In the Linux kernel, the following vulnerability has been resolved:
ath10k: Fix a use after free in ath10khtcsend_bundle
In ath10khtcsendbundle, the bundleskb could be freed by devkfreeskbany(bundleskb). But the bundleskb is used later by bundleskb->len.
As skblen = bundleskb->len, my patch replaces bundleskb->len to skblen after the bundle_skb was freed.