In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: msft: fix slab-use-after-free in msftdoclose()
Tying the msft->data lifetime to hdev by freeing it in hcireleasedev() to fix the following case:
[use] msftdoclose() msft = hdev->msftdata; if (!msft) ...(1) <- passed. return; mutexlock(&msft->filter_lock); ...(4) <- used after freed.
[free] msftunregister() msft = hdev->msftdata; hdev->msft_data = NULL; ...(2) kfree(msft); ...(3) <- msft is freed.
================================================================== BUG: KASAN: slab-use-after-free in _mutexlockcommon kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in _mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309