I recently found an integer overflow in the Linux kernel, which leads to the kernel allocating skb_shared_info in the userspace, which is exploitable in systems without SMAP protection since skb_shared_info contains references to function pointers.
skb_shared_info