CVE-2026-45891

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
27/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix double free issue for tx spare buffer

In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory.

Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory.

The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer.

Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new `tx_spare` fails. This ensures the error cleanup path only frees genuinely newly allocated buffers.
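
The pointer lifecycle described above, reduced to a user-space C model (an added example, not the hns3 driver code or the upstream patch). Apart from tx_spare and tmp_rings, every name is hypothetical; frees are counted instead of performed, and the second free is assumed to occur when the restored backup is later released.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the driver's structures. */
struct spare { int frees; };              /* counts "free" calls on this buffer */
struct ring  { struct spare *tx_spare; };

/* Tracked free: records the call so a double free is observable, not fatal. */
static void spare_free(struct spare *s) { s->frees++; }

/* Models ring re-initialisation in which the new tx_spare allocation fails. */
static int init_ring(struct ring *r, int clear_on_fail)
{
    struct spare *new_spare = NULL;       /* simulated allocation failure */
    if (!new_spare) {
        if (clear_on_fail)
            r->tx_spare = NULL;           /* the fix: drop the stale pointer */
        return -1;
    }
    r->tx_spare = new_spare;
    return 0;
}

/* Cleanup treats any non-NULL tx_spare as a buffer it owns. */
static void fini_ring(struct ring *r)
{
    if (r->tx_spare) {
        spare_free(r->tx_spare);
        r->tx_spare = NULL;
    }
}

/* Returns how many times the old (backup) spare buffer was freed. */
int set_ringparam_model(int clear_on_fail)
{
    struct spare old = {0};
    struct ring ring = { .tx_spare = &old };
    struct ring tmp_rings = ring;         /* backup copy kept for rollback */

    if (init_ring(&ring, clear_on_fail) != 0) {
        fini_ring(&ring);                 /* error path: free "new" buffers */
        ring = tmp_rings;                 /* roll back to the backup */
    }
    fini_ring(&ring);                     /* assumed later release of the ring */
    return old.frees;
}

int main(void)
{
    printf("unfixed: %d frees\n", set_ringparam_model(0));
    printf("fixed:   %d frees\n", set_ringparam_model(1));
    return 0;
}
```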

Impact