In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Fix double free of 'buf' in error path
smatch warning: drivers/misc/fastrpc.c:1926 fastrpcreqmmap() error: double free of 'buf'
In fastrpcreqmmap() error path, the fastrpc buffer is freed in fastrpcreqmunmap_impl() if unmap is successful.
But in the end, there is an unconditional call to fastrpcbuffree(). So the above case triggers the double free of fastrpc buf.