CVE-2025-37989

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: phy: leds: fix memory leak<br /> <br /> A network restart test on a router led to an out-of-memory condition,<br /> which was traced to a memory leak in the PHY LED trigger code.<br /> <br /> The root cause is misuse of the devm API. The registration function<br /> (phy_led_triggers_register) is called from phy_attach_direct, not<br /> phy_probe, and the unregister function (phy_led_triggers_unregister)<br /> is called from phy_detach, not phy_remove. This means the register and<br /> unregister functions can be called multiple times for the same PHY<br /> device, but devm-allocated memory is not freed until the driver is<br /> unbound.<br /> <br /> This also prevents kmemleak from detecting the leak, as the devm API<br /> internally stores the allocated pointer.<br /> <br /> Fix this by replacing devm_kzalloc/devm_kcalloc with standard<br /> kzalloc/kcalloc, and add the corresponding kfree calls in the unregister<br /> path.