In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in createspaceinfo() error path When kobjectinitandadd() fails, the call chain is: createspaceinfo() -> btrfssysfsaddspaceinfotype() -> kobjectinitandadd() -> failure -> kobjectput(&spaceinfo->kobj) -> spaceinforelease() -> kfree(spaceinfo) Then control returns to createspaceinfo(): btrfssysfsaddspaceinfotype() returns error -> goto outfree -> kfree(spaceinfo) This causes a double free. Keep the direct kfree(spaceinfo) for the earlier failure path, but after btrfssysfsaddspaceinfotype() has called kobjectput(), let the kobject release callback handle the cleanup.