In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: avoid double fput() on failed usercopy
If the copy back to userland fails for the FASTRPCIOCTLALLOCDMABUFF ioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact, dmabuffd() called fd_install() before, i.e. "consumed" one reference, leaving us with none.
Calling dmabufput() will therefore put a reference we no longer own, leading to a valid file descritor table entry for an already released 'file' object which is a straight use-after-free.
Simply avoid calling dmabufput() and rely on the process exit code to do the necessary cleanup, if needed, i.e. if the file descriptor is still valid.