In the Linux kernel, the following vulnerability has been resolved:
spi: lpspi: Avoid potential use-after-free in probe()
fsllpspiprobe() is allocating/disposing memory manually with spiallochost()/spialloctarget(), but uses devmspiregistercontroller(). In case of error after the latter call the memory will be explicitly freed in the probe function by spicontrollerput() call, but used afterwards by "devm" management outside probe() (spiunregistercontroller() <- devmspi_unregister() below).
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070 ... Call trace: kernfsfindns kernfsfindandgetns sysfsremovegroup sysfsremovegroups deviceremoveattrs devicedel spiunregistercontroller devmspiunregister releasenodes devresreleaseall reallyprobe driverprobedevice _deviceattachdriver busforeachdrv _deviceattach deviceinitialprobe busprobedevice deferredprobeworkfunc processonework workerthread kthread retfrom_fork