On Sun, Apr 10, 2022 at 5:14 AM Dongliang Mu <dzm91@xxxxxxxxxxx> wrote:
>
> From: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
>
> cdc_ncm_bind calls cdc_ncm_bind_common and sets dev->data[0]
> with ctx. However, in the unbind function - cdc_ncm_unbind,
> it calls cdc_ncm_free and frees ctx, leaving dev->data[0] as
> a dangling pointer. The following ioctl operation will trigger
> the UAF in the function cdc_ncm_set_dgram_size.

First of all, please use the standard form of referring to the func() as in this sentence.

> Fix this by setting dev->data[0] as zero.
>
> ==================================================================
> BUG: KASAN: use-after-free in cdc_ncm_set_dgram_size+0xc91/0xde0
> Read of size 8 at addr ffff8880755210b0 by task dhcpcd/3174
>

Please, avoid SO noisy commit messages. Find the core part of the traceback(s) which should be rarely more than 5-10 lines.

...

The code seems fine.

--
With Best Regards,
Andy Shevchenko
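The lifetime bug the commit message describes (a private pointer parked in dev->data[0] at bind time, freed at unbind time but never cleared, then dereferenced by a later ioctl path) is shown below as an added, stand-alone userspace model. This is not the cdc_ncm driver's code and not part of the thread: the struct names, the single static "heap object", the `alive` flag standing in for KASAN's knowledge of freed memory, and the return codes are all assumptions made for illustration. The model runs the same bind -> unbind -> ioctl sequence with the dangling-pointer unbind and with the fixed unbind that zeroes the slot, so the difference in outcome is observable without actually touching freed memory.

```c
/* Added, simplified model of the dev->data[0] lifetime bug discussed above.
 * Not the cdc_ncm driver's code.  Assumptions: one static ctx object stands
 * in for the heap allocation, ctx->alive stands in for KASAN's tracking of
 * freed memory, and the return codes below are illustrative. */
#include <stddef.h>
#include <string.h>

#define UAF_DETECTED  (-2)   /* would have read freed memory (KASAN report) */
#define ENODEV_LIKE   (-1)   /* slot is empty: a proper check bails out here */

struct ncm_ctx {
    int alive;              /* 1 while allocated, 0 once "freed" */
    unsigned int max_dgram;
};

struct usbnet_dev {
    void *data[2];          /* driver-private slots; slot 0 holds the ctx */
};

/* The only "heap object" in the model; nothing is really freed, so the
 * demo never performs undefined behaviour. */
static struct ncm_ctx ctx_storage;

static struct ncm_ctx *ncm_alloc(void)
{
    struct ncm_ctx *ctx = &ctx_storage;
    ctx->alive = 1;
    ctx->max_dgram = 1514;   /* arbitrary sample value */
    return ctx;
}

/* Models kfree(): the object's contents are gone, alive drops to 0. */
static void ncm_free(struct ncm_ctx *ctx)
{
    memset(ctx, 0, sizeof(*ctx));
}

/* bind: allocate the ctx and park it in dev->data[0]. */
static int ncm_bind(struct usbnet_dev *dev)
{
    dev->data[0] = ncm_alloc();
    return 0;
}

/* unbind, buggy shape: frees the ctx but leaves dev->data[0] dangling. */
static void ncm_unbind_dangling(struct usbnet_dev *dev)
{
    ncm_free((struct ncm_ctx *)dev->data[0]);
}

/* unbind, fixed shape: clear the slot once the ctx is gone. */
static void ncm_unbind_fixed(struct usbnet_dev *dev)
{
    ncm_free((struct ncm_ctx *)dev->data[0]);
    dev->data[0] = NULL;
}

/* Later ioctl-path consumer of dev->data[0].  Returns the datagram size
 * when the ctx is live, ENODEV_LIKE when the slot is NULL, and
 * UAF_DETECTED when it would have read a freed object. */
static int ncm_set_dgram_size(struct usbnet_dev *dev)
{
    struct ncm_ctx *ctx = (struct ncm_ctx *)dev->data[0];

    if (!ctx)
        return ENODEV_LIKE;
    if (!ctx->alive)
        return UAF_DETECTED;
    return (int)ctx->max_dgram;
}

/* Drive bind -> [unbind] -> ioctl.
 * mode 0: no unbind; mode 1: dangling unbind; mode 2: fixed unbind. */
static int run_sequence(int mode)
{
    struct usbnet_dev dev = { { NULL, NULL } };

    ncm_bind(&dev);
    if (mode == 1)
        ncm_unbind_dangling(&dev);
    else if (mode == 2)
        ncm_unbind_fixed(&dev);
    return ncm_set_dgram_size(&dev);
}
```

The point the model makes is that the NULL assignment is what turns a silent read of freed memory into a checkable condition: once unbind clears the slot, every later consumer that already tests dev->data[0] for NULL refuses cleanly instead of dereferencing a stale pointer.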