==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x1070/0x10a0 drivers/hid/hid-mcp2221.c:948
Read of size 1 at addr ffff88811cc1ffff by task kworker/0:7/6680

CPU: 0 UID: 0 PID: 6680 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 mcp2221_raw_event+0x1070/0x10a0 drivers/hid/hid-mcp2221.c:948
 __hid_input_report.constprop.0+0x314/0x470 drivers/hid/hid-core.c:2139
 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
 dummy_timer+0x1809/0x3ad0 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
 __hrtimer_run_queues+0x202/0xc40 kernel/time/hrtimer.c:1841
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1858
 handle_softirqs+0x208/0x940 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:finish_task_switch.isra.0+0x1cf/0x990 kernel/sched/core.c:5114
Code: 0f 85 0a 07 00 00 8b 0d e3 88 54 09 85 c9 0f 85 2d 03 00 00 48 89 df e8 6f 68 09 06 e8 8a f3 37 00 fb 65 48 8b 1d 69 a0 52 0b <48> 8d bb 40 15 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
RSP: 0018:ffffc90015086858 EFLAGS: 00000206
RAX: 000000000066a63f RBX: ffff8881227b0000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffffff88d036ab RDI: ffffffff878a7200
RBP: ffffc90015086898 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8aa48bd7 R11: ffff8881227b0aa8 R12: ffff88810be93a80
R13: 0000000000000000 R14: ffff8881f5639bd8 R15: ffff8881f56390d8
 context_switch kernel/sched/core.c:5259 [inline]
 __schedule+0x1465/0x4a00 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0xe7/0x3a0 kernel/sched/core.c:6960
 schedule_hrtimeout_range_clock+0x217/0x320 kernel/time/sleep_timeout.c:216
 schedule_hrtimeout_range kernel/time/sleep_timeout.c:263 [inline]
 usleep_range_state+0x16c/0x220 kernel/time/sleep_timeout.c:373
 usleep_range include/linux/delay.h:77 [inline]
 mcp_set_i2c_speed drivers/hid/hid-mcp2221.c:244 [inline]
 mcp2221_probe+0xa69/0xc50 drivers/hid/hid-mcp2221.c:1273
 __hid_device_probe drivers/hid/hid-core.c:2775 [inline]
 hid_device_probe+0x5ba/0x8d0 drivers/hid/hid-core.c:2812
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xb20 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x470 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x350 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4e0 drivers/base/dd.c:1031
 device_initial_probe+0xaa/0xc0 drivers/base/dd.c:1086
 bus_probe_device+0x64/0x150 drivers/base/bus.c:574
 device_add+0x116e/0x1980 drivers/base/core.c:3689
 hid_add_device+0x31b/0x5c0 drivers/hid/hid-core.c:2951
 usbhid_probe+0xd5d/0x1410 drivers/hid/usbhid/hid-core.c:1435
 usb_probe_interface+0x303/0xa80 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xb20 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x470 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x350 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4e0 drivers/base/dd.c:1031
 device_initial_probe+0xaa/0xc0 drivers/base/dd.c:1086
 bus_probe_device+0x64/0x150 drivers/base/bus.c:574
 device_add+0x116e/0x1980 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e50 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xb20 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x470 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x350 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4e0 drivers/base/dd.c:1031
 device_initial_probe+0xaa/0xc0 drivers/base/dd.c:1086
 bus_probe_device+0x64/0x150 drivers/base/bus.c:574
 device_add+0x116e/0x1980 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a90 drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x31bf/0x5420 drivers/usb/core/hub.c:5953
 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x74f/0xa30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>

Allocated by task 2856:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
 kasan_save_track+0x14/0x30 mm/kasan/common.c:77
 unpoison_slab_object mm/kasan/common.c:339 [inline]
 __kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:365
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_noprof+0x26e/0x740 mm/slub.c:5270
 alloc_empty_file+0x55/0x1e0 fs/file_table.c:237
 path_openat+0xde/0x3140 fs/namei.c:4773
 do_filp_open+0x20b/0x470 fs/namei.c:4814
 do_sys_openat2+0x11f/0x250 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_openat fs/open.c:1452 [inline]
 __se_sys_openat fs/open.c:1447 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1447
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x570 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 14:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
 kasan_save_track+0x14/0x30 mm/kasan/common.c:77
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x43/0x70 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free_after_rcu_debug+0xc9/0x250 mm/slub.c:6727
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0x79c/0x15f0 kernel/rcu/tree.c:2857
 handle_softirqs+0x208/0x940 kernel/softirq.c:622
 run_ksoftirqd kernel/softirq.c:1063 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:1055
 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x74f/0xa30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
 kasan_record_aux_stack+0x8c/0xa0 mm/kasan/generic.c:556
 slab_free_hook mm/slub.c:2501 [inline]
 slab_free mm/slub.c:6668 [inline]
 kmem_cache_free+0x13f/0x710 mm/slub.c:6779
 file_free fs/file_table.c:79 [inline]
 __fput+0x68d/0xb70 fs/file_table.c:481
 fput_close_sync+0x118/0x260 fs/file_table.c:573
 __do_sys_close fs/open.c:1573 [inline]
 __se_sys_close fs/open.c:1558 [inline]
 __x64_sys_close+0x8b/0x120 fs/open.c:1558
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x570 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88811cc1fdc0
 which belongs to the cache filp of size 360
The buggy address is located 215 bytes to the right of
 allocated 360-byte region [ffff88811cc1fdc0, ffff88811cc1ff28)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88811cc1fa40 pfn:0x11cc1e
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88811c5c7801
flags: 0x200000000000240(workingset|head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000240 ffff8881012a13c0 ffffea00046cae90 ffffea0004d2de90
raw: ffff88811cc1fa40 0000000000120011 00000000f5000000 ffff88811c5c7801
head: 0200000000000240 ffff8881012a13c0 ffffea00046cae90 ffffea0004d2de90
head: ffff88811cc1fa40 0000000000120011 00000000f5000000 ffff88811c5c7801
head: 0200000000000001 ffffea0004730781 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2856, tgid 2856 (udevd), ts 13861101301, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1af/0x220 mm/page_alloc.c:1846
 prep_new_page mm/page_alloc.c:1854 [inline]
 get_page_from_freelist+0x1058/0x3cb0 mm/page_alloc.c:3915
 __alloc_frozen_pages_noprof+0x259/0x21c0 mm/page_alloc.c:5210
 alloc_pages_mpol+0xe4/0x410 mm/mempolicy.c:2486
 alloc_slab_page mm/slub.c:3075 [inline]
 allocate_slab mm/slub.c:3248 [inline]
 new_slab+0x2c3/0x430 mm/slub.c:3302
 ___slab_alloc+0xe20/0x1ca0 mm/slub.c:4656
 __slab_alloc.constprop.0+0x63/0x110 mm/slub.c:4779
 __slab_alloc_node mm/slub.c:4855 [inline]
 slab_alloc_node mm/slub.c:5251 [inline]
 kmem_cache_alloc_noprof+0x3a1/0x740 mm/slub.c:5270
 alloc_empty_file+0x55/0x1e0 fs/file_table.c:237
 path_openat+0xde/0x3140 fs/namei.c:4773
 do_filp_open+0x20b/0x470 fs/namei.c:4814
 do_sys_openat2+0x11f/0x250 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_openat fs/open.c:1452 [inline]
 __se_sys_openat fs/open.c:1447 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1447
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x570 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88811cc1fe80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811cc1ff00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
>ffff88811cc1ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88811cc20000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88811cc20080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	0f 85 0a 07 00 00    	jne    0x710
   6:	8b 0d e3 88 54 09    	mov    0x95488e3(%rip),%ecx        # 0x95488ef
   c:	85 c9                	test   %ecx,%ecx
   e:	0f 85 2d 03 00 00    	jne    0x341
  14:	48 89 df             	mov    %rbx,%rdi
  17:	e8 6f 68 09 06       	call   0x609688b
  1c:	e8 8a f3 37 00       	call   0x37f3ab
  21:	fb                   	sti
  22:	65 48 8b 1d 69 a0 52 	mov    %gs:0xb52a069(%rip),%rbx        # 0xb52a093
  29:	0b
* 2a:	48 8d bb 40 15 00 00 	lea    0x1540(%rbx),%rdi <-- trapping instruction
  31:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  38:	fc ff df
  3b:	48 89 fa             	mov    %rdi,%rdx
  3e:	48                   	rex.W
  3f:	c1                   	.byte 0xc1