In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Don't remove map on creater_process and device_release
Do not remove the map from the list on error path in fastrpc_init_create_process, instead call fastrpc_map_put, to avoid use-after-free. Do not remove it on fastrpc_device_release either, call fastrpc_map_put instead.
The fastrpc_free_map is the only proper place to remove the map. This is called only after the reference count is 0.
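
The ownership rule stated above, as an added user-space example that is not the driver's code: the list unlink lives only in the free routine, which runs when the last reference is dropped, so an error or release path that calls put cannot leave other holders with a stale entry. All names (`map_create`, `map_get`, `map_put`, `map_free`, `struct owner`) are hypothetical, and the kernel's own reference-count and locking primitives are omitted.

```c
#include <stdlib.h>

/* Simplified user-space model; all names are hypothetical, not the driver's. */
struct map { int refcount; struct map *prev, *next; };
struct owner { struct map head; int freed; };   /* head: list sentinel */

static void owner_init(struct owner *o) {
    o->head.prev = o->head.next = &o->head;
    o->freed = 0;
}

static struct map *map_create(struct owner *o) {
    struct map *m = calloc(1, sizeof(*m));
    if (!m) return NULL;
    m->refcount = 1;                         /* creator's reference */
    m->next = o->head.next; m->prev = &o->head;
    o->head.next->prev = m; o->head.next = m;
    return m;
}

static int list_len(const struct owner *o) {
    int n = 0;
    for (const struct map *m = o->head.next; m != &o->head; m = m->next) n++;
    return n;
}

/* The only place that unlinks the map; reached only at refcount 0. */
static void map_free(struct owner *o, struct map *m) {
    m->prev->next = m->next;
    m->next->prev = m->prev;
    o->freed++;
    free(m);
}

static void map_get(struct map *m) { m->refcount++; }

/* Error and release paths drop their reference here, never unlink by hand. */
static void map_put(struct owner *o, struct map *m) {
    if (--m->refcount == 0) map_free(o, m);
}

int main(void) {
    struct owner o; owner_init(&o);
    struct map *m = map_create(&o);
    if (!m) return 1;
    map_get(m);        /* a second holder takes a reference */
    map_put(&o, m);    /* error path drops its own: map stays listed */
    map_put(&o, m);    /* last reference: unlinked and freed exactly once */
    return (list_len(&o) == 0 && o.freed == 1) ? 0 : 1;
}
```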