In the Linux kernel, the following vulnerability has been resolved:
dpll: fix dpllxaref*del() for multiple registrations
Currently, if there are multiple registrations of the same pin on the same dpll device, following warnings are observed: WARNING: CPU: 5 PID: 2212 at drivers/dpll/dpllcore.c:143 dpllxarefpindel.isra.0+0x21e/0x230 WARNING: CPU: 5 PID: 2212 at drivers/dpll/dpllcore.c:223 _dpllpin_unregister+0x2b3/0x2c0
The problem is, that in both dpllxarefdplldel() and dpllxarefpindel() registration is only removed from list in case the reference count drops to zero. That is wrong, the registration has to be removed always.
To fix this, remove the registration from the list and free it unconditionally, instead of doing it only when the ref reference counter reaches zero.