Re: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

Next message: Dmitry Torokhov: "Re: [PATCH] Input: goodix - clamp the device-reported contact count"
Previous message: Tejun Heo: "[PATCH bpf-next] arm64: mm: Remove misleading pte_none() comment from ptep_try_set()"
In reply to: Shuangpeng Bai: "[BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom"
Next in thread: Shuangpeng: "Re: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Maxwell Doose

Date: Sun Jun 14 2026 - 17:02:48 EST

Hi Shuangpeng,

On Sun, 14 Jun 2026 15:19:21 -0400
Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx> wrote:

> I hit the following report while testing current upstream kernel:
>
> KASAN: slab-use-after-free in _raw_spin_lock_irqsave from
> hid-sensor-custom
>
> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
>

Is this correct? It seems to point to changes in HPFS.

>
> The reproducer and .config files are here.
> https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967
>
> I'm happy to test debug patches or provide additional information.
>
> Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
>

This bug report also seems to have nothing to do with IIO after
investigating the call trace, seems more like for the HID/input folks
than iio. HID folks, seems like it was caused here:

[ 73.163547][ T8356] hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)

before _raw_spin_lock_irqsave() gets called and KASAN triggers the slab-use-after-free.

--
best regards,
max