==================================================================
BUG: KASAN: use-after-free in mcp2221_raw_event+0xf94/0x1030 drivers/hid/hid-mcp2221.c:854
Read of size 1 at addr ffff888023f6bfff by task kworker/u8:9/3454

CPU: 0 UID: 0 PID: 3454 Comm: kworker/u8:9 Not tainted 6.16.0-rc3-syzkaller-00233-g35e261cd95dd #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: bat_events batadv_nc_worker
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xcd/0x680 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 mcp2221_raw_event+0xf94/0x1030 drivers/hid/hid-mcp2221.c:854
 __hid_input_report.constprop.0+0x314/0x450 drivers/hid/hid-core.c:2117
 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x38d/0x6e0 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x180e/0x3a20 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lockdep_enabled kernel/locking/lockdep.c:124 [inline]
RIP: 0010:lock_acquire kernel/locking/lockdep.c:5847 [inline]
RIP: 0010:lock_acquire+0x127/0x350 kernel/locking/lockdep.c:5828
Code: 0d a2 ca 0f 0f 85 c9 0f 84 b1 00 00 00 65 8b 05 17 a4 34 12 85 c0 0f 85 a2 00 00 00 65 48 8b 05 57 62 34 12 8b 90 ec 0a 00 00 <85> d2 0f 85 8c 00 00 00 9c 8f 04 24 fa 48 c7 c7 d3 c4 f0 8d e8 20
RSP: 0018:ffffc9000d047ab0 EFLAGS: 00000246
RAX: ffff888033084880 RBX: ffffffff8e5c4940 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8b4e101a RDI: fffffbfff1cb8928
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000400 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_read_lock include/linux/rcupdate.h:841 [inline]
 batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:408 [inline]
 batadv_nc_worker+0x16a/0x1030 net/batman-adv/network-coding.c:719
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23f6b
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00008fda88 ffffea0001efccc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xcc0(GFP_KERNEL), pid 13173, tgid 13169 (syz.3.1611), ts 648248041908, free_ts 661191852808
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
 __alloc_pages_noprof mm/page_alloc.c:4993 [inline]
 alloc_pages_bulk_noprof+0x71c/0x1410 mm/page_alloc.c:4913
 ___alloc_pages_bulk mm/kasan/shadow.c:344 [inline]
 __kasan_populate_vmalloc mm/kasan/shadow.c:368 [inline]
 kasan_populate_vmalloc+0xf1/0x1f0 mm/kasan/shadow.c:417
 alloc_vmap_area+0x959/0x29c0 mm/vmalloc.c:2084
 __get_vm_area_node+0x1ca/0x330 mm/vmalloc.c:3179
 __vmalloc_node_range_noprof+0x271/0x14b0 mm/vmalloc.c:3845
 __vmalloc_node_noprof+0xad/0xf0 mm/vmalloc.c:3948
 __snd_dma_alloc_pages+0x53/0x90 sound/core/memalloc.c:45
 snd_dma_alloc_dir_pages+0x151/0x240 sound/core/memalloc.c:79
 do_alloc_pages+0x115/0x280 sound/core/pcm_memory.c:69
 snd_pcm_lib_malloc_pages+0x3df/0x980 sound/core/pcm_memory.c:455
 snd_pcm_hw_params+0x15e1/0x1b40 sound/core/pcm_native.c:790
 snd_pcm_kernel_ioctl+0x147/0x2e0 sound/core/pcm_native.c:3457
 snd_pcm_oss_change_params_locked+0x1432/0x3a30 sound/core/oss/pcm_oss.c:965
page last free pid 5923 tgid 5923 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
 kasan_depopulate_vmalloc_pte+0x5f/0x80 mm/kasan/shadow.c:472
 apply_to_pte_range mm/memory.c:3032 [inline]
 apply_to_pmd_range mm/memory.c:3076 [inline]
 apply_to_pud_range mm/memory.c:3112 [inline]
 apply_to_p4d_range mm/memory.c:3148 [inline]
 __apply_to_page_range+0xa92/0x1350 mm/memory.c:3184
 kasan_release_vmalloc+0xd1/0xe0 mm/kasan/shadow.c:593
 kasan_release_vmalloc_node mm/vmalloc.c:2241 [inline]
 purge_vmap_node+0x1c4/0xa30 mm/vmalloc.c:2258
 __purge_vmap_area_lazy+0xa06/0xc60 mm/vmalloc.c:2348
 drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2382
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888023f6be80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888023f6bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888023f6bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                ^
 ffff888023f6c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888023f6c080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	0d a2 ca 0f 0f       	or     $0xf0fcaa2,%eax
   5:	85 c9                	test   %ecx,%ecx
   7:	0f 84 b1 00 00 00    	je     0xbe
   d:	65 8b 05 17 a4 34 12 	mov    %gs:0x1234a417(%rip),%eax        # 0x1234a42b
  14:	85 c0                	test   %eax,%eax
  16:	0f 85 a2 00 00 00    	jne    0xbe
  1c:	65 48 8b 05 57 62 34 	mov    %gs:0x12346257(%rip),%rax        # 0x1234627b
  23:	12
  24:	8b 90 ec 0a 00 00    	mov    0xaec(%rax),%edx
* 2a:	85 d2                	test   %edx,%edx <-- trapping instruction
  2c:	0f 85 8c 00 00 00    	jne    0xbe
  32:	9c                   	pushf
  33:	8f 04 24             	pop    (%rsp)
  36:	fa                   	cli
  37:	48 c7 c7 d3 c4 f0 8d 	mov    $0xffffffff8df0c4d3,%rdi
  3e:	e8                   	.byte 0xe8
  3f:	20                   	.byte 0x20