==================================================================
BUG: KASAN: use-after-free in mcp2221_raw_event+0x103c/0x10a0 drivers/hid/hid-mcp2221.c:950
Read of size 1 at addr ffff888121283fff by task syz.3.1003/8741
CPU: 0 UID: 0 PID: 8741 Comm: syz.3.1003 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x156/0x4c9 mm/kasan/report.c:482
kasan_report+0xdf/0x1e0 mm/kasan/report.c:595
mcp2221_raw_event+0x103c/0x10a0 drivers/hid/hid-mcp2221.c:950
__hid_input_report.constprop.0+0x314/0x460 drivers/hid/hid-core.c:2139
hid_irq_in+0x52e/0x6b0 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_release+0x19e/0x320 kernel/locking/lockdep.c:5893
Code: ff 65 0f c1 05 6b 21 64 0b 83 f8 01 0f 85 3d 01 00 00 9c 58 f6 c4 02 0f 85 28 01 00 00 41 f7 c6 00 02 00 00 0f 85 de 00 00 00 <48> 8b 44 24 10 65 48 2b 05 1d dd 63 0b 0f 85 63 01 00 00 48 83 c4
RSP: 0018:ffffc90015affd38 EFLAGS: 00000206
RAX: 0000000000000046 RBX: ffff8881212fa740 RCX: ffffc90015affd44
RDX: 0000000000000000 RSI: ffffffff88fef29e RDI: ffffffff87afc6a0
RBP: ffffffff81fec705 R08: 0000000000000001 R09: 00000000000001a0
R10: 0000000000000200 R11: 0000000000000000 R12: ffff888113bb1d80
R13: ffffffff81fec705 R14: 0000000000000283 R15: 0000000000000001
__might_fault+0x10c/0x140 mm/memory.c:7218
_inline_copy_from_user include/linux/uaccess.h:169 [inline]
_copy_from_user+0x29/0xd0 lib/usercopy.c:18
copy_from_user include/linux/uaccess.h:223 [inline]
get_timespec64+0x8d/0x240 kernel/time/time.c:873
__do_sys_clock_nanosleep kernel/time/posix-timers.c:1380 [inline]
__se_sys_clock_nanosleep kernel/time/posix-timers.c:1368 [inline]
__x64_sys_clock_nanosleep+0x1ce/0x480 kernel/time/posix-timers.c:1368
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f99b69ed04e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f99b5485f38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 00007f99b54876c0 RCX: 00007f99b69ed04e
RDX: 00007f99b5485f90 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000140
R13: 0000000000000000 R14: 00007f99b6ca5fa0 R15: 00007ffd5a47c758
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121283
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x440dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_COMP), pid 8327, tgid 8327 (v4l_id), ts 591457772058, free_ts 591897094944
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
prep_new_page mm/page_alloc.c:1897 [inline]
get_page_from_freelist+0xf10/0x39f0 mm/page_alloc.c:3962
__alloc_frozen_pages_noprof+0x273/0x2860 mm/page_alloc.c:5250
alloc_pages_mpol+0xe8/0x410 mm/mempolicy.c:2484
alloc_frozen_pages_noprof mm/mempolicy.c:2555 [inline]
alloc_pages_noprof+0x131/0x390 mm/mempolicy.c:2575
pagetable_alloc_noprof include/linux/mm.h:3404 [inline]
pmd_alloc_one_noprof include/asm-generic/pgalloc.h:143 [inline]
__pmd_alloc+0x3b/0x8d0 mm/memory.c:6710
pmd_alloc include/linux/mm.h:3320 [inline]
__handle_mm_fault+0xe86/0x2d60 mm/memory.c:6407
handle_mm_fault+0x36d/0xa20 mm/memory.c:6624
do_user_addr_fault+0x74c/0x11d0 arch/x86/mm/fault.c:1385
handle_page_fault arch/x86/mm/fault.c:1474 [inline]
exc_page_fault+0x66/0xc0 arch/x86/mm/fault.c:1527
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 5221 tgid 5221 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1433 [inline]
__free_frozen_pages+0x7b1/0xfb0 mm/page_alloc.c:2978
__pagetable_free include/linux/mm.h:3414 [inline]
pagetable_free include/linux/mm.h:3438 [inline]
pagetable_dtor_free include/linux/mm.h:3537 [inline]
__tlb_remove_table include/asm-generic/tlb.h:221 [inline]
__tlb_remove_table_free mm/mmu_gather.c:228 [inline]
tlb_remove_table_rcu+0x2cf/0x380 mm/mmu_gather.c:291
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x5a2/0x10d0 kernel/rcu/tree.c:2869
handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
Memory state around the buggy address:
ffff888121283e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888121283f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888121283f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                ^
ffff888121284000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888121284080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: ff 65 0f jmp *0xf(%rbp)
3: c1 05 6b 21 64 0b 83 roll $0x83,0xb64216b(%rip) # 0xb642175
a: f8 clc
b: 01 0f add %ecx,(%rdi)
d: 85 3d 01 00 00 9c test %edi,-0x63ffffff(%rip) # 0x9c000014
13: 58 pop %rax
14: f6 c4 02 test $0x2,%ah
17: 0f 85 28 01 00 00 jne 0x145
1d: 41 f7 c6 00 02 00 00 test $0x200,%r14d
24: 0f 85 de 00 00 00 jne 0x108
* 2a: 48 8b 44 24 10 mov 0x10(%rsp),%rax <-- trapping instruction
2f: 65 48 2b 05 1d dd 63 sub %gs:0xb63dd1d(%rip),%rax # 0xb63dd54
36: 0b
37: 0f 85 63 01 00 00 jne 0x1a0
3d: 48 rex.W
3e: 83 .byte 0x83
3f: c4 .byte 0xc4