Re: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

From: Shuangpeng

Date: Sun Jun 14 2026 - 17:50:55 EST



> On Jun 14, 2026, at 17:35, Maxwell Doose <m32285159@xxxxxxxxx> wrote:
>
> On Sun, 14 Jun 2026 17:24:12 -0400
> Shuangpeng <shuangpeng.kernel@xxxxxxxxx> wrote:
>
>>> On Jun 14, 2026, at 17:02, Maxwell Doose <m32285159@xxxxxxxxx> wrote:
>>>
>>> Hi Shuangpeng,
>>>
>>> On Sun, 14 Jun 2026 15:19:21 -0400
>>> Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx> wrote:
>>>
>>>> I hit the following report while testing current upstream kernel:
>>>>
>>>> KASAN: slab-use-after-free in _raw_spin_lock_irqsave from
>>>> hid-sensor-custom
>>>>
>>>> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
>>>>
>>>
>>> Is this correct? It seems to point to changes in HPFS.
>>>
>>
>> That commit was the linux.git HEAD where I reproduced the crash. I did not mean
>> to imply that the HPFS merge introduced the issue.
>>
>
> If you have (a lot of) time, it may be worth trying git bisect to get
> the exact commit. No worries if you don't of course, but it would be
> incredibly helpful to the HID folks.
>

Thanks for the suggestion.

Unfortunately, I don’t have enough time to run a bisect right now,
but I’ll keep it in mind and will follow up if I get a chance to look
into it later.

Best,
Shuangpeng

> --
> best regards,
> max
>
>
>
>>>>
>>>> The reproducer and .config files are here.
>>>> https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967
>>>>
>>>> I'm happy to test debug patches or provide additional information.
>>>>
>>>> Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
>>>>
>>>
>>> This bug report also seems to have nothing to do with IIO after
>>> investigating the call trace, seems more like for the HID/input folks
>>> than iio. HID folks, seems like it was caused here:
>>>
>>> [ 73.163547][ T8356] hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)
>>>
>>> before _raw_spin_lock_irqsave() gets called and KASAN triggers the slab-use-after-free.
>>>
>>
>> Thanks for checking.
>>
>> I agree that this does not look like an IIO-specific issue from the trace. The crash
>> is reported from hid_sensor_custom_poll() in drivers/hid/hid-sensor-custom.c.