Hi,
I spotted this bug through code review, and I don't know how to make a
proof of concept for it, so maybe I'm wrong.
Between skel_open() and skel_disconnect(), this scenario can happen:

skel_open()                          skel_disconnect()
dev = usb_get_intfdata(interface);
                                     usb_set_intfdata(interface, NULL);
                                     kref_put(&dev->kref, skel_delete);
kref_get(&dev->kref);
In case dev's refcount is 1 before these events, kref_put() in
skel_disconnect() will call skel_delete to free dev. As a result, a
UAF will happen when we try to access dev->kref in skel_open(). I can
see this pattern in other USB drivers as well, such as usblcd.c, yurex.c, ...
Please correct me if I am wrong.
Thank you,
Quang Minh.
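The interleaving described in the message above, modelled as a deterministic userspace C program (an added example, not code from the original message or from the kernel's usb-skeleton.c). The kref helpers, the intf struct, intf_lock()/intf_unlock(), the outcome enum and the freed flag are simplified stand-ins (assumptions) for the kernel APIs; "freeing" sets a flag instead of calling free() so the model stays well-defined and checkable. The lock-based variant shows one common mitigation pattern (take the reference under the same lock that disconnect holds while clearing the interface pointer); it is not a claim about how any particular driver was fixed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct kref { int refcount; };

struct skel_dev {
    struct kref kref;
    bool freed;                 /* set by skel_delete instead of free() (assumption) */
};

/* Driver-private pointer of a USB interface plus the lock the hardened
 * variant holds across lookup+get and clear+put (simplified stand-in). */
struct intf {
    struct skel_dev *data;
    bool locked;
};

enum outcome { OPEN_OK = 0, OPEN_ENODEV = 1, OPEN_UAF = 2 };

static void kref_init(struct kref *k) { k->refcount = 1; }
static void kref_get(struct kref *k)  { k->refcount++; }
static int  kref_put(struct kref *k, void (*release)(struct kref *))
{
    if (--k->refcount == 0) { release(k); return 1; }
    return 0;
}

static void skel_delete(struct kref *k)
{
    struct skel_dev *dev = (struct skel_dev *)((char *)k - offsetof(struct skel_dev, kref));
    dev->freed = true;          /* kernel would kfree(dev) here */
}

static void intf_lock(struct intf *i)   { i->locked = true; }
static void intf_unlock(struct intf *i) { i->locked = false; }

static void setup(struct skel_dev *dev, struct intf *intf)
{
    memset(dev, 0, sizeof *dev);
    kref_init(&dev->kref);      /* probe(): one reference owned by the interface */
    intf->data = dev;
    intf->locked = false;
}

/* The interleaving from the report: open() reads the intfdata pointer,
 * disconnect() clears it and drops the last reference, then open()
 * touches dev->kref on released memory. */
static enum outcome race_unlocked(void)
{
    struct skel_dev dev; struct intf intf;
    setup(&dev, &intf);

    struct skel_dev *opened = intf.data;     /* skel_open(): usb_get_intfdata() */

    struct skel_dev *disc = intf.data;       /* skel_disconnect() runs now */
    intf.data = NULL;                        /*   usb_set_intfdata(interface, NULL) */
    kref_put(&disc->kref, skel_delete);      /*   refcount 1 -> 0, dev released */

    if (opened->freed)                       /* skel_open(): kref_get(&dev->kref) */
        return OPEN_UAF;                     /* would dereference freed memory */
    kref_get(&opened->kref);
    return OPEN_OK;
}

/* Hardened pattern: lookup and kref_get happen under the same lock that
 * disconnect holds while clearing the pointer, so either open() gets a
 * reference before the pointer is cleared or it sees NULL (-ENODEV). */
static struct skel_dev *open_locked(struct intf *i)
{
    intf_lock(i);
    struct skel_dev *dev = i->data;
    if (dev)
        kref_get(&dev->kref);                /* reference taken before unlocking */
    intf_unlock(i);
    return dev;
}

static void disconnect_locked(struct intf *i)
{
    intf_lock(i);
    struct skel_dev *dev = i->data;
    i->data = NULL;                          /* no new opener can find dev now */
    intf_unlock(i);
    kref_put(&dev->kref, skel_delete);       /* safe: any opener already holds its ref */
}

static enum outcome race_locked(bool disconnect_first)
{
    struct skel_dev dev; struct intf intf;
    setup(&dev, &intf);

    if (disconnect_first) {
        disconnect_locked(&intf);            /* 1 -> 0, released with no opener around */
        return open_locked(&intf) ? OPEN_OK : OPEN_ENODEV;  /* open() sees NULL */
    }
    struct skel_dev *d = open_locked(&intf); /* 1 -> 2 */
    disconnect_locked(&intf);                /* 2 -> 1, not released yet */
    if (d->freed)
        return OPEN_UAF;
    kref_put(&d->kref, skel_delete);         /* skel_release(): 1 -> 0, released now */
    return OPEN_OK;
}
```

race_unlocked() reproduces the ordering in the report and reports OPEN_UAF because skel_delete ran before open() touched dev->kref; race_locked() shows that with the lock held across both steps on each side, the only two possible outcomes are a successful open (the device is released only after the final put from release) or -ENODEV.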