In the Linux kernel, the following vulnerability has been resolved:
RDMA/siw: Fix a use after free in siwallocmr
Our code analyzer reported a UAF.
In siwallocmr(), it calls siwmraddmem(mr,..). In the implementation of siwmraddmem(), mem is assigned to mr->mem and then mem is freed via kfree(mem) if xaalloccyclic() failed. Here, mr->mem still point to a freed object. After, the execution continue up to the errout branch of siwallocmr, and the freed mr->mem is used in siwmrdropmem(mr).
My patch moves "mr->mem = mem" behind the if (xaalloccyclic(..)<0) {} section, to avoid the uaf.