144 get_page(vmf->page); 145 return 0; 146 } 147 148 mutex_lock(&ufile->umap_mutex); 149 if (!ufile->fault_page) { 150 ufile->fault_page = alloc_pages(vmf->gfp_mask | __GFP_ZERO, 0); 151 if (!ufile->fault_page) { 152 mutex_unlock(&ufile->umap_mutex); 153 return VM_FAULT_SIGBUS; 154 } 155 } 156 vmf->page = ufile->fault_page; 157 get_page(vmf->page); 158 mutex_unlock(&ufile->umap_mutex); 159 160 return 0; 161 } 162 163 static const struct vm_operations_struct g_urma_umap_ops = { 164 .open = uburma_umap_open, 165 .close = uburma_umap_close, 166 .fault = uburma_umap_fault, 167 }; 168 > 169 const struct vm_operations_struct *uburma_get_umap_ops(void) -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 13/13] drivers/ub/ubus/services/hotplug/hotplug_msg.c:48:6: warning: no previous prototype for 'ubhp_handle_event'
by kernel test robot 28 Dec '25

28 Dec '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 03c9c649e6f28e26260d276ce755f785b2435da3 commit: 03f481a88c6b72336d8e6cba6f2b71d6f28e2027 [13/13] ub:ubus: Support processing protocol link messages config: arm64-randconfig-004-20251226 (https://download.01.org/0day-ci/archive/20251228/202512281950.nFNoH9PH-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.4.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251228/202512281950.nFNoH9PH-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512281950.nFNoH9PH-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/ub/ubus/services/hotplug/hotplug_msg.c:48:6: warning: no previous prototype for 'ubhp_handle_event' [-Wmissing-prototypes] 48 | void ubhp_handle_event(struct ub_slot *slot, enum hotplug_event event) | ^~~~~~~~~~~~~~~~~ Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for RESCTRL_FS Depends on [n]: MISC_FILESYSTEMS [=n] && ARCH_HAS_CPU_RESCTRL [=y] Selected by [y]: - ARM64_MPAM [=y] vim +/ubhp_handle_event +48 drivers/ub/ubus/services/hotplug/hotplug_msg.c 47 > 48 void ubhp_handle_event(struct ub_slot *slot, enum hotplug_event event) 49 { 50 bool queued = false; 51 u32 flag; 52 53 if (!ubhp_confirm_event(slot, event)) 54 return; 55 56 /** 57 * get slot if work is queued 58 * queue_work: return false if work already exists 59 * mod_delayed_work: return true if work exists, with its timer modified 60 */ 61 if (event == HPE_BUTTON_PRESSED) { 62 queued = queue_work(get_rx_msg_wq(UB_MSG_CODE_LINK), 63 &slot->button_work); 64 } else if (event == HPE_PRESENCE_DETECT) { 65 flag = work_busy(&slot->present_work.work); 66 if (!(flag & WORK_BUSY_RUNNING)) 67 queued = !mod_delayed_work( 68 get_rx_msg_wq(UB_MSG_CODE_LINK), 69 &slot->present_work, 0); 70 } 71 if (queued) 72 ubhp_get_slot(slot); 73 } 74 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 13/13] drivers/ub/ubus/services/gucd.c:198:5: warning: no previous prototype for 'ub_services_init'
by kernel test robot 28 Dec '25

28 Dec '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 03c9c649e6f28e26260d276ce755f785b2435da3 commit: 4885c5bba9c1b11faff1754a6e323b40872e82ad [13/13] ub:ubus: Add generic ub component driver config: arm64-randconfig-004-20251226 (https://download.01.org/0day-ci/archive/20251228/202512281721.3GHguL2r-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.4.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251228/202512281721.3GHguL2r-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512281721.3GHguL2r-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/ub/ubus/services/gucd.c:198:5: warning: no previous prototype for 'ub_services_init' [-Wmissing-prototypes] 198 | int ub_services_init(void) | ^~~~~~~~~~~~~~~~ >> drivers/ub/ubus/services/gucd.c:205:6: warning: no previous prototype for 'ub_services_exit' [-Wmissing-prototypes] 205 | void ub_services_exit(void) | ^~~~~~~~~~~~~~~~ Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for RESCTRL_FS Depends on [n]: MISC_FILESYSTEMS [=n] && ARCH_HAS_CPU_RESCTRL [=y] Selected by [y]: - ARM64_MPAM [=y] vim +/ub_services_init +198 drivers/ub/ubus/services/gucd.c 197 > 198 int ub_services_init(void) 199 { 200 ub_init_services(); 201 202 return ub_register_driver(&ub_component_device_driver); 203 } 204 > 205 void ub_services_exit(void) -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS 0/2] CVE-2025-68285
by Zhang Changzhong 27 Dec '25

27 Dec '25

Ilya Dryomov (1): libceph: fix potential use-after-free in have_mon_and_osd_map() Wang Liang (1): libceph: Fix kabi breakage net/ceph/ceph_common.c | 56 +++++++++++++++++++++++++++++++------------------- net/ceph/debugfs.c | 14 +++++++++---- 2 files changed, 45 insertions(+), 25 deletions(-) -- 2.9.5

2 3

[PATCH OLK-6.6] [Backport] Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
by Zhang Hongtao 27 Dec '25

27 Dec '25

From: Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> stable inclusion from stable-v6.6.117 commit 5f7350ff2b179764a4f40ba4161b60b8aaef857b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBA8B CVE: CVE-2025-40294 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------ commit 8d59fba49362c65332395789fd82771f1028d87e upstream. In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied. Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: db08722fc7d4 ("Bluetooth: hci_core: Fix missing instances using HCI_MAX_AD_LENGTH") Cc: stable(a)vger.kernel.org Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhang Hongtao <zhanghongtao35(a)huawei.com> --- include/net/bluetooth/mgmt.h | 2 +- net/bluetooth/mgmt.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h index d382679efd2b..e083f0fa0113 100644 --- a/include/net/bluetooth/mgmt.h +++ b/include/net/bluetooth/mgmt.h @@ -774,7 +774,7 @@ struct mgmt_adv_pattern { __u8 ad_type; __u8 offset; __u8 length; - __u8 value[31]; + __u8 value[HCI_MAX_AD_LENGTH]; } __packed; #define MGMT_OP_ADD_ADV_PATTERNS_MONITOR 0x0052 diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 205aadf01513..226e266a2ec6 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -5335,9 +5335,9 @@ static u8 parse_adv_monitor_pattern(struct adv_monitor *m, u8 pattern_count, for (i = 0; i < pattern_count; i++) { offset = patterns[i].offset; length = patterns[i].length; - if (offset >= HCI_MAX_EXT_AD_LENGTH || - length > HCI_MAX_EXT_AD_LENGTH || - (offset + length) > HCI_MAX_EXT_AD_LENGTH) + if (offset >= HCI_MAX_AD_LENGTH || + length > HCI_MAX_AD_LENGTH || + (offset + length) > HCI_MAX_AD_LENGTH) return MGMT_STATUS_INVALID_PARAMS; p = kmalloc(sizeof(*p), GFP_KERNEL); -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS 0/2] CVE-2025-68285
by Zhang Changzhong 27 Dec '25

27 Dec '25

Ilya Dryomov (1): libceph: fix potential use-after-free in have_mon_and_osd_map() Wang Liang (1): libceph: Fix kabi breakage net/ceph/ceph_common.c | 56 +++++++++++++++++++++++++++++++------------------- net/ceph/debugfs.c | 14 +++++++++---- 2 files changed, 45 insertions(+), 25 deletions(-) -- 2.9.5

2 3

[PATCH OLK-6.6] bpf: Handle return value of ftrace_set_filter_ip in register_fentry
by Tengda Wu 27 Dec '25

27 Dec '25

From: Menglong Dong <menglong8.dong(a)gmail.com> mainline inclusion from mainline-v6.19 commit fea3f5e83c5cd80a76d97343023a2f2e6bd862bf category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8306 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The error that returned by ftrace_set_filter_ip() in register_fentry() is not handled properly. Just fix it. Fixes: 00963a2e75a8 ("bpf: Support bpf_trampoline on functions with IPMODIFY (e.g. livepatch)") Signed-off-by: Menglong Dong <dongml2(a)chinatelecom.cn> Acked-by: Song Liu <song(a)kernel.org> Link: https://lore.kernel.org/r/20251110120705.1553694-1-dongml2@chinatelecom.cn Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- kernel/bpf/trampoline.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c index bcf8e4bad210..9218286a3c42 100644 --- a/kernel/bpf/trampoline.c +++ b/kernel/bpf/trampoline.c @@ -216,7 +216,9 @@ static int register_fentry(struct bpf_trampoline *tr, void *new_addr) } if (tr->func.ftrace_managed) { - ftrace_set_filter_ip(tr->fops, (unsigned long)ip, 0, 1); + ret = ftrace_set_filter_ip(tr->fops, (unsigned long)ip, 0, 1); + if (ret) + return ret; ret = register_ftrace_direct(tr->fops, (long)new_addr); } else { ret = bpf_arch_text_poke(ip, BPF_MOD_CALL, NULL, new_addr); -- 2.34.1

2 1

[PATCH OLK-6.6] isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
by Zhang Kunbo 27 Dec '25

27 Dec '25

From: Abdun Nihaal <nihaal(a)cse.iitm.ac.in> stable inclusion from stable-v6.6.117 commit 03695541b3349bc40bf5d6563d44d6147fb20260 category: bugfix bugzilla: https://gitcode.com/src-openeuler/kernel/issues/12813 CVE: CVE-2025-68734 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream. In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style. Compile tested only. Issue found using a prototype static analysis tool. Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver") Signed-off-by: Abdun Nihaal <nihaal(a)cse.iitm.ac.in> Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c index b82b89888a5e..c55438e1f678 100644 --- a/drivers/isdn/hardware/mISDN/hfcsusb.c +++ b/drivers/isdn/hardware/mISDN/hfcsusb.c @@ -1903,13 +1903,13 @@ setup_instance(struct hfcsusb *hw, struct device *parent) mISDN_freebchannel(&hw->bch[1]); mISDN_freebchannel(&hw->bch[0]); mISDN_freedchannel(&hw->dch); - kfree(hw); return err; } static int hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id) { + int err; struct hfcsusb *hw; struct usb_device *dev = interface_to_usbdev(intf); struct usb_host_interface *iface = intf->cur_altsetting; @@ -2100,20 +2100,28 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id) if (!hw->ctrl_urb) { pr_warn("%s: No memory for control urb\n", driver_info->vend_name); - kfree(hw); - return -ENOMEM; + err = -ENOMEM; + goto err_free_hw; } pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n", hw->name, __func__, driver_info->vend_name, conf_str[small_match], ifnum, alt_used); - if (setup_instance(hw, dev->dev.parent)) - return -EIO; + if (setup_instance(hw, dev->dev.parent)) { + err = -EIO; + goto err_free_urb; + } hw->intf = intf; usb_set_intfdata(hw->intf, hw); return 0; + +err_free_urb: + usb_free_urb(hw->ctrl_urb); +err_free_hw: + kfree(hw); + return err; } /* function called when an active device is removed */ -- 2.34.1

2 1

[PATCH OLK-5.10] isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
by Zhang Kunbo 27 Dec '25

27 Dec '25

From: Abdun Nihaal <nihaal(a)cse.iitm.ac.in> stable inclusion from stable-v5.10.247 commit adb7577e23a431fc53aa1b6107733c0d751015fb category: bugfix bugzilla: https://gitcode.com/src-openeuler/kernel/issues/12813 CVE: CVE-2025-68734 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream. In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style. Compile tested only. Issue found using a prototype static analysis tool. Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver") Signed-off-by: Abdun Nihaal <nihaal(a)cse.iitm.ac.in> Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c index e8b37bd5e34a..a9565ebaab00 100644 --- a/drivers/isdn/hardware/mISDN/hfcsusb.c +++ b/drivers/isdn/hardware/mISDN/hfcsusb.c @@ -1903,13 +1903,13 @@ setup_instance(struct hfcsusb *hw, struct device *parent) mISDN_freebchannel(&hw->bch[1]); mISDN_freebchannel(&hw->bch[0]); mISDN_freedchannel(&hw->dch); - kfree(hw); return err; } static int hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id) { + int err; struct hfcsusb *hw; struct usb_device *dev = interface_to_usbdev(intf); struct usb_host_interface *iface = intf->cur_altsetting; @@ -2100,20 +2100,28 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id) if (!hw->ctrl_urb) { pr_warn("%s: No memory for control urb\n", driver_info->vend_name); - kfree(hw); - return -ENOMEM; + err = -ENOMEM; + goto err_free_hw; } pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n", hw->name, __func__, driver_info->vend_name, conf_str[small_match], ifnum, alt_used); - if (setup_instance(hw, dev->dev.parent)) - return -EIO; + if (setup_instance(hw, dev->dev.parent)) { + err = -EIO; + goto err_free_urb; + } hw->intf = intf; usb_set_intfdata(hw->intf, hw); return 0; + +err_free_urb: + usb_free_urb(hw->ctrl_urb); +err_free_hw: + kfree(hw); + return err; } /* function called when an active device is removed */ -- 2.34.1

2 1

[PATCH OLK-6.6 0/1] CVE-2025-39673
by Yongqiang Liu 27 Dec '25

27 Dec '25

Qingfang Deng (1): ppp: fix race conditions in ppp_fill_forward_path drivers/net/ppp/ppp_generic.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) -- 2.43.0

2 2