In the Linux kernel, the following vulnerability has been resolved:
drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap
drm_gem_ttm_mmap() drops a reference to the gem object on success. If the gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that drop will free the gem object, and the subsequent drm_gem_object_get() will be a UAF. Fix by grabbing a reference before calling the mmap helper.
This issue was foreseen when the reference dropping was added in commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"): "For that to work properly the drm_gem_object_get() call in drm_gem_ttm_mmap() must be moved so it happens before calling obj->funcs->mmap(), otherwise the gem refcount would go down to zero."
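
The reference-count ordering described above, as a small user-space model added here (it is not the kernel's code or the patch itself). The names `model_obj`, `model_mmap_helper`, `mmap_get_after` and `mmap_get_before` are hypothetical, and the put on the helper's failure path is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Model only, not kernel code: release sets a flag instead of free(). */
struct model_obj {
    int  refcount;
    bool freed, used_after_free;  /* released; get() ran after release */
};

static void model_get(struct model_obj *o) {
    if (o->freed)
        o->used_after_free = true;  /* in the kernel: a UAF */
    o->refcount++;
}

static void model_put(struct model_obj *o) {
    if (--o->refcount == 0)
        o->freed = true;
}

/* Models the mmap helper: drops one reference, on success only. */
static int model_mmap_helper(struct model_obj *o, bool fail) {
    if (!fail)
        model_put(o);
    return fail ? -1 : 0;
}

/* Vulnerable order: helper first, reference taken afterwards. */
static int mmap_get_after(struct model_obj *o, bool fail) {
    int ret = model_mmap_helper(o, fail);
    if (ret == 0)
        model_get(o);
    return ret;
}

/* Fixed order: take the reference first, undo it if the helper fails. */
static int mmap_get_before(struct model_obj *o, bool fail) {
    model_get(o);
    int ret = model_mmap_helper(o, fail);
    if (ret != 0)
        model_put(o);
    return ret;
}

int main(void) {
    struct model_obj a = { .refcount = 1 }, b = { .refcount = 1 };
    mmap_get_after(&a, false);
    mmap_get_before(&b, false);
    printf("after: uaf=%d, before: uaf=%d\n", a.used_after_free, b.used_after_free);
    return 0;
}
```

With an entry refcount of 1, the first ordering reaches `model_get()` on an already released object, while the second leaves the count at 1 on both the success and the failure path.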