In the Linux kernel, the following vulnerability has been resolved:
ceph: prevent use-after-free in encodecapmsg()
In fs/ceph/caps.c, in encodecapmsg(), "use after free" error was caught by KASAN at this line - 'cephbufferget(arg->xattr_buf);'. This implies before the refcount could be increment here, it was freed.
In same file, in "handlecapgrant()" refcount is decremented by this line - 'cephbufferput(ci->i_xattrs.blob);'. It appears that a race occurred and resource was freed by the latter line before the former line could increment it.
encodecapmsg() is called by _sendcap() and _sendcap() is called by cephcheckcaps() after calling _prepcap(). _prepcap() is where arg->xattrbuf is assigned to ci->ixattrs.blob. This is the spot where the refcount must be increased to prevent "use after free" error.