From: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
To: jikos@kernel.org, jic23@kernel.org,
srinivas.pandruvada@linux.intel.com, bentiss@kernel.org,
linux-input@vger.kernel.org, linux-iio@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom
Date: Sun, 14 Jun 2026 15:19:21 -0400 [thread overview]
Message-ID: <178144969601.60470.12928355382146160896@gmail.com> (raw)
Hi Kernel Maintainers,
I hit the following report while testing current upstream kernel:
KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom
on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967
I'm happy to test debug patches or provide additional information.
Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
[ 73.157590][ T8356] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave (include/linux/instrumented.h:112 include/linux/atomic/atomic-instrumented.h:1300 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:133 kernel/locking/spinlock.c:166)
[ 73.161235][ T8356] Write of size 4 at addr ffff88810eb72528 by task hid_sensor_cust/8356
[ 73.163453][ T8356] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 73.163457][ T8356] Call Trace:
[ 73.163461][ T8356] <TASK>
[ 73.163464][ T8356] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 73.163471][ T8356] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 73.163486][ T8356] kasan_report (mm/kasan/report.c:595)
[ 73.163495][ T8356] kasan_check_range (mm/kasan/generic.c:? mm/kasan/generic.c:200)
[ 73.163500][ T8356] _raw_spin_lock_irqsave (include/linux/instrumented.h:112 include/linux/atomic/atomic-instrumented.h:1300 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:133 kernel/locking/spinlock.c:166)
[ 73.163539][ T8356] add_wait_queue (kernel/sched/wait.c:23)
[ 73.163547][ T8356] hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)
[ 73.163556][ T8356] do_sys_poll (include/linux/poll.h:82 fs/select.c:877 fs/select.c:920 fs/select.c:1015)
[ 73.163692][ T8356] __x64_sys_poll (fs/select.c:1072 fs/select.c:1060 fs/select.c:1060)
[ 73.163708][ T8356] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 73.163714][ T8356] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 73.163755][ T8356] </TASK>
[ 73.214615][ T8356] Freed by task 781 on cpu 1 at 72.569353s:
[ 73.215524][ T8356] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 73.216247][ T8356] kasan_save_free_info (mm/kasan/generic.c:584)
[ 73.217018][ T8356] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 73.217739][ T8356] kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 73.218335][ T8356] devres_release_all (drivers/base/devres.c:50 drivers/base/devres.c:547 drivers/base/devres.c:576)
[ 73.219108][ T8356] device_release_driver_internal (drivers/base/dd.c:598 drivers/base/dd.c:1357 drivers/base/dd.c:1375)
[ 73.220034][ T8356] bus_remove_device (drivers/base/bus.c:657)
[ 73.220796][ T8356] device_del (drivers/base/core.c:3895)
[ 73.221458][ T8356] platform_device_unregister (drivers/base/platform.c:797 drivers/base/platform.c:839)
[ 73.222310][ T8356] mfd_remove_devices_fn (drivers/mfd/mfd-core.c:385)
[ 73.223121][ T8356] device_for_each_child_reverse (drivers/base/core.c:4065)
[ 73.224033][ T8356] mfd_remove_devices (drivers/mfd/mfd-core.c:401)
[ 73.224779][ T8356] hid_device_remove (drivers/hid/hid-core.c:?)
[ 73.225537][ T8356] device_release_driver_internal (drivers/base/dd.c:619 drivers/base/dd.c:1352 drivers/base/dd.c:1375)
[ 73.226449][ T8356] bus_remove_device (drivers/base/bus.c:657)
[ 73.227200][ T8356] device_del (drivers/base/core.c:3895)
[ 73.227857][ T8356] hid_destroy_device (drivers/hid/hid-core.c:3064 drivers/hid/hid-core.c:3086)
[ 73.228617][ T8356] usbhid_disconnect (drivers/hid/usbhid/hid-core.c:1476)
[ 73.238613][ T8356] The buggy address belongs to the object at ffff88810eb72400
[ 73.238613][ T8356] which belongs to the cache kmalloc-512 of size 512
[ 73.240744][ T8356] The buggy address is located 296 bytes inside of
[ 73.240744][ T8356] freed 512-byte region [ffff88810eb72400, ffff88810eb72600)
Best,
Shuangpeng
next reply other threads:[~2026-06-14 19:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-14 19:19 Shuangpeng Bai [this message]
2026-06-14 21:02 ` [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom Maxwell Doose
2026-06-14 21:24 ` Shuangpeng
2026-06-14 21:35 ` Maxwell Doose
2026-06-14 21:50 ` Shuangpeng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178144969601.60470.12928355382146160896@gmail.com \
--to=shuangpeng.kernel@gmail.com \
--cc=bentiss@kernel.org \
--cc=jic23@kernel.org \
--cc=jikos@kernel.org \
--cc=linux-iio@vger.kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=srinivas.pandruvada@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.