Re: [BUG] KASAN: slab-use-after-free in dev_driver_string from chaoskey_release
From: Oliver Neukum
Date: Mon Jun 08 2026 - 07:30:14 EST
On 07.06.26 04:29, Alan Stern wrote:
The simple explanation is that the chaoskey_release() routine contains
debugging statements that reference an interface for the USB device even
after that data structure may have been deallocated. Since they are
merely debugging statements, the simplest solution to the problem is to
get rid of them.
That's what the patch below does. You can try it out and see if it
works.
Hi,
Correct, but it misses the same issue in disconnect.
You need this one on top.
Regards
Oliver
From 5864a7f4580707a39e3f5881ce31289095984dff Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@xxxxxxxx>
Date: Mon, 8 Jun 2026 13:20:35 +0200
Subject: [PATCH] usb: misc: chaoskey: fix UAF in disconnect
disconnect has the same issue as release.
The debug output refers to a potentially freed device.
Just remove it.
Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
---
drivers/usb/misc/chaoskey.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c
index bf4d9294c7c9..0df337089618 100644
--- a/drivers/usb/misc/chaoskey.c
+++ b/drivers/usb/misc/chaoskey.c
@@ -222,12 +222,9 @@ static void chaoskey_disconnect(struct usb_interface *interface)
{
struct chaoskey *dev;
- usb_dbg(interface, "disconnect");
dev = usb_get_intfdata(interface);
- if (!dev) {
- usb_dbg(interface, "disconnect failed - no dev");
+ if (!dev)
return;
- }
if (dev->hwrng_registered)
hwrng_unregister(&dev->hwrng);
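Review bot: the first removed line, `usb_dbg(interface, "disconnect")`, runs at function entry before anything in this hunk has been torn down, so the commit message ("refers to a potentially freed device") should state which object can already be freed at that point and on which path; if none can, its removal is a cleanup rather than part of the UAF fix and the description should say so. Dropping `usb_dbg(interface, "disconnect failed - no dev")` also removes the only trace of the early-return path, which is worth a sentence in the changelog. Collapsing the braces around the single `return;` is consistent with kernel style.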
@@ -248,7 +245,6 @@ static void chaoskey_disconnect(struct usb_interface *interface)
mutex_unlock(&dev->lock);
mutex_unlock(&chaoskey_list_lock);
- usb_dbg(interface, "disconnect done");
}
static int chaoskey_open(struct inode *inode, struct file *file)
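Review bot: this trailing `usb_dbg(interface, "disconnect done")` is the message that matters for the reported problem, because it is emitted after `mutex_unlock(&dev->lock)` and `mutex_unlock(&chaoskey_list_lock)`, i.e. after the point at which a concurrent chaoskey_release() (the path named in the bug title) can proceed; the commit message should spell out that ordering rather than only saying the output "refers to a potentially freed device". If a completion trace is still wanted, emitting it before the unlocks, while `dev->lock` is still held, would keep the message without the race on the object it references.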
--
2.54.0