[BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

[BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

[Shuangpeng Bai]

Hi Kernel Maintainers,

I hit the following report while testing current upstream kernel:

KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>

[   73.157590][ T8356] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave (include/linux/instrumented.h:112 include/linux/atomic/atomic-instrumented.h:1300 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:133 kernel/locking/spinlock.c:166)
[   73.161235][ T8356] Write of size 4 at addr ffff88810eb72528 by task hid_sensor_cust/8356
[   73.163453][ T8356] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   73.163457][ T8356] Call Trace:
[   73.163461][ T8356]  <TASK>
[   73.163464][ T8356]  dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[   73.163471][ T8356]  print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[   73.163486][ T8356]  kasan_report (mm/kasan/report.c:595)
[   73.163495][ T8356]  kasan_check_range (mm/kasan/generic.c:? mm/kasan/generic.c:200)
[   73.163500][ T8356]  _raw_spin_lock_irqsave (include/linux/instrumented.h:112 include/linux/atomic/atomic-instrumented.h:1300 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:133 kernel/locking/spinlock.c:166)
[   73.163539][ T8356]  add_wait_queue (kernel/sched/wait.c:23)
[   73.163547][ T8356]  hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)
[   73.163556][ T8356]  do_sys_poll (include/linux/poll.h:82 fs/select.c:877 fs/select.c:920 fs/select.c:1015)
[   73.163692][ T8356]  __x64_sys_poll (fs/select.c:1072 fs/select.c:1060 fs/select.c:1060)
[   73.163708][ T8356]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[   73.163714][ T8356]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[   73.163755][ T8356]  </TASK>
[   73.214615][ T8356] Freed by task 781 on cpu 1 at 72.569353s:
[   73.215524][ T8356]  kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[   73.216247][ T8356]  kasan_save_free_info (mm/kasan/generic.c:584)
[   73.217018][ T8356]  __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[   73.217739][ T8356]  kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[   73.218335][ T8356]  devres_release_all (drivers/base/devres.c:50 drivers/base/devres.c:547 drivers/base/devres.c:576)
[   73.219108][ T8356]  device_release_driver_internal (drivers/base/dd.c:598 drivers/base/dd.c:1357 drivers/base/dd.c:1375)
[   73.220034][ T8356]  bus_remove_device (drivers/base/bus.c:657)
[   73.220796][ T8356]  device_del (drivers/base/core.c:3895)
[   73.221458][ T8356]  platform_device_unregister (drivers/base/platform.c:797 drivers/base/platform.c:839)
[   73.222310][ T8356]  mfd_remove_devices_fn (drivers/mfd/mfd-core.c:385)
[   73.223121][ T8356]  device_for_each_child_reverse (drivers/base/core.c:4065)
[   73.224033][ T8356]  mfd_remove_devices (drivers/mfd/mfd-core.c:401)
[   73.224779][ T8356]  hid_device_remove (drivers/hid/hid-core.c:?)
[   73.225537][ T8356]  device_release_driver_internal (drivers/base/dd.c:619 drivers/base/dd.c:1352 drivers/base/dd.c:1375)
[   73.226449][ T8356]  bus_remove_device (drivers/base/bus.c:657)
[   73.227200][ T8356]  device_del (drivers/base/core.c:3895)
[   73.227857][ T8356]  hid_destroy_device (drivers/hid/hid-core.c:3064 drivers/hid/hid-core.c:3086)
[   73.228617][ T8356]  usbhid_disconnect (drivers/hid/usbhid/hid-core.c:1476)
[   73.238613][ T8356] The buggy address belongs to the object at ffff88810eb72400
[   73.238613][ T8356]  which belongs to the cache kmalloc-512 of size 512
[   73.240744][ T8356] The buggy address is located 296 bytes inside of
[   73.240744][ T8356]  freed 512-byte region [ffff88810eb72400, ffff88810eb72600)


Best,
Shuangpeng

Re: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

[Maxwell Doose]

Hi Shuangpeng,

On Sun, 14 Jun 2026 15:19:21 -0400
Shuangpeng Bai <shuangpeng.kernel@gmail.com> wrote:

> I hit the following report while testing current upstream kernel:
> 
> KASAN: slab-use-after-free in _raw_spin_lock_irqsave from
> hid-sensor-custom
> 
> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
> 

Is this correct? It seems to point to changes in HPFS.

>
> The reproducer and .config files are here.
> https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967
> 
> I'm happy to test debug patches or provide additional information.
> 
> Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
> 

This bug report also seems to have nothing to do with IIO after
investigating the call trace, seems more like for the HID/input folks
than iio. HID folks, seems like it was caused here:

[   73.163547][ T8356]  hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)

before _raw_spin_lock_irqsave() gets called and KASAN triggers the slab-use-after-free.

-- 
best regards,
max

Re: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

[Shuangpeng]

> On Jun 14, 2026, at 17:02, Maxwell Doose <m32285159@gmail.com> wrote:
> 
> Hi Shuangpeng,
> 
> On Sun, 14 Jun 2026 15:19:21 -0400
> Shuangpeng Bai <shuangpeng.kernel@gmail.com> wrote:
> 
>> I hit the following report while testing current upstream kernel:
>> 
>> KASAN: slab-use-after-free in _raw_spin_lock_irqsave from
>> hid-sensor-custom
>> 
>> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
>> 
> 
> Is this correct? It seems to point to changes in HPFS.
> 

That commit was the linux.git HEAD where I reproduced the crash. I did not mean 
to imply that the HPFS merge introduced the issue.

>> 
>> The reproducer and .config files are here.
>> https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967
>> 
>> I'm happy to test debug patches or provide additional information.
>> 
>> Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
>> 
> 
> This bug report also seems to have nothing to do with IIO after
> investigating the call trace, seems more like for the HID/input folks
> than iio. HID folks, seems like it was caused here:
> 
> [   73.163547][ T8356]  hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)
> 
> before _raw_spin_lock_irqsave() gets called and KASAN triggers the slab-use-after-free.
> 

Thanks for checking.

I agree that this does not look like an IIO-specific issue from the trace. The crash
is reported from hid_sensor_custom_poll() in drivers/hid/hid-sensor-custom.c.

> -- 
> best regards,
> max

Re: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

[Maxwell Doose]

On Sun, 14 Jun 2026 17:24:12 -0400
Shuangpeng <shuangpeng.kernel@gmail.com> wrote:

> > On Jun 14, 2026, at 17:02, Maxwell Doose <m32285159@gmail.com> wrote:
> > 
> > Hi Shuangpeng,
> > 
> > On Sun, 14 Jun 2026 15:19:21 -0400
> > Shuangpeng Bai <shuangpeng.kernel@gmail.com> wrote:
> >   
> >> I hit the following report while testing current upstream kernel:
> >> 
> >> KASAN: slab-use-after-free in _raw_spin_lock_irqsave from
> >> hid-sensor-custom
> >> 
> >> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
> >>   
> > 
> > Is this correct? It seems to point to changes in HPFS.
> >   
> 
> That commit was the linux.git HEAD where I reproduced the crash. I did not mean 
> to imply that the HPFS merge introduced the issue.
> 

If you have (a lot of) time, it may be worth trying git bisect to get
the exact commit. No worries if you don't of course, but it would be
incredibly helpful to the HID folks.

-- 
best regards,
max



> >> 
> >> The reproducer and .config files are here.
> >> https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967
> >> 
> >> I'm happy to test debug patches or provide additional information.
> >> 
> >> Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
> >>   
> > 
> > This bug report also seems to have nothing to do with IIO after
> > investigating the call trace, seems more like for the HID/input folks
> > than iio. HID folks, seems like it was caused here:
> > 
> > [   73.163547][ T8356]  hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)
> > 
> > before _raw_spin_lock_irqsave() gets called and KASAN triggers the slab-use-after-free.
> >   
> 
> Thanks for checking.
> 
> I agree that this does not look like an IIO-specific issue from the trace. The crash
> is reported from hid_sensor_custom_poll() in drivers/hid/hid-sensor-custom.c.
> 

Re: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom

[Shuangpeng]

> On Jun 14, 2026, at 17:35, Maxwell Doose <m32285159@gmail.com> wrote:
> 
> On Sun, 14 Jun 2026 17:24:12 -0400
> Shuangpeng <shuangpeng.kernel@gmail.com> wrote:
> 
>>> On Jun 14, 2026, at 17:02, Maxwell Doose <m32285159@gmail.com> wrote:
>>> 
>>> Hi Shuangpeng,
>>> 
>>> On Sun, 14 Jun 2026 15:19:21 -0400
>>> Shuangpeng Bai <shuangpeng.kernel@gmail.com> wrote:
>>> 
>>>> I hit the following report while testing current upstream kernel:
>>>> 
>>>> KASAN: slab-use-after-free in _raw_spin_lock_irqsave from
>>>> hid-sensor-custom
>>>> 
>>>> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
>>>> 
>>> 
>>> Is this correct? It seems to point to changes in HPFS.
>>> 
>> 
>> That commit was the linux.git HEAD where I reproduced the crash. I did not mean 
>> to imply that the HPFS merge introduced the issue.
>> 
> 
> If you have (a lot of) time, it may be worth trying git bisect to get
> the exact commit. No worries if you don't of course, but it would be
> incredibly helpful to the HID folks.
> 

Thanks for the suggestion.

Unfortunately, I don’t have enough time to run a bisect right now,
but I’ll keep it in mind and will follow up if I get a chance to look
into it later.

Best,
Shuangpeng

> -- 
> best regards,
> max
> 
> 
> 
>>>> 
>>>> The reproducer and .config files are here.
>>>> https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967
>>>> 
>>>> I'm happy to test debug patches or provide additional information.
>>>> 
>>>> Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
>>>> 
>>> 
>>> This bug report also seems to have nothing to do with IIO after
>>> investigating the call trace, seems more like for the HID/input folks
>>> than iio. HID folks, seems like it was caused here:
>>> 
>>> [   73.163547][ T8356]  hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)
>>> 
>>> before _raw_spin_lock_irqsave() gets called and KASAN triggers the slab-use-after-free.
>>> 
>> 
>> Thanks for checking.
>> 
>> I agree that this does not look like an IIO-specific issue from the trace. The crash
>> is reported from hid_sensor_custom_poll() in drivers/hid/hid-sensor-custom.c.