Linux Dangling PFN Mapping / Use-After-Free

An error path in usbdev_mmap() (where remap_pfn_range() fails midway through) frees pages before the PFN mapping pointing to those pages is cleaned up, making physical page use-after-free possible. Some other drivers look like they might have similar issues.

Source: Packet Storm