From: Johan Hovold <johan@kernel.org>
To: Oliver Neukum <oneukum@suse.com>
Cc: Alan Stern <stern@rowland.harvard.edu>,
Shuangpeng <shuangpeng.kernel@gmail.com>,
keithp@keithp.com, gregkh@linuxfoundation.org,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [BUG] KASAN: slab-use-after-free in dev_driver_string from chaoskey_release
Date: Mon, 8 Jun 2026 16:10:21 +0200
Message-ID: <aibNTeX696gw0xs1@hovoldconsulting.com>
In-Reply-To: <2a50158f-34ff-41ae-8899-ba2ec6d550b3@suse.com>
On Mon, Jun 08, 2026 at 01:24:03PM +0200, Oliver Neukum wrote:
> On 07.06.26 04:29, Alan Stern wrote:
>
> > The simple explanation is that the chaoskey_release() routine contains
> > debugging statements that reference an interface for the USB device even
> > after that data structure may have been deallocated. Since they are
> > merely debugging statements, the simplest solution to the problem is to
> > get rid of them.
> >
> > That's what the patch below does. You can try it out and see if it
> > works.
>
> Correct, but it misses the same issue in disconnect.
> You need this one on top.

No, it's perfectly fine to access the interface in the disconnect
callback.

It's only after disconnect() returns that you need an extra reference.

Johan
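The lifetime rule stated above (disconnect() may touch the interface; a release() that runs after disconnect() has returned must hold its own reference, taken in open()) as a user-space model. This is an added example, not the chaoskey driver or any code from this thread; the struct and function names are assumed stand-ins for struct usb_interface, usb_get_intf()/usb_put_intf() and the driver's open/disconnect/release paths.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins (names assumed) for struct usb_interface, the file's private
 * data and the driver's per-device state. driver_name models what
 * dev_driver_string() reads. */
struct intf_model { int refcount; char driver_name[16]; };
struct file_model { struct intf_model *intf; };          /* ref taken in open() */
struct chaoskey_model { struct intf_model *interface; }; /* NULL after disconnect */

/* usb_get_intf()/usb_put_intf() stand-ins: the last put frees the object. */
static void intf_get(struct intf_model *i) { i->refcount++; }
static int intf_put(struct intf_model *i) { if (--i->refcount) return 0; free(i); return 1; }

/* probe(): the device holds the first reference. */
static void chaoskey_probe(struct chaoskey_model *dev)
{
    dev->interface = calloc(1, sizeof(*dev->interface));
    dev->interface->refcount = 1;
    strcpy(dev->interface->driver_name, "chaoskey");
}

/* open(): fail if already disconnected, else take the file's own reference. */
static int chaoskey_open(struct chaoskey_model *dev, struct file_model *f)
{
    if (!dev->interface)
        return -ENODEV;
    intf_get(dev->interface);
    f->intf = dev->interface;
    return 0;
}

/* disconnect(): the interface is still valid here, so reading it is fine;
 * afterwards the device's reference is gone. */
static void chaoskey_disconnect(struct chaoskey_model *dev, char *name, size_t n)
{
    strncpy(name, dev->interface->driver_name, n);
    intf_put(dev->interface);
    dev->interface = NULL;
}

/* release(): may run after disconnect() returned; reading the interface is
 * safe only because open() took a reference. Returns 1 when this put freed it. */
static int chaoskey_release(struct file_model *f, char *name, size_t n)
{
    strncpy(name, f->intf->driver_name, n);
    return intf_put(f->intf);
}
```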