In the Linux kernel, the following vulnerability has been resolved:
regulator: max20086: fix invalid memory access
max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument.
of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches().
struct devm_of_regulator_matches is populated with the stack allocated matches array.
If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries:
max20086 6-0028: Failed to read DEVICE_ID reg: -121
kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called.
Followed by a stack trace matching the call flow described above.
Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope.
This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match.
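
The fix depends on device-managed resources being released in reverse order of registration, so the put action runs while the devm_kcalloc() array is still allocated. The userspace C model below is an added example, not the driver's or the kernel's code; every type and function name in it is a hypothetical stand-in, and the order log ('P' for put, 'F' for free) exists only to make the sequence visible.

```c
#include <stdlib.h>
/* Userspace model of devres ordering; all names are hypothetical, not kernel API.
 * Allocation failure checks are omitted to keep the model short. */
struct node  { int refs; };             /* stands in for struct device_node */
struct match { struct node *of_node; }; /* stands in for struct of_regulator_match */
struct res   { void (*release)(void *); void *data; struct res *prev; };
struct dev   { struct res *last; char order[8]; int n; };
struct put_ctx { struct match *m; int count; }; /* models the devres record */
static struct dev *cur;                 /* device being released, for the order log */

static void add_res(struct dev *d, void (*fn)(void *), void *data)
{
	struct res *r = malloc(sizeof(*r));
	*r = (struct res){ fn, data, d->last };
	d->last = r;
}

static void free_array(void *p) { cur->order[cur->n++] = 'F'; free(p); }
/* Drops node references by reading the caller's array: a stack array is gone by now. */
static void put_matches(void *p)
{
	struct put_ctx *c = p;
	cur->order[cur->n++] = 'P';
	for (int i = 0; i < c->count; i++)
		c->m[i].of_node->refs--;
	free(c);
}

/* Fixed pattern: the array is device-owned and registered before the put action. */
static void parse_fixed(struct dev *d, struct node *nodes, int count)
{
	struct match *m = calloc(count, sizeof(*m)); /* models devm_kcalloc() */
	struct put_ctx *c = malloc(sizeof(*c));
	add_res(d, free_array, m);
	for (int i = 0; i < count; i++) { m[i].of_node = &nodes[i]; nodes[i].refs++; }
	c->m = m; c->count = count;
	add_res(d, put_matches, c);
}

/* Probe failure or unbind: release newest first, as devres does. */
static void release_all(struct dev *d)
{
	cur = d;
	while (d->last) {
		struct res *r = d->last;
		d->last = r->prev;
		r->release(r->data);
		free(r);
	}
}
```

With a stack array in place of the calloc() call, put_matches() would dereference storage whose frame returned long before release_all() ran, which is the access the dmesg entries above report.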