Re: [BUG] KASAN: slab-use-after-free in dev_driver_string from chaoskey_release
From: Alan Stern
Date: Mon Jun 08 2026 - 09:31:35 EST
On Mon, Jun 08, 2026 at 01:24:03PM +0200, Oliver Neukum wrote:
> On 07.06.26 04:29, Alan Stern wrote:
> > The simple explanation is that the chaoskey_release() routine contains
> > debugging statements that reference an interface for the USB device even
> > after that data structure may have been deallocated. Since they are
> > merely debugging statements, the simplest solution to the problem is to
> > get rid of them.
> >
> > That's what the patch below does. You can try it out and see if it
> > works.
>
> Hi,
>
> correct but it misses the same issue in disconnect.
> You need this one on top.
You're partly right. Both my original patch and yours ignored the fact
that the driver takes a reference to the interface structure. That
reference isn't dropped until chaoskey_free() runs, so the only
debugging statements that need to be removed are the ones following
calls to chaoskey_free().
Shuangpeng, can you test this patch instead of the earlier one?
Alan Stern
Index: usb-devel/drivers/usb/misc/chaoskey.c
===================================================================
--- usb-devel.orig/drivers/usb/misc/chaoskey.c
+++ usb-devel/drivers/usb/misc/chaoskey.c
@@ -248,7 +248,6 @@ static void chaoskey_disconnect(struct u
mutex_unlock(&dev->lock);
mutex_unlock(&chaoskey_list_lock);
- usb_dbg(interface, "disconnect done");
}
static int chaoskey_open(struct inode *inode, struct file *file)
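Review bot: the removed `usb_dbg(interface, "disconnect done")` is reached only after both mutex_unlock() calls, and the cover text states that the driver's reference on `interface` is held only until chaoskey_free() runs, so an access at this point is a use-after-free whenever the free happened inside the locked region; deleting the line rather than relocating it is the right choice, because nothing after the unlocks can safely touch `interface`. If a completion trace is still wanted, emit it before `mutex_unlock(&dev->lock)`, while the reference is guaranteed live.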
@@ -320,7 +319,6 @@ bail:
mutex_unlock(&dev->lock);
destruction:
mutex_unlock(&chaoskey_list_lock);
- usb_dbg(interface, "release success");
return rv;
}
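Review bot: both the fall-through from `bail:` and the jump to `destruction:` reach the removed `usb_dbg(interface, "release success")`, so on the destruction path the debug line ran after chaoskey_free() had dropped the driver's interface reference, which is the slab-use-after-free named in the subject; removing it at this single point fixes both paths, and `return rv;` is unchanged so callers see no behavioural difference. Check that `interface` is still used elsewhere in chaoskey_release() after this removal; if the debug call was its last use, the now-unused local will produce a compiler warning and its declaration should go in the same patch. The patch also carries no commit description or Signed-off-by; the rule stated in the cover text (the reference lives until chaoskey_free(), so nothing may dereference `interface` after that call) belongs in the final submission's changelog.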
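The lifetime rule Alan describes (the driver's reference on the interface is dropped inside chaoskey_free(), so any debug access placed after that call can hit freed memory) as a small C model. This is an added illustration, not code from the chaoskey driver or from this patch: `model_intf`, `model_dev`, `model_free`, `model_dbg` and the release functions are stand-ins for the real structures and routines, and the model assumes the USB core's own reference on the interface is already gone (as it is after disconnect), so the driver's reference is the last one. Instead of really freeing, `intf_put()` marks the object dead so the bad access can be reported rather than crash.

```c
/* Added example (not from the chaoskey driver or this patch): a minimal
 * model of the reference lifetime behind the KASAN report.  The driver
 * holds one reference on its interface; model_free() drops it; any debug
 * access after that drop is a use-after-free.  Rather than kfree(), the
 * last put() clears `alive` so a checker can report the access safely.
 * Assumption: the USB core's reference is already gone, as after disconnect. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_intf {              /* stand-in for struct usb_interface (assumption) */
    int refcount;
    int alive;                   /* cleared when the last reference is dropped */
    char name[16];
};

struct model_dev {               /* stand-in for the driver's private struct */
    struct model_intf *interface;
    int freed;                   /* number of times model_free() ran */
};

static struct model_intf *intf_get(struct model_intf *i)
{
    i->refcount++;
    return i;
}

static void intf_put(struct model_intf *i)
{
    if (--i->refcount == 0)
        i->alive = 0;            /* the real object would be freed here */
}

/* Returns 0 on a valid access, -1 if the interface is already gone
 * (the situation KASAN reports as slab-use-after-free). */
static int model_dbg(const struct model_intf *i, const char *msg)
{
    if (!i->alive)
        return -1;
    printf("%s: %s\n", i->name, msg);
    return 0;
}

/* Models chaoskey_free(): drops the driver's reference on the interface. */
static void model_free(struct model_dev *dev)
{
    intf_put(dev->interface);
    dev->freed++;
}

/* Before the patch: the debug statement follows the reference drop. */
static int release_before(struct model_dev *dev)
{
    model_free(dev);
    return model_dbg(dev->interface, "release success");   /* -1: already gone */
}

/* After the patch: nothing touches the interface once model_free() ran;
 * a trace, if wanted, is emitted while the reference is still held. */
static int release_after(struct model_dev *dev)
{
    int rv = model_dbg(dev->interface, "releasing");        /* reference live */
    model_free(dev);
    return rv;
}

/* Build a device whose only reference on the interface is the driver's. */
static void model_setup(struct model_intf *i, struct model_dev *dev)
{
    memset(i, 0, sizeof(*i));
    strcpy(i->name, "intf0");
    i->alive = 1;
    dev->interface = intf_get(i);    /* usb_get_intf() equivalent */
    dev->freed = 0;
}

int main(void)
{
    struct model_intf intf;
    struct model_dev dev;

    model_setup(&intf, &dev);
    printf("before patch: dbg returned %d\n", release_before(&dev));
    model_setup(&intf, &dev);
    printf("after patch:  dbg returned %d\n", release_after(&dev));
    return 0;
}
```

The point of the two release variants is ordering only: the same debug message is harmless before `model_free()` and a use-after-free after it, which is why the patch removes only the statements that follow chaoskey_free() rather than every usb_dbg() in the driver.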