==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x101c/0x1090 drivers/hid/hid-mcp2221.c:964
Read of size 1 at addr ffff88811ad37fff by task syz.1.5600/27981
CPU: 0 UID: 0 PID: 27981 Comm: syz.1.5600 Not tainted syzkaller #0 PREEMPT(lazy)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x13d/0x4b0 mm/kasan/report.c:482
kasan_report+0xdf/0x1d0 mm/kasan/report.c:595
mcp2221_raw_event+0x101c/0x1090 drivers/hid/hid-mcp2221.c:964
__hid_input_report.constprop.0+0x319/0x470 drivers/hid/hid-core.c:2161
hid_irq_in+0x55d/0x710 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xda1/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:2005
__run_hrtimer kernel/time/hrtimer.c:1930 [inline]
__hrtimer_run_queues+0x470/0xa00 kernel/time/hrtimer.c:1994
hrtimer_run_softirq+0x17d/0x2c0 kernel/time/hrtimer.c:2011
handle_softirqs+0x1dd/0x9e0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x160/0x210 kernel/softirq.c:735
irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:finish_task_switch.isra.0+0x21a/0xa20 kernel/sched/core.c:5245
Code: 08 3c 03 0f 8e 26 06 00 00 c7 83 00 0d 00 00 00 00 00 00 48 8d 7b 48 e8 94 5e ec 05 e8 ef e7 36 00 fb 49 8d bc 24 e8 15 00 00 <48> b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 04 02 84
RSP: 0018:ffffc90003977a18 EFLAGS: 00000206
RAX: 00000000000003a5 RBX: ffff8881f5639680 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff890c9ef8 RDI: ffff88810aaeef28
RBP: ffffc90003977a58 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88810aaed940
R13: ffff8881226e3b80 R14: 0000000000000000 R15: ffff8881f563a380
context_switch kernel/sched/core.c:5391 [inline]
__schedule+0x1140/0x47e0 kernel/sched/core.c:7189
__schedule_loop kernel/sched/core.c:7268 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:7283
schedule_timeout+0x1b2/0x280 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
wait_for_common kernel/sched/completion.c:132 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:221
raw_process_ep0_io+0x3af/0x9c0 drivers/usb/gadget/legacy/raw_gadget.c:736
raw_ioctl_ep0_write drivers/usb/gadget/legacy/raw_gadget.c:767 [inline]
raw_ioctl+0x1369/0x2b80 drivers/usb/gadget/legacy/raw_gadget.c:1313
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f351581caeb
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007f3514274f00 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f351581caeb
RDX: 00007f3514274fc0 RSI: 0000000040085503 RDI: 0000000000000003
RBP: 00007f3514275fd0 R08: 00007f35156e4ba7 R09: 00007f3514274fc8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000080085502
R13: 0000000800000000 R14: 0000000000000008 R15: 00007f35158d125f
Allocated by task 18501:
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4570 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
kmem_cache_alloc_noprof+0x2e7/0x6a0 mm/slub.c:4906
sk_prot_alloc+0x60/0x2a0 net/core/sock.c:2241
sk_alloc+0x36/0xe80 net/core/sock.c:2303
inet_create net/ipv4/af_inet.c:333 [inline]
inet_create+0x3a0/0x1060 net/ipv4/af_inet.c:259
__sock_create+0x339/0x860 net/socket.c:1664
sock_create net/socket.c:1722 [inline]
__sys_socket_create net/socket.c:1759 [inline]
__sys_socket+0x14d/0x260 net/socket.c:1806
__do_sys_socket net/socket.c:1820 [inline]
__se_sys_socket net/socket.c:1818 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1818
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 14:
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:78
kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x43/0x70 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free_after_rcu_debug+0xa2/0x100 mm/slub.c:6313
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x5a2/0x10d0 kernel/rcu/tree.c:2869
handle_softirqs+0x1dd/0x9e0 kernel/softirq.c:622
run_ksoftirqd kernel/softirq.c:1076 [inline]
run_ksoftirqd+0x38/0x60 kernel/softirq.c:1068
smpboot_thread_fn+0x3d3/0xaa0 kernel/smpboot.c:160
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x69a/0xc80 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Last potentially related work creation:
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_record_aux_stack+0x8c/0xa0 mm/kasan/generic.c:556
slab_free_hook mm/slub.c:2650 [inline]
slab_free mm/slub.c:6251 [inline]
kmem_cache_free+0x414/0x660 mm/slub.c:6378
sk_prot_free net/core/sock.c:2284 [inline]
__sk_destruct+0x62a/0xab0 net/core/sock.c:2386
sk_destruct+0xc8/0xf0 net/core/sock.c:2414
__sk_free+0xf4/0x3e0 net/core/sock.c:2425
sk_free+0x61/0x90 net/core/sock.c:2436
sock_put include/net/sock.h:2010 [inline]
tcp_close+0xc6/0x110 net/ipv4/tcp.c:3317
inet_release+0xed/0x200 net/ipv4/af_inet.c:442
__sock_release+0xb3/0x260 net/socket.c:722
sock_close+0x1c/0x30 net/socket.c:1514
__fput+0x3ff/0xb50 fs/file_table.c:510
fput_close_sync+0x118/0x250 fs/file_table.c:615
__do_sys_close fs/open.c:1507 [inline]
__se_sys_close fs/open.c:1492 [inline]
__x64_sys_close+0x8b/0x120 fs/open.c:1492
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88811ad36800
which belongs to the cache TCP of size 3200
The buggy address is located 2943 bytes to the right of
allocated 3200-byte region [ffff88811ad36800, ffff88811ad37480)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ad30
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88811ad37501
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888106699780 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800090009 00000000f5000000 ffff88811ad37501
head: 0200000000000040 ffff888106699780 dead000000000100 dead000000000122
head: 0000000000000000 0000000800090009 00000000f5000000 ffff88811ad37501
head: 0200000000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 19235, tgid 19235 (syz-executor), ts 3153086566967, free_ts 3152829583757
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853
prep_new_page mm/page_alloc.c:1861 [inline]
get_page_from_freelist+0x20a5/0x3850 mm/page_alloc.c:3941
__alloc_frozen_pages_noprof+0x273/0x28a0 mm/page_alloc.c:5221
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab mm/slub.c:3467 [inline]
new_slab+0xa6/0x6b0 mm/slub.c:3525
refill_objects+0x277/0x420 mm/slub.c:7272
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x375/0x650 mm/slub.c:4652
alloc_from_pcs mm/slub.c:4750 [inline]
slab_alloc_node mm/slub.c:4884 [inline]
kmem_cache_alloc_noprof+0x520/0x6a0 mm/slub.c:4906
sk_prot_alloc+0x60/0x2a0 net/core/sock.c:2241
sk_alloc+0x36/0xe80 net/core/sock.c:2303
inet_create net/ipv4/af_inet.c:333 [inline]
inet_create+0x3a0/0x1060 net/ipv4/af_inet.c:259
__sock_create+0x339/0x860 net/socket.c:1664
sock_create net/socket.c:1722 [inline]
__sys_socket_create net/socket.c:1759 [inline]
__sys_socket+0x14d/0x260 net/socket.c:1806
__do_sys_socket net/socket.c:1820 [inline]
__se_sys_socket net/socket.c:1818 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1818
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 2961 tgid 2961 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1397 [inline]
__free_frozen_pages+0x6d8/0xf60 mm/page_alloc.c:2938
__folio_put+0x278/0x470 mm/swap.c:112
folio_put include/linux/mm.h:2090 [inline]
put_page include/linux/mm.h:2159 [inline]
put_netmem include/net/netmem.h:394 [inline]
skb_page_unref include/linux/skbuff_ref.h:43 [inline]
__skb_frag_unref include/linux/skbuff_ref.h:56 [inline]
skb_release_data+0x649/0x8e0 net/core/skbuff.c:1108
skb_release_all net/core/skbuff.c:1189 [inline]
__kfree_skb+0x4f/0x70 net/core/skbuff.c:1203
tcp_wmem_free_skb include/net/tcp.h:334 [inline]
tcp_rtx_queue_unlink_and_free include/net/tcp.h:2344 [inline]
tcp_clean_rtx_queue net/ipv4/tcp_input.c:3698 [inline]
tcp_ack+0x1fa2/0x7420 net/ipv4/tcp_input.c:4370
tcp_rcv_established+0x1132/0x3910 net/ipv4/tcp_input.c:6556
tcp_v4_do_rcv+0x5bb/0xc30 net/ipv4/tcp_ipv4.c:1851
sk_backlog_rcv include/net/sock.h:1190 [inline]
__release_sock+0x35a/0x440 net/core/sock.c:3216
release_sock+0x1e5/0x280 net/core/sock.c:3815
tcp_sendmsg+0x38/0x50 net/ipv4/tcp.c:1453
inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:866
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
sock_write_iter+0x4ea/0x5a0 net/socket.c:1254
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x1f8/0x250 fs/read_write.c:740
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88811ad37e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88811ad37f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88811ad37f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
ffff88811ad38000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88811ad38080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 08 3c 03 or %bh,(%rbx,%rax,1)
3: 0f 8e 26 06 00 00 jle 0x62f
9: c7 83 00 0d 00 00 00 movl $0x0,0xd00(%rbx)
10: 00 00 00
13: 48 8d 7b 48 lea 0x48(%rbx),%rdi
17: e8 94 5e ec 05 call 0x5ec5eb0
1c: e8 ef e7 36 00 call 0x36e810
21: fb sti
22: 49 8d bc 24 e8 15 00 lea 0x15e8(%r12),%rdi
29: 00
* 2a: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax <-- trapping instruction
31: fc ff df
34: 48 89 fa mov %rdi,%rdx
37: 48 c1 ea 03 shr $0x3,%rdx
3b: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax
3f: 84 .byte 0x84