Re: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

[Shuangpeng]

> On Jun 14, 2026, at 17:02, Maxwell Doose <m32285159@xxxxxxxxx> wrote:
> 
> Hi Shuangpeng,
> 
> On Sun, 14 Jun 2026 15:19:21 -0400
> Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx> wrote:
> 
>> I hit the following report while testing current upstream kernel:
>> 
>> KASAN: slab-use-after-free in _raw_spin_lock_irqsave from
>> hid-sensor-custom
>> 
>> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
>> 
> 
> Is this correct? It seems to point to changes in HPFS.
> 

That commit was the linux.git HEAD where I reproduced the crash. I did not mean 
to imply that the HPFS merge introduced the issue.

>> 
>> The reproducer and .config files are here.
>> https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967
>> 
>> I'm happy to test debug patches or provide additional information.
>> 
>> Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
>> 
> 
> This bug report also seems to have nothing to do with IIO after
> investigating the call trace, seems more like for the HID/input folks
> than iio. HID folks, seems like it was caused here:
> 
> [   73.163547][ T8356]  hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)
> 
> before _raw_spin_lock_irqsave() gets called and KASAN triggers the slab-use-after-free.
> 

Thanks for checking.

I agree that this does not look like an IIO-specific issue from the trace. The crash
is reported from hid_sensor_custom_poll() in drivers/hid/hid-sensor-custom.c.

> -- 
> best regards,
> max