In the Linux kernel, the following vulnerability has been resolved:

gpio: Fix resource leaks on errors in gpiochip_add_data_with_key()

Since commit aab5c6f20023 ("gpio: set device type for GPIO chips"),
gdev->dev.release is unset. As a result, the reference count to
gdev->dev isn't dropped on the error handling paths.

Drop the reference on errors.

Also reorder the instructions to make the error handling simpler.
Now gpiochip_add_data_with_key() roughly looks like:

    Some memory allocation. Go to ERR ZONE 1 on errors.
    device_initialize().

    gpiodev_release() takes over the responsibility for freeing the
    resources of gdev->dev. The subsequent error handling paths
    shouldn't go through ERR ZONE 1 again which leads to double free.

    Some initialization mainly on gdev.
    The rest of initialization. Go to ERR ZONE 2 on errors.
    Chip registration success and exit.

    ERR ZONE 2. gpio_device_put() and exit.
    ERR ZONE 1.
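
A userspace C model of the two error zones described above, added here as an illustration; it is not kernel code and not the patch itself. The names mdev, gdev_release, mdev_put, chip_add, fail_at, drop_ref and last are hypothetical stand-ins, and drop_ref = 0 reproduces the missing put on the late error path.

```c
/* Constructed userspace model; all names here are hypothetical, not kernel APIs. */
#include <stdlib.h>

struct mdev { int refs; void (*release)(struct mdev *); };
struct gdev { struct mdev dev; char *label; };   /* dev must stay the first member */

static int live_allocs;                          /* 0 after a call == nothing leaked */
static struct gdev *last;                        /* most recent object, for inspection */

static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p)    { if (p) { live_allocs--; free(p); } }

/* Stand-in for gpiodev_release(): the only place that frees once refs are counted. */
static void gdev_release(struct mdev *d)
{
    struct gdev *g = (struct gdev *)d;
    xfree(g->label);
    xfree(g);
}

static void mdev_put(struct mdev *d) { if (--d->refs == 0) d->release(d); }

/* fail_at: 0 = success, 1 = error before init, 2 = error after init.
 * drop_ref = 0 models the leak: the late error path returns without a put. */
static int chip_add(int fail_at, int drop_ref)
{
    struct gdev *g = last = xalloc(sizeof(*g));
    if (!g)
        return -1;
    g->label = xalloc(16);
    if (!g->label || fail_at == 1)
        goto err_zone1;
    g->dev.refs = 1;                 /* device_initialize() equivalent */
    g->dev.release = gdev_release;   /* from here on, never jump to err_zone1 */
    if (fail_at == 2)
        goto err_zone2;
    mdev_put(&g->dev);               /* model only: tear down at once on success */
    return 0;
err_zone2:
    if (drop_ref)
        mdev_put(&g->dev);           /* release callback frees label and g */
    return -2;
err_zone1:
    xfree(g->label);                 /* manual frees: no release callback yet */
    xfree(g);
    return -1;
}

int main(void) { return (chip_add(2, 1) == -2 && live_allocs == 0) ? 0 : 1; }
```

With drop_ref = 0 and fail_at = 2, both allocations stay live until something drops the last reference, which is the leak the commit message describes.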