==================================================================
BUG: KASAN: use-after-free in mcp2221_raw_event+0x106a/0x1240 drivers/hid/hid-mcp2221.c:950
Read of size 1 at addr ffff888022adbfff by task udevd/5193
CPU: 0 UID: 0 PID: 5193 Comm: udevd Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
mcp2221_raw_event+0x106a/0x1240 drivers/hid/hid-mcp2221.c:950
__hid_input_report drivers/hid/hid-core.c:2140 [inline]
hid_input_report+0x41d/0x580 drivers/hid/hid-core.c:2167
hid_irq_in+0x47e/0x6d0 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1657
dummy_timer+0xbbd/0x45d0 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x53a/0xcc0 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x182/0x5a0 kernel/time/hrtimer.c:1866
handle_softirqs+0x22a/0x870 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:hlist_bl_first_rcu include/linux/rculist_bl.h:24 [inline]
RIP: 0010:__d_lookup+0x10d/0x780 fs/dcache.c:2447
Code: 05 52 17 b2 0d 01 48 c7 c7 80 12 de 8b be 54 03 00 00 48 c7 c2 c0 12 de 8b e8 7f 49 58 ff 49 89 de 49 c1 ee 03 43 80 3c 26 00 <74> 08 48 89 df e8 19 77 e6 ff 4c 8b 3b e8 51 fb 65 09 89 c5 31 ff
RSP: 0018:ffffc90002f47768 EFLAGS: 00000246
RAX: ffffffff82498c39 RBX: ffffc90000739598 RCX: ffff88807cb50000
RDX: 0000000000000000 RSI: ffffffff8c27d0e0 RDI: ffffffff8c27d0a0
RBP: 0000000000000001 R08: ffffffff82498bf6 R09: ffffffff8e75e5e0
R10: 000000000000002f R11: 0000000000000000 R12: dffffc0000000000
R13: ffffffff82498bf6 R14: 1ffff920000e72b3 R15: 1ffff920005e8f8b
lookup_fast+0x84/0x5b0 fs/namei.c:1874
walk_component fs/namei.c:2275 [inline]
link_path_walk+0x720/0x18d0 fs/namei.c:2653
path_openat+0x2c3/0x3860 fs/namei.c:4832
do_file_open+0x23e/0x4a0 fs/namei.c:4865
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7e2aca7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffcd725de30 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f7e2b362880 RCX: 00007f7e2aca7407
RDX: 0000000000080000 RSI: 00007ffcd725dfb0 RDI: ffffffffffffff9c
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 000055719409a7f5
R13: 000055719409a7f5 R14: 0000000000000001 R15: 0000000000000000
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888022adb000 pfn:0x22adb
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00019c6748 ffffea0001274148 0000000000000000
raw: ffff888022adb000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x440dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_COMP), pid 6577, tgid 6577 (syz.1.4571), ts 1150309354549, free_ts 1150691521740
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
prep_new_page mm/page_alloc.c:1897 [inline]
get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2490
alloc_frozen_pages_noprof mm/mempolicy.c:2561 [inline]
alloc_pages_noprof+0xa8/0x1a0 mm/mempolicy.c:2581
pagetable_alloc_noprof include/linux/mm.h:3404 [inline]
__pud_alloc_one_noprof include/asm-generic/pgalloc.h:181 [inline]
pud_alloc_one_noprof include/asm-generic/pgalloc.h:206 [inline]
__pud_alloc+0x3a/0x460 mm/memory.c:6686
pud_alloc include/linux/mm.h:3314 [inline]
__handle_mm_fault mm/memory.c:6377 [inline]
handle_mm_fault+0x2040/0x3310 mm/memory.c:6624
do_user_addr_fault+0xa73/0x1340 arch/x86/mm/fault.c:1334
handle_page_fault arch/x86/mm/fault.c:1474 [inline]
exc_page_fault+0x6a/0xc0 arch/x86/mm/fault.c:1527
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 15 tgid 15 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1433 [inline]
__free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
__tlb_remove_table_free mm/mmu_gather.c:228 [inline]
tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:291
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x870 kernel/softirq.c:622
run_ksoftirqd+0x36/0x60 kernel/softirq.c:1063
smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff888022adbe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888022adbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888022adbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                ^
ffff888022adc000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888022adc080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 05 52 17 b2 0d add $0xdb21752,%eax
5: 01 48 c7 add %ecx,-0x39(%rax)
8: c7 80 12 de 8b be 54 movl $0x354,-0x417421ee(%rax)
f: 03 00 00
12: 48 c7 c2 c0 12 de 8b mov $0xffffffff8bde12c0,%rdx
19: e8 7f 49 58 ff call 0xff58499d
1e: 49 89 de mov %rbx,%r14
21: 49 c1 ee 03 shr $0x3,%r14
25: 43 80 3c 26 00 cmpb $0x0,(%r14,%r12,1)
* 2a: 74 08 je 0x34 <-- trapping instruction
2c: 48 89 df mov %rbx,%rdi
2f: e8 19 77 e6 ff call 0xffe6774d
34: 4c 8b 3b mov (%rbx),%r15
37: e8 51 fb 65 09 call 0x965fb8d
3c: 89 c5 mov %eax,%ebp
3e: 31 ff xor %edi,%edi