In the Linux kernel, the following vulnerability has been resolved:
drbd: Fix five use after free bugs in get_initial_state
In get_initial_state, it calls notify_initial_state_done(skb, ...) if cb->args[5] == 1. If genlmsg_put() failed in notify_initial_state_done(), the skb will be freed by nlmsg_free(skb). Then get_initial_state will goto out and the freed skb will be used by the return value skb->len, which is a UAF bug.
What's worse, the same problem goes even further: skb can also be freed in the notify_*_state_change -> notify_*_state calls below. Thus 4 additional UAF bugs happened.
My patch lets the problem callee functions, notify_initial_state_done and notify_*_state_change, return an error code if errors happen, so that the error codes can be propagated and the UAF bugs can be avoided.
v2 reported a compilation warning. This v3 fixed this warning and built successfully in my local environment with no additional warnings. v2: https://lore.kernel.org/patchwork/patch/1435218/
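The pattern behind the advisory, shown as an added user-space model rather than the kernel's or drbd's own code: a callee that frees the buffer on failure but returns nothing, so the caller cannot know the buffer is gone and reads skb->len anyway, beside the corrected shape in which the callee returns an error code and the caller propagates it without touching the buffer. The struct sk_buff_sim, nlmsg_free_sim, the "freed" flag and the uaf_count counter are hypothetical stand-ins for struct sk_buff, nlmsg_free() and what KASAN would report; the -EMSGSIZE error value is an assumption, not taken from the patch.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical model of struct sk_buff: a message length plus a flag that
 * records the buffer has been released. Nothing is really freed, so the
 * "before" path can be executed and observed instead of being undefined
 * behaviour. */
struct sk_buff_sim {
    int len;
    int freed;
};

/* Counts reads of a buffer after it was released. In the kernel this is
 * the condition KASAN reports as a use-after-free. */
static int uaf_count = 0;

/* Model of nlmsg_free(): marks the buffer as gone. */
static void nlmsg_free_sim(struct sk_buff_sim *skb)
{
    skb->freed = 1;
}

/* Reads skb->len the way get_initial_state's "return skb->len" does,
 * recording a UAF if the buffer was already released. */
static int read_len(struct sk_buff_sim *skb)
{
    if (skb->freed)
        uaf_count++;
    return skb->len;
}

/* Stand-in for the genlmsg_put() outcome: non-zero means it succeeds. */
static int genlmsg_put_ok = 1;

/* BEFORE: callee frees skb on failure but reports nothing back. */
static void notify_done_before(struct sk_buff_sim *skb)
{
    if (!genlmsg_put_ok) {
        nlmsg_free_sim(skb);   /* skb released, caller not told */
        return;
    }
    skb->len += 16;            /* header and attributes were added */
}

static int get_state_before(struct sk_buff_sim *skb, int done)
{
    if (done)
        notify_done_before(skb);
    /* out: */
    return read_len(skb);      /* UAF whenever the callee freed skb */
}

/* AFTER: callee returns an error code; caller propagates it and never
 * touches skb once it may have been freed. */
static int notify_done_after(struct sk_buff_sim *skb)
{
    if (!genlmsg_put_ok) {
        nlmsg_free_sim(skb);
        return -EMSGSIZE;      /* assumed error code for this model */
    }
    skb->len += 16;
    return 0;
}

static int get_state_after(struct sk_buff_sim *skb, int done)
{
    if (done) {
        int err = notify_done_after(skb);
        if (err)
            return err;        /* skb is gone; do not read skb->len */
    }
    return read_len(skb);
}

/* Scenario helpers: fresh 100-byte buffer, chosen genlmsg_put outcome. */
static int before_uaf_hits(int put_ok)
{
    struct sk_buff_sim skb = { 100, 0 };
    genlmsg_put_ok = put_ok;
    uaf_count = 0;
    (void)get_state_before(&skb, 1);
    return uaf_count;          /* 1 when put_ok == 0, else 0 */
}

static int after_result(int put_ok)
{
    struct sk_buff_sim skb = { 100, 0 };
    genlmsg_put_ok = put_ok;
    uaf_count = 0;
    return get_state_after(&skb, 1);   /* -EMSGSIZE or 116 */
}
```

The check that matters is the one in get_state_after: once a callee can release the buffer, every caller must receive and act on its return value before the next access, which is exactly what the patch adds for the five call sites it names.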