CVE-2025-38027

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/06/2025
Last modified: 18/06/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

regulator: max20086: fix invalid memory access

max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument.

of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches().

struct devm_of_regulator_matches is populated with the stack allocated matches array.

If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries:

    max20086 6-0028: Failed to read DEVICE_ID reg: -121
    kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet
    kobject_put() is being called.

Followed by a stack trace matching the call flow described above.

Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope.

This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match.
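The lifetime rule behind the fix, as an added userspace model in C (not kernel code and not the patch itself): the matches array is registered as a device-managed allocation before the release action that reads it, and teardown runs newest-first, so the action still sees valid memory after the probe function has returned. All type and function names are hypothetical stand-ins, and -121 is the error value from the dmesg line.

```c
/* Userspace model of the devres lifetime rule; every name is hypothetical. */
#include <stdlib.h>

struct res { void (*release)(void *); void *data; };
struct dev { struct res r[8]; int n; };    /* r[n-1] = newest resource */
struct node { int refs; };                 /* stands in for struct device_node */
struct match { struct node *of_node; };    /* stands in for struct of_regulator_match */
struct matches { struct match *m; int n; };

/* Registers a release action to run when the device is torn down. */
static int dev_add(struct dev *d, void (*rel)(void *), void *data)
{
    if (d->n == 8) return -1;
    d->r[d->n++] = (struct res){ rel, data };
    return 0;
}
/* Like devm_kcalloc(): zeroed memory that is freed at device teardown. */
static void *model_devm_calloc(struct dev *d, size_t n, size_t size)
{
    void *p = calloc(n, size);
    if (p && dev_add(d, free, p)) { free(p); p = NULL; }
    return p;
}
/* Release action: drops node references through the saved array pointer. */
static void put_matches(void *data)
{
    struct matches *ms = data;
    for (int i = 0; i < ms->n; i++)
        if (ms->m[i].of_node) ms->m[i].of_node->refs--;
    free(ms);
}
/* Fixed probe path: the array outlives this function, then probe fails. */
int model_probe(struct dev *d, struct node *nodes, int n)
{
    struct match *m = model_devm_calloc(d, n, sizeof(*m));
    struct matches *ms = m ? malloc(sizeof(*ms)) : NULL;
    if (!ms) return -12;
    ms->m = m; ms->n = n;
    for (int i = 0; i < n; i++) { m[i].of_node = &nodes[i]; nodes[i].refs++; }
    if (dev_add(d, put_matches, ms)) { put_matches(ms); return -12; }
    return -121;    /* the DEVICE_ID read error from the dmesg line */
}
/* Teardown after the failed probe: newest resource is released first. */
int model_release_all(struct dev *d)
{
    int released = d->n;
    while (d->n > 0) { d->n--; d->r[d->n].release(d->r[d->n].data); }
    return released;
}
```

With a stack array in place of model_devm_calloc(), the pointer saved in struct matches would refer to a dead stack frame by the time model_release_all() runs, which is the access the dmesg entries report.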

Impact