Re: [BUG] KASAN: slab-use-after-free in dev_driver_string from chaoskey_release
From: Alan Stern
Date: Mon Jun 08 2026 - 13:21:22 EST
On Mon, Jun 08, 2026 at 05:11:27PM +0200, Johan Hovold wrote:
> On Mon, Jun 08, 2026 at 09:29:23AM -0400, Alan Stern wrote:
>
> > You're partly right. Both my original patch and yours ignored the fact
> > that the driver takes a reference to the interface structure. That
> > reference isn't dropped until chaoskey_free() runs, so the only
> > debugging statements that need to be removed are the ones following
> > calls to chaoskey_free().
>
> > Index: usb-devel/drivers/usb/misc/chaoskey.c
> > ===================================================================
> > --- usb-devel.orig/drivers/usb/misc/chaoskey.c
> > +++ usb-devel/drivers/usb/misc/chaoskey.c
> > @@ -248,7 +248,6 @@ static void chaoskey_disconnect(struct u
> > mutex_unlock(&dev->lock);
> >
> > mutex_unlock(&chaoskey_list_lock);
> > - usb_dbg(interface, "disconnect done");
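Review bot: removing the "disconnect done" usb_dbg in this hunk is not needed for the use-after-free fix, since it sits inside chaoskey_disconnect() itself, and the driver core does not drop its reference on the interface until disconnect() returns; the interface is still valid here even after both mutex_unlock() calls. Keep the line and restrict the patch to the usb_dbg calls that run after chaoskey_free() has dropped the driver's own usb_get_intf() reference.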
>
> There is no need to remove this one as driver core holds a reference to
> the interface until after disconnect() returns.
Yes, you're right of course. And I'm annoyed, because I had realized
exactly the same thing before noticing the usb_get_intf() and
usb_put_intf() calls, and then forgot about it when updating the patch!
The final version of the patch is below.
Alan Stern
Index: usb-devel/drivers/usb/misc/chaoskey.c
===================================================================
--- usb-devel.orig/drivers/usb/misc/chaoskey.c
+++ usb-devel/drivers/usb/misc/chaoskey.c
@@ -320,7 +320,6 @@ bail:
mutex_unlock(&dev->lock);
destruction:
mutex_unlock(&chaoskey_list_lock);
- usb_dbg(interface, "release success");
return rv;
}
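Review bot: the removal of the "release success" usb_dbg at the `destruction:` tail is the right fix for this path, but note the line is reached from both labels: `bail:` only unlocks `dev->lock` and falls through to `destruction:`, so a caller that jumps to `bail:` with an error `rv` was printing "release success" too, while the `destruction:` path reaches the usb_dbg after the device (and with it the interface reference taken via usb_get_intf()) may already have been freed. If a success message is still wanted, emit it before the `destruction:` label on the path where `dev`, and therefore `interface`, is known to be alive, and only when `rv == 0`; nothing after the list lock is released may touch `interface`.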