In the Linux kernel, the following vulnerability has been resolved:

pps: fix warning in pps_register_cdev when register device fail

Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error
handling in __video_register_device()"), the release hook should be set
before device_register(). Otherwise, when device_register() returns an error
and put_device() tries to call back the release function, the below warning
may happen.

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567
  Modules linked in:
  CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE
  RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567
  Call Trace:
   <TASK>
   kobject_cleanup+0x136/0x410 lib/kobject.c:689
   kobject_release lib/kobject.c:720 [inline]
   kref_put include/linux/kref.h:65 [inline]
   kobject_put+0xe9/0x130 lib/kobject.c:737
   put_device+0x24/0x30 drivers/base/core.c:3797
   pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402
   pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108
   pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57
   tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432
   tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563
   tiocsetd drivers/tty/tty_io.c:2429 [inline]
   tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:598 [inline]
   __se_sys_ioctl fs/ioctl.c:584 [inline]
   __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   </TASK>

Before commit c79a39dc8d06 ("pps: Fix a use-after-free"),
pps_register_cdev() called device_create() to create pps->dev, which will
init dev->release to device_create_release(). Now the comment is outdated,
just remove it.

Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed
in pps_register_source() to avoid a double free in the failure case.
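
The ordering problem described above, as a userspace C model added here (not kernel code and not part of the original commit). Every toy_* name is a hypothetical stand-in for the initialize/register/put sequence and for the caller-side 'kfree_pps' cleanup, and registration is assumed to fail every time.

```c
#include <stdio.h>

/* Userspace model; every toy_* name is hypothetical, not a kernel API. */
struct toy_device {
    int refcount;
    int frees;    /* how many times the object was freed */
    int warned;   /* last put found no release hook */
    void (*release)(struct toy_device *dev);
};
struct toy_result { int warned; int frees; };

static void toy_release(struct toy_device *dev) { dev->frees++; }

/* Models put_device(): the last reference runs release, or warns if unset. */
static void toy_put(struct toy_device *dev)
{
    if (--dev->refcount > 0)
        return;
    if (dev->release)
        dev->release(dev);
    else
        dev->warned = 1;
}

/* Models the register step with registration always failing. */
static int toy_register_cdev(struct toy_device *dev, int hook_first)
{
    dev->refcount = 1;                 /* initial reference */
    if (hook_first)
        dev->release = toy_release;    /* fixed order: hook set before register */
    toy_put(dev);                      /* error path drops the only reference */
    return -1;
}

/* caller_kfree models the caller-side free on error ('kfree_pps'). */
static struct toy_result toy_register_source(int hook_first, int caller_kfree)
{
    struct toy_device dev = {0};
    if (toy_register_cdev(&dev, hook_first) < 0 && caller_kfree)
        dev.frees++;
    return (struct toy_result){ dev.warned, dev.frees };
}

int main(void)
{
    struct toy_result r = toy_register_source(1, 0);   /* fixed order, no caller free */
    printf("warned=%d frees=%d\n", r.warned, r.frees);
    return 0;
}
```

Calling toy_register_source(0, 1) models the old ordering (a warning, one free by the caller); toy_register_source(1, 1) shows why the caller-side free has to go once the hook is set early, since the object is then freed twice.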
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {
    "cveId": "CVE-2025-40070",
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "dateUpdated": "2025-10-29T13:19:57.243Z",
    "dateReserved": "2025-04-16T07:20:57.159Z",
    "datePublished": "2025-10-28T11:48:38.838Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux",
        "dateUpdated": "2025-10-29T13:19:57.243Z"
      },
      "title": "pps: fix warning in pps_register_cdev when register device fail",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: fix warning in pps_register_cdev when register device fail\n\nSimilar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error\nhandling in __video_register_device()\"), the release hook should be set\nbefore device_register(). Otherwise, when device_register() return error\nand put_device() try to callback the release function, the below warning\nmay happen.\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE\n  RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567\n  Call Trace:\n   <TASK>\n   kobject_cleanup+0x136/0x410 lib/kobject.c:689\n   kobject_release lib/kobject.c:720 [inline]\n   kref_put include/linux/kref.h:65 [inline]\n   kobject_put+0xe9/0x130 lib/kobject.c:737\n   put_device+0x24/0x30 drivers/base/core.c:3797\n   pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402\n   pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108\n   pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57\n   tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432\n   tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563\n   tiocsetd drivers/tty/tty_io.c:2429 [inline]\n   tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:598 [inline]\n   __se_sys_ioctl fs/ioctl.c:584 [inline]\n   __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nBefore commit c79a39dc8d06 (\"pps: Fix a use-after-free\"),\npps_register_cdev() call device_create() to create pps->dev, which will\ninit dev->release to device_create_release(). Now the comment is outdated,\njust remove it.\n\nThanks for the reminder from Calvin Owens, 'kfree_pps' should be removed\nin pps_register_source() to avoid a double free in the failure case."
        }
      ],
      "affected": [
        {
          "vendor": "Linux",
          "product": "Linux",
          "programFiles": [
            "drivers/pps/kapi.c",
            "drivers/pps/pps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "785c78ed0d39d1717cca3ef931d3e51337b5e90e",
              "status": "affected",
              "versionType": "git",
              "lessThan": "38c7bb10aae5118dd48fa7a82f7bf93839bcc320"
            },
            {
              "version": "1a7735ab2cb9747518a7416fb5929e85442dec62",
              "status": "affected",
              "versionType": "git",
              "lessThan": "2a194707ca27a3b0523023fa8b446e5ec922dc51"
            },
            {
              "version": "c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7",
              "status": "affected",
              "versionType": "git",
              "lessThan": "125527db41805693208ee1aacd7f3ffe6a3a489c"
            },
            {
              "version": "91932db1d96b2952299ce30c1c693d834d10ace6",
              "status": "affected",
              "versionType": "git",
              "lessThan": "4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8"
            },
            {
              "version": "cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64",
              "status": "affected",
              "versionType": "git",
              "lessThan": "cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e"
            },
            {
              "version": "7e5ee3281dc09014367f5112b6d566ba36ea2d49",
              "status": "affected",
              "versionType": "git",
              "lessThan": "f01fa3588e0b3cb1540f56d2c6bd99e5b3810234"
            },
            {
              "version": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
              "status": "affected",
              "versionType": "git",
              "lessThan": "0f97564a1fb62f34b3b498e2f12caffbe99c004a"
            },
            {
              "version": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
              "status": "affected",
              "versionType": "git",
              "lessThan": "b0531cdba5029f897da5156815e3bdafe1e9b88d"
            },
            {
              "version": "85241f7de216f8298f6e48540ea13d7dcd100870",
              "status": "affected",
              "versionType": "git"
            }
          ]
        },
        {
          "vendor": "Linux",
          "product": "Linux",
          "programFiles": [
            "drivers/pps/kapi.c",
            "drivers/pps/pps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "defaultStatus": "affected",
          "versions": [
            {
              "version": "6.14",
              "status": "affected"
            },
            {
              "version": "0",
              "status": "unaffected",
              "versionType": "semver",
              "lessThan": "6.14"
            },
            {
              "version": "5.4.301",
              "status": "unaffected",
              "versionType": "semver",
              "lessThanOrEqual": "5.4.*"
            },
            {
              "version": "5.10.246",
              "status": "unaffected",
              "versionType": "semver",
              "lessThanOrEqual": "5.10.*"
            },
            {
              "version": "5.15.195",
              "status": "unaffected",
              "versionType": "semver",
              "lessThanOrEqual": "5.15.*"
            },
            {
              "version": "6.1.156",
              "status": "unaffected",
              "versionType": "semver",
              "lessThanOrEqual": "6.1.*"
            },
            {
              "version": "6.6.112",
              "status": "unaffected",
              "versionType": "semver",
              "lessThanOrEqual": "6.6.*"
            },
            {
              "version": "6.12.53",
              "status": "unaffected",
              "versionType": "semver",
              "lessThanOrEqual": "6.12.*"
            },
            {
              "version": "6.17.3",
              "status": "unaffected",
              "versionType": "semver",
              "lessThanOrEqual": "6.17.*"
            },
            {
              "version": "6.18-rc1",
              "status": "unaffected",
              "versionType": "original_commit_for_fix",
              "lessThanOrEqual": "*"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/38c7bb10aae5118dd48fa7a82f7bf93839bcc320"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a194707ca27a3b0523023fa8b446e5ec922dc51"
        },
        {
          "url": "https://git.kernel.org/stable/c/125527db41805693208ee1aacd7f3ffe6a3a489c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f01fa3588e0b3cb1540f56d2c6bd99e5b3810234"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f97564a1fb62f34b3b498e2f12caffbe99c004a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0531cdba5029f897da5156815e3bdafe1e9b88d"
        }
      ]
    }
  }
}