Date: Sun, 14 Jun 2026 16:35:18 -0500
From: Maxwell Doose
To: Shuangpeng
Cc: jikos@kernel.org, jic23@kernel.org, srinivas.pandruvada@linux.intel.com, bentiss@kernel.org, linux-input@vger.kernel.org, linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [BUG] KASAN: slab-use-after-free in _raw_spin_lock_irqsave from hid-sensor-custom
Message-ID: <20260614163518.2a265172@linuxescape>

On Sun, 14 Jun 2026 17:24:12 -0400
Shuangpeng wrote:

> > On Jun 14, 2026, at 17:02, Maxwell Doose wrote:
> >
> > Hi Shuangpeng,
> >
> > On Sun, 14 Jun 2026 15:19:21 -0400
> > Shuangpeng Bai wrote:
> >
> >> I hit the following report while testing current upstream kernel:
> >>
> >> KASAN: slab-use-after-free in _raw_spin_lock_irqsave from
> >> hid-sensor-custom
> >>
> >> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
> >>
> >
> > Is this correct? It seems to point to changes in HPFS.
> >
>
> That commit was the linux.git HEAD where I reproduced the crash. I did not mean
> to imply that the HPFS merge introduced the issue.
>

If you have (a lot of) time, it may be worth trying git bisect to get the exact commit.
No worries if you don't of course, but it would be incredibly helpful to the HID folks.

--
best regards,
max

> >>
> >> The reproducer and .config files are here.
> >> https://gist.github.com/shuangpengbai/d82ac0d19fda016e81d7fa1ab028d967
> >>
> >> I'm happy to test debug patches or provide additional information.
> >>
> >> Reported-by: Shuangpeng Bai
> >>
> >
> > This bug report also seems to have nothing to do with IIO after
> > investigating the call trace, seems more like for the HID/input folks
> > than iio. HID folks, seems like it was caused here:
> >
> > [ 73.163547][ T8356] hid_sensor_custom_poll (include/linux/poll.h:45 drivers/hid/hid-sensor-custom.c:706)
> >
> > before _raw_spin_lock_irqsave() gets called and KASAN triggers the slab-use-after-free.
> >
>
> Thanks for checking.
>
> I agree that this does not look like an IIO-specific issue from the trace. The crash
> is reported from hid_sensor_custom_poll() in drivers/hid/hid-sensor-custom.c.
>