Lv Yunlong

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use after free vulnerability in the `siw alloc mr` function. The vulnerability occurs when `mem` is assigned to `mr->mem` and then freed via `kfree(mem)` if `xa alloc cyclic()` fails. The execution continues, and the freed `mr->mem` is used in `siw mr drop mem(mr)`, causing a use after free error. The patch moves the assignment of `mr->mem = mem` behind the `if (xa alloc cyclic(..)<0)` section to avoid the issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use after free bug in the `enic hard start xmit` function. This function calls `enic queue wq skb()`, which may free the `skb` if an error occurs. However, the freed `skb` is still used in `skb tx timestamp(skb)`, potentially leading to a denial of service. The solution involves making `enic queue wq skb()` return an error and goto `spin unlock()` in case of an error. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to two use-after-free bugs in the `ibmasm init one` function. In this function, `ibmasm init remote input dev()` is called, which allocates `mouse dev` and `keybd dev` using `input allocate device()` and assigns them to `sp->remote.mouse dev` and `sp->remote.keybd dev`, respectively. When an error occurs, `mouse dev` and `keybd dev` are freed by `input free device()`, but then the execution proceeds to the `error send message` error branch, where `ibmasm free remote input dev(sp)` is called to unregister the already freed devices. A patch has been added to handle the error of `ibmasm init remote input dev()` by introducing an "error init remote" label to avoid these use-after-free bugs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use after free issue has been resolved in the Linux kernel. The issue occurs in the `emac mac tx buf send` function, which calls `emac tx fill tpd(..,skb,..)`. If an error happens in `emac tx fill tpd()`, the `skb` will be freed via `dev kfree skb(skb)` in the error branch of `emac tx fill tpd()`. However, the freed `skb` is still used via `skb->len` by `netdev sent queue(,skb->len)`. To fix this issue, the patch assigns `skb->len` to `'len'` before the possible free and uses `'len'` instead of `skb->len` later. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use after free issue has been resolved in the Linux kernel, specifically in the ath10k htc send bundle function. The `bundle skb` could be freed by `dev kfree skb any(bundle skb)`, but it is used later by `bundle skb->len`. To fix this, the patch replaces `bundle skb->len` with `skb len` after `bundle skb` has been freed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.