Description
In the Linux kernel, the following vulnerability has been resolved: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release().
Product status
4ebe36c94aed95de71a8ce6a6762226d31c938ee (git) before 56bc91ee78babe9578585a2bc137abc4b3115ff3
4ebe36c94aed95de71a8ce6a6762226d31c938ee (git) before 019ea28629720c220daedf38107c8787f330dc05
4ebe36c94aed95de71a8ce6a6762226d31c938ee (git) before da39ee627fd82b52068d4d5f115749a8b7d271f9
4ebe36c94aed95de71a8ce6a6762226d31c938ee (git) before 427d048e4f6acbfa01b5a8062449fe0ee8987c0d
4ebe36c94aed95de71a8ce6a6762226d31c938ee (git) before d2703b4f8fb7cc6f0dfdb2dc2359cc46189e7357
4ebe36c94aed95de71a8ce6a6762226d31c938ee (git) before 3bf9d023d2329a0e5379f2fd09d06ef09729cd9d
4ebe36c94aed95de71a8ce6a6762226d31c938ee (git) before 6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e
e977b1477a6725868302957e6b5c330220391797 (git)
5.2
Any version before 5.2
5.10.253 (semver)
6.1.168 (semver)
6.6.134 (semver)
6.12.81 (semver)
6.18.22 (semver)
6.19.12 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/56bc91ee78babe9578585a2bc137abc4b3115ff3
git.kernel.org/...c/019ea28629720c220daedf38107c8787f330dc05
git.kernel.org/...c/da39ee627fd82b52068d4d5f115749a8b7d271f9
git.kernel.org/...c/427d048e4f6acbfa01b5a8062449fe0ee8987c0d
git.kernel.org/...c/d2703b4f8fb7cc6f0dfdb2dc2359cc46189e7357
git.kernel.org/...c/3bf9d023d2329a0e5379f2fd09d06ef09729cd9d
git.kernel.org/...c/6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e