Re: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

[Maxwell Doose]

On Sun, 14 Jun 2026 17:24:12 -0400
Shuangpeng <shuangpeng.kernel@xxxxxxxxx> wrote:

> > On Jun 14, 2026, at 17:02, Maxwell Doose <m32285159@xxxxxxxxx> wrote:
> > 
> > Hi Shuangpeng,
> > 
> > On Sun, 14 Jun 2026 15:19:21 -0400
> > Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx> wrote:
> >   
> >> I hit the following report while testing current upstream kernel:
> >> 
> >> KASAN: slab-use-after-free in _raw_spin_lock_irqsave from
> >> hid-sensor-custom
> >> 
> >> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
> >>   
> > 
> > Is this correct? It seems to point to changes in HPFS.
> >   
> 
> That commit was the linux.git HEAD where I reproduced the crash. I did not mean 
> to imply that the HPFS merge introduced the issue.
> 

If you have (a lot of) time, it may be worth trying git bisect to get
the exact commit. No worries if you don't of course, but it would be
incredibly helpful to the HID folks.

-- 
best regards,
max



> >> 
> >> The reproducer and .config files are here.
> >> https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967
> >> 
> >> I'm happy to test debug patches or provide additional information.
> >> 
> >> Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
> >>   
> > 
> > This bug report also seems to have nothing to do with IIO after
> > investigating the call trace, seems more like for the HID/input folks
> > than iio. HID folks, seems like it was caused here:
> > 
> > [   73.163547][ T8356]  hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)
> > 
> > before _raw_spin_lock_irqsave() gets called and KASAN triggers the slab-use-after-free.
> >   
> 
> Thanks for checking.
> 
> I agree that this does not look like an IIO-specific issue from the trace. The crash
> is reported from hid_sensor_custom_poll() in drivers/hid/hid-sensor-custom.c.
>