In the Linux kernel, the following vulnerability has been resolved:
fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal
CXL is linked before fwctl in drivers/Makefile. Both use module_init, so
cxl_pci_driver_init() runs first. When cxl_pci_probe() calls
fwctl_register() and then device_add(), fwctl_class is not yet
registered because fwctl_init() hasn't run, causing class_to_subsys() to
return NULL and skip knode_class initialization.
On device removal, class_to_subsys() returns non-NULL, and
device_del() calls klist_del()` on the uninitialized knode, triggering
a NULL pointer dereference.