In the Linux kernel, the following vulnerability has been resolved:
virtio-mmio: dont break lifecycle of vm_dev
vm_dev has a separate lifecycle because it has a struct device embedded. Thus, having a release callback for it is correct.
Allocating the vm_dev struct with devres totally breaks this protection, though. Instead of waiting for the vm_dev release callback, the memory is freed when the platform_device is removed. Resulting in a use-after-free when finally the callback is to be called.
To easily see the problem, compile the kernel with CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.
The fix is easy, dont use devres in this case.
Found during my research about object lifetime problems.