In the Linux kernel, the following vulnerability has been resolved:
misc/libmasm/module: Fix two use after free in ibmasminitone
In ibmasminitone, it calls ibmasminitremoteinputdev(). Inside ibmasminitremoteinputdev, mousedev and keybddev are allocated by inputallocatedevice(), and assigned to sp->remote.mousedev and sp->remote.keybddev respectively.
In the errfreedevices error branch of ibmasminitone, mousedev and keybddev are freed by inputfreedevice(), and return error. Then the execution runs into errorsendmessage error branch of ibmasminitone, where ibmasmfreeremoteinputdev(sp) is called to unregister the freed sp->remote.mousedev and sp->remote.keybddev.
My patch add a "errorinitremote" label to handle the error of ibmasminitremoteinputdev(), to avoid the uaf bugs.