==================================================================
BUG: KASAN: use-after-free in mcp2221_raw_event+0xf94/0x1030 drivers/hid/hid-mcp2221.c:944
Read of size 1 at addr ffff88806f5e7fff by task syz.2.793/9890
CPU: 0 UID: 0 PID: 9890 Comm: syz.2.793 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
mcp2221_raw_event+0xf94/0x1030 drivers/hid/hid-mcp2221.c:944
__hid_input_report.constprop.0+0x311/0x450 drivers/hid/hid-core.c:2130
hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x1ff/0xad0 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:get_task_policy mm/mempolicy.c:351 [inline]
RIP: 0010:get_task_policy mm/mempolicy.c:339 [inline]
RIP: 0010:get_vma_policy+0x185/0x3c0 mm/mempolicy.c:1974
Code: 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 09 84 d2 74 05 e8 ee 0c 03 00 49 c1 e4 05 31 ff 49 81 c4 20 ba e7 9a 45 0f b7 7c 24 04 <44> 89 fe e8 a3 ac 9c ff 66 45 85 ff 0f 85 9b 01 00 00 49 c7 c4 20
RSP: 0018:ffffc9001d1bf7c8 EFLAGS: 00000282
RAX: 0000000000000005 RBX: ffff888035b62500 RCX: ffffc9000ef70000
RDX: 0000000000000000 RSI: ffffffff821eda0c RDI: 0000000000000000
RBP: ffffc9001d1bf820 R08: 0000000000000005 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9ae7ba20
R13: 0000000000000000 R14: 0000200000446000 R15: 0000000000000001
vma_alloc_folio_noprof+0xcf/0x1e0 mm/mempolicy.c:2469
folio_prealloc mm/memory.c:1061 [inline]
alloc_anon_folio mm/memory.c:4997 [inline]
do_anonymous_page mm/memory.c:5054 [inline]
do_pte_missing+0x2230/0x3ba0 mm/memory.c:4232
handle_pte_fault mm/memory.c:6052 [inline]
__handle_mm_fault+0x152a/0x2a50 mm/memory.c:6195
handle_mm_fault+0x589/0xd10 mm/memory.c:6364
faultin_page mm/gup.c:1144 [inline]
__get_user_pages+0x551/0x34a0 mm/gup.c:1446
populate_vma_page_range+0x267/0x3f0 mm/gup.c:1880
__mm_populate+0x1d8/0x380 mm/gup.c:1983
do_mlock+0x448/0x810 mm/mlock.c:653
__do_sys_mlock mm/mlock.c:661 [inline]
__se_sys_mlock mm/mlock.c:659 [inline]
__x64_sys_mlock+0x59/0x80 mm/mlock.c:659
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc59e98ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc59f83c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000095
RAX: ffffffffffffffda RBX: 00007fc59ebb6180 RCX: 00007fc59e98ebe9
RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000200000000000
RBP: 00007fc59ea11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc59ebb6218 R14: 00007fc59ebb6180 R15: 00007ffe2ccbda98
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f2364935 pfn:0x6f5e7
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 00000007f2364935 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 7687, tgid 7671 (syz.4.338), ts 233267490601, free_ts 258316792268
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab mm/slub.c:2655 [inline]
new_slab+0x247/0x330 mm/slub.c:2709
___slab_alloc+0xcf2/0x1740 mm/slub.c:3891
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3981
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
kmem_cache_alloc_node_noprof+0xf5/0x3b0 mm/slub.c:4281
kmalloc_reserve+0x18b/0x2c0 net/core/skbuff.c:578
__alloc_skb+0x166/0x380 net/core/skbuff.c:669
alloc_skb_fclone include/linux/skbuff.h:1386 [inline]
tcp_stream_alloc_skb+0x34/0x570 net/ipv4/tcp.c:892
tcp_sendmsg_locked+0x12d0/0x42a0 net/ipv4/tcp.c:1198
tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1393
inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg net/socket.c:729 [inline]
__sys_sendto+0x43c/0x520 net/socket.c:2228
__do_sys_sendto net/socket.c:2235 [inline]
__se_sys_sendto net/socket.c:2231 [inline]
__x64_sys_sendto+0xe0/0x1c0 net/socket.c:2231
page last free pid 7959 tgid 7955 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
discard_slab mm/slub.c:2753 [inline]
__put_partials+0x165/0x1c0 mm/slub.c:3218
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x1d4/0x510 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:909 [inline]
kernfs_fop_write_iter+0x237/0x510 fs/kernfs/file.c:311
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x7d0/0x11d0 fs/read_write.c:686
ksys_write+0x12a/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88806f5e7e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88806f5e7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88806f5e7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                ^
ffff88806f5e8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88806f5e8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 02 48 89 add -0x77(%rax),%cl
3: f8 clc
4: 83 e0 07 and $0x7,%eax
7: 83 c0 01 add $0x1,%eax
a: 38 d0 cmp %dl,%al
c: 7c 09 jl 0x17
e: 84 d2 test %dl,%dl
10: 74 05 je 0x17
12: e8 ee 0c 03 00 call 0x30d05
17: 49 c1 e4 05 shl $0x5,%r12
1b: 31 ff xor %edi,%edi
1d: 49 81 c4 20 ba e7 9a add $0xffffffff9ae7ba20,%r12
24: 45 0f b7 7c 24 04 movzwl 0x4(%r12),%r15d
* 2a: 44 89 fe mov %r15d,%esi <-- trapping instruction
2d: e8 a3 ac 9c ff call 0xff9cacd5
32: 66 45 85 ff test %r15w,%r15w
36: 0f 85 9b 01 00 00 jne 0x1d7
3c: 49 rex.WB
3d: c7 .byte 0xc7
3e: c4 .byte 0xc4
3f: 20 .byte 0x20