Re: [BUG] KASAN: slab-use-after-free in dev_driver_string from chaoskey_release
From: Shuangpeng
Date: Tue Jun 09 2026 - 12:13:30 EST
> On Jun 8, 2026, at 12:03, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Mon, Jun 08, 2026 at 05:11:27PM +0200, Johan Hovold wrote:
>> On Mon, Jun 08, 2026 at 09:29:23AM -0400, Alan Stern wrote:
>>
>>> You're partly right. Both my original patch and yours ignored the fact
>>> that the driver takes a reference to the interface structure. That
>>> reference isn't dropped until chaoskey_free() runs, so the only
>>> debugging statements that need to be removed are the ones following
>>> calls to chaoskey_free().
>>
>>> Index: usb-devel/drivers/usb/misc/chaoskey.c
>>> ===================================================================
>>> --- usb-devel.orig/drivers/usb/misc/chaoskey.c
>>> +++ usb-devel/drivers/usb/misc/chaoskey.c
>>> @@ -248,7 +248,6 @@ static void chaoskey_disconnect(struct u
>>> mutex_unlock(&dev->lock);
>>>
>>> mutex_unlock(&chaoskey_list_lock);
>>> - usb_dbg(interface, "disconnect done");
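Review bot: This removal is unnecessary; the `usb_dbg(interface, "disconnect done")` at the end of chaoskey_disconnect() runs while the USB core still holds its own reference to the interface (that reference is only dropped after disconnect() returns), so the interface cannot have been freed here. The only debug statements that can trigger the slab-use-after-free in dev_driver_string() are those that dereference `interface` after the driver's own reference has been released by chaoskey_free(), so this hunk can be dropped and the fix limited to the release path.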
>>
>> There is no need to remove this one as driver core holds a reference to
>> the interface until after disconnect() returns.
>
> Yes, you're right of course. And I'm annoyed, because I had realized
> exactly the same thing before noticing the usb_get_intf() and
> usb_put_intf() calls, and then forgot about it when updating the patch!
>
> The final version of the patch is below.
>
> Alan Stern
>
I tested this patch. It works on my side. Thank you!
>
> Index: usb-devel/drivers/usb/misc/chaoskey.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/misc/chaoskey.c
> +++ usb-devel/drivers/usb/misc/chaoskey.c
> @@ -320,7 +320,6 @@ bail:
> mutex_unlock(&dev->lock);
> destruction:
> mutex_unlock(&chaoskey_list_lock);
> - usb_dbg(interface, "release success");
> return rv;
> }
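Review bot: Dropping `usb_dbg(interface, "release success")` after the `destruction:` label is the right fix, since by that point chaoskey_free() may already have released the driver's reference to the interface and the use-after-free reported in dev_driver_string() comes from dereferencing `interface` here; the remaining `mutex_unlock(&chaoskey_list_lock)` and `return rv` do not touch it. Consider adding a one-line comment at the `destruction:` label stating that `interface` must not be dereferenced past this point, so the same debug line is not reintroduced later, and carrying a Reported-by: tag for the KASAN report in the commit message.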