Re: [BUG] KASAN: slab-use-after-free in dev_driver_string from chaoskey_release
From: Shuangpeng
Date: Sun Jun 07 2026 - 15:38:21 EST
> On Jun 6, 2026, at 22:29, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Sat, Jun 06, 2026 at 09:31:30PM -0400, Shuangpeng wrote:
>> Hi Kernel Maintainers,
>>
>> I hit the following KASAN report while testing current upstream kernel:
>>
>> KASAN: slab-use-after-free in dev_driver_string from chaoskey_release
>>
>> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
>>
>> The reproducer and .config files are here.
>> https://gist.github.com/shuangpengbai/167620d391d9634107bfe4d784fcf52b
>>
>> I’m happy to test debug patches or provide additional information.
>>
>> Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
>>
>>
>> [ 2019.816807][T10106] ==================================================================
>> [ 2019.819081][T10106] BUG: KASAN: slab-use-after-free in dev_driver_string (drivers/base/core.c:2406)
>> [ 2019.820996][T10106] Read of size 8 at addr ffff888168e8a0b8 by task chaoskey_raw_re/10106
>> [ 2019.822432][T10106]
>> [ 2019.822899][T10106] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
>> [ 2019.822904][T10106] Call Trace:
>> [ 2019.822910][T10106] <TASK>
>> [ 2019.822915][T10106] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
>> [ 2019.822932][T10106] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
>> [ 2019.822984][T10106] kasan_report (mm/kasan/report.c:595)
>> [ 2019.823015][T10106] dev_driver_string (drivers/base/core.c:2406)
>> [ 2019.823021][T10106] __dynamic_dev_dbg (lib/dynamic_debug.c:906)
>> [ 2019.823282][T10106] chaoskey_release (drivers/usb/misc/chaoskey.c:323)
>
> The simple explanation is that the chaoskey_release() routine contains
> debugging statements that reference an interface for the USB device even
> after that data structure may have been deallocated. Since they are
> merely debugging statements, the simplest solution to the problem is to
> get rid of them.
>
> That's what the patch below does. You can try it out and see if it
> works.
I tried this patch and the bug is no longer triggered on my side.
Thanks for your fix!
>
> Alan Stern
>
>
>
> Index: usb-devel/drivers/usb/misc/chaoskey.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/misc/chaoskey.c
> +++ usb-devel/drivers/usb/misc/chaoskey.c
> @@ -294,15 +294,10 @@ static int chaoskey_release(struct inode
>
> interface = dev->interface;
>
> - usb_dbg(interface, "release");
> -
> mutex_lock(&chaoskey_list_lock);
> mutex_lock(&dev->lock);
>
> - usb_dbg(interface, "open count at release is %d", dev->open);
> -
> if (dev->open <= 0) {
> - usb_dbg(interface, "invalid open count (%d)", dev->open);
> rv = -ENODEV;
> goto bail;
> }
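Review bot: with the three usb_dbg() calls in this hunk removed, the surviving `interface = dev->interface;` near the top no longer has a user in the visible lines, and it is loaded before `mutex_lock(&dev->lock)`, i.e. outside the lock that would order it against disconnect. Unless a use remains elsewhere in the function, drop the assignment and the `interface` local as well, so the stale pointer is never read at all and the build does not warn about an unused-but-set variable.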
> @@ -320,7 +315,6 @@ bail:
> mutex_unlock(&dev->lock);
> destruction:
> mutex_unlock(&chaoskey_list_lock);
> - usb_dbg(interface, "release success");
> return rv;
> }
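Review bot: the patch is posted without a changelog or Signed-off-by. When it is resubmitted, the commit message should state the mechanism (chaoskey_release() can run after disconnect has freed the usb_interface, and usb_dbg() dereferences it through dev_driver_string(), as the KASAN trace shows), and carry Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx> together with a Tested-by: from the confirmation above. Deleting the messages removes these call sites only; any remaining use of dev->interface after disconnect, here or in the other file operations, would hit the same use-after-free.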
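The lifetime rule behind Alan's explanation, as an added user-space model that is not chaoskey driver code: the struct usb_interface is owned by the USB core and dies at disconnect, while the driver's private structure is kept alive by the open count, so release must not follow the interface pointer. The struct and function names below (release_buggy, release_fixed, release_checked, disconnect_dangling, disconnect_cleared, the arena standing in for the slab) are assumptions for the illustration, as is the 0x6b poison byte used to make a stale read observable instead of a crash. It also shows the alternative for a driver that genuinely needs the interface in release: clear the pointer in disconnect and check it under the lock.

```c
/* Added example, not chaoskey code: model of the usb_interface vs. private
 * data lifetimes behind the KASAN report. Names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SLAB_POISON 0x6b   /* stand-in for slab poisoning: a stale read shows this */

struct usb_interface {            /* USB-core owned; invalid after disconnect */
    char driver_name[16];
};

struct chaoskey {                 /* driver private data; pinned by the open count */
    struct usb_interface *interface;   /* only valid while present */
    int open;
    int present;
};

/* Static arena standing in for the slab: "freeing" poisons the object but
 * keeps it mapped, so a use-after-free reads poison instead of faulting. */
static char arena[sizeof(struct usb_interface)];

static struct usb_interface *core_alloc_interface(void)
{
    struct usb_interface *intf = (struct usb_interface *)arena;
    memset(intf, 0, sizeof *intf);
    strcpy(intf->driver_name, "chaoskey");
    return intf;
}

static void core_free_interface(struct usb_interface *intf)
{
    memset(intf, SLAB_POISON, sizeof *intf);
}

/* Disconnect as the buggy flow behaves: the interface is freed but the
 * driver keeps a dangling pointer to it. */
static void disconnect_dangling(struct chaoskey *dev)
{
    dev->present = 0;
    core_free_interface(dev->interface);
}

/* Hardened disconnect: drop the pointer (under dev->lock in a real driver)
 * before the core frees the object, so release cannot follow it. */
static void disconnect_cleared(struct chaoskey *dev)
{
    struct usb_interface *intf = dev->interface;
    dev->present = 0;
    dev->interface = NULL;
    core_free_interface(intf);
}

/* Buggy release, mirroring usb_dbg(interface, ...) after disconnect:
 * it dereferences the dangling pointer. Returns the byte it read. */
static unsigned char release_buggy(struct chaoskey *dev)
{
    struct usb_interface *interface = dev->interface;
    unsigned char c = (unsigned char)interface->driver_name[0];   /* UAF */
    dev->open--;
    return c;
}

/* Release as in the patch: touches only dev, which the open count keeps alive. */
static int release_fixed(struct chaoskey *dev)
{
    if (dev->open <= 0)
        return -ENODEV;
    dev->open--;
    return 0;
}

/* Release for a driver that still needs the interface: use it only while
 * present and non-NULL, which the hardened disconnect guarantees. */
static int release_checked(struct chaoskey *dev, char *msg, size_t n)
{
    if (dev->open <= 0)
        return -ENODEV;
    if (dev->present && dev->interface)
        snprintf(msg, n, "release on %s", dev->interface->driver_name);
    else
        snprintf(msg, n, "release after disconnect");
    dev->open--;
    return 0;
}

/* Scenarios: open, disconnect, then release. */
static unsigned char scenario_buggy(void)
{
    struct chaoskey dev = { core_alloc_interface(), 1, 1 };
    disconnect_dangling(&dev);
    return release_buggy(&dev);        /* reads poison: 0x6b */
}

static int scenario_fixed(void)
{
    struct chaoskey dev = { core_alloc_interface(), 1, 1 };
    disconnect_dangling(&dev);
    return release_fixed(&dev);        /* 0: never touched the interface */
}

static int scenario_double_release(void)
{
    struct chaoskey dev = { core_alloc_interface(), 1, 1 };
    release_fixed(&dev);
    return release_fixed(&dev);        /* -ENODEV: open count already 0 */
}

/* 1 when release ran, used no freed memory, and reported the disconnect. */
static int scenario_checked(void)
{
    char msg[64];
    struct chaoskey dev = { core_alloc_interface(), 1, 1 };
    disconnect_cleared(&dev);
    if (release_checked(&dev, msg, sizeof msg) != 0)
        return 0;
    return strcmp(msg, "release after disconnect") == 0 && dev.open == 0;
}

int main(void)
{
    printf("buggy release read 0x%02x from the freed interface\n", scenario_buggy());
    printf("fixed release returned %d\n", scenario_fixed());
    printf("checked release ok: %d\n", scenario_checked());
    return 0;
}
```

The poison read in scenario_buggy is the user-space analogue of KASAN catching dev_driver_string() on the freed usb_interface; release_fixed is the shape the patch leaves chaoskey_release() in, and release_checked with disconnect_cleared is the pattern to reach for if a later change needs the interface in the release path again.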