==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x103c/0x10a0 drivers/hid/hid-mcp2221.c:957
Read of size 1 at addr ffff888147477fff by task syz.0.5167/24652

CPU: 1 UID: 0 PID: 24652 Comm: syz.0.5167 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x13d/0x4b0 mm/kasan/report.c:482
 kasan_report+0xdf/0x1d0 mm/kasan/report.c:595
 mcp2221_raw_event+0x103c/0x10a0 drivers/hid/hid-mcp2221.c:957
 __hid_input_report.constprop.0+0x314/0x460 drivers/hid/hid-core.c:2147
 hid_irq_in+0x52e/0x6b0 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
 dummy_timer+0xda1/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:2005
 __run_hrtimer kernel/time/hrtimer.c:1930 [inline]
 __hrtimer_run_queues+0x470/0xa00 kernel/time/hrtimer.c:1994
 hrtimer_run_softirq+0x17d/0x2c0 kernel/time/hrtimer.c:2011
 handle_softirqs+0x1dd/0x9e0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x160/0x210 kernel/softirq.c:735
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1061
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_is_held_type+0xf5/0x140 kernel/locking/lockdep.c:5945
Code: ff ff ff ff 65 0f c1 15 11 2e 8a 05 83 fa 01 8b 44 24 04 75 2d 9c 5a 80 e6 02 75 47 41 f7 c5 00 02 00 00 74 01 fb 48 83 c4 08 <5b> 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc e9 97 e9 02 00 31 c0
RSP: 0018:ffffc90013e07b00 EFLAGS: 00000296
RAX: 0000000000000000 RBX: ffffffff896de880 RCX: 0000000000000001
RDX: 0000000000000046 RSI: ffffffff890a7745 RDI: ffffffff87b08de0
RBP: ffff88810f6d3b80 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000ffffffff
R13: 0000000000000246 R14: ffffc90013e07d20 R15: ffffc90013e07d18
 lock_is_held include/linux/lockdep.h:249 [inline]
 __might_resched+0x248/0x330 kernel/sched/core.c:9125
 __wait_for_common+0x8f/0x4c0 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:132 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:221
 raw_process_ep_io+0x66d/0xc40 drivers/usb/gadget/legacy/raw_gadget.c:1122
 raw_ioctl_ep_write drivers/usb/gadget/legacy/raw_gadget.c:1153 [inline]
 raw_ioctl+0x25a/0x2b80 drivers/usb/gadget/legacy/raw_gadget.c:1325
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0d7613caeb
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007f0d74b95f60 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f0d7613caeb
RDX: 00007f0d74b95fe0 RSI: 0000000040085507 RDI: 0000000000000003
RBP: 0000000000000003 R08: 00007f0d764e0320 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000200000000140
R13: 0000000000000000 R14: 00007f0d763b5fa0 R15: 00007ffed284c418
 </TASK>

Allocated by task 22593:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:415
 kmalloc_noprof include/linux/slab.h:950 [inline]
 dummy_urb_enqueue+0xa3/0x880 drivers/usb/gadget/udc/dummy_hcd.c:1277
 usb_hcd_submit_urb+0x26c/0x2150 drivers/usb/core/hcd.c:1542
 usb_submit_urb+0x8aa/0x1910 drivers/usb/core/urb.c:586
 xpad_irq_out+0x184/0x310 drivers/input/joystick/xpad.c:1374
 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
 dummy_timer+0xda1/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:2005
 __run_hrtimer kernel/time/hrtimer.c:1930 [inline]
 __hrtimer_run_queues+0x470/0xa00 kernel/time/hrtimer.c:1994
 hrtimer_run_softirq+0x17d/0x2c0 kernel/time/hrtimer.c:2011
 handle_softirqs+0x1dd/0x9e0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x160/0x210 kernel/softirq.c:735
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

Freed by task 2856:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x43/0x70 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2689 [inline]
 slab_free mm/slub.c:6250 [inline]
 kfree+0x204/0x650 mm/slub.c:6565
 dummy_timer+0xd35/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:1999
 __run_hrtimer kernel/time/hrtimer.c:1930 [inline]
 __hrtimer_run_queues+0x470/0xa00 kernel/time/hrtimer.c:1994
 hrtimer_run_softirq+0x17d/0x2c0 kernel/time/hrtimer.c:2011
 handle_softirqs+0x1dd/0x9e0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x160/0x210 kernel/softirq.c:735
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

The buggy address belongs to the object at ffff888147477f00
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 127 bytes to the right of
 allocated 128-byte region [ffff888147477f00, ffff888147477f80)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147477
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff888100041a00 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 22593, tgid 22593 (kworker/0:5), ts 2872810266153, free_ts 2871139624614
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
 prep_new_page mm/page_alloc.c:1866 [inline]
 get_page_from_freelist+0xf34/0x3a90 mm/page_alloc.c:3946
 __alloc_frozen_pages_noprof+0x273/0x28a0 mm/page_alloc.c:5226
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab mm/slub.c:3467 [inline]
 new_slab+0xa6/0x6b0 mm/slub.c:3525
 refill_objects+0x277/0x420 mm/slub.c:7255
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x375/0x650 mm/slub.c:4651
 alloc_from_pcs mm/slub.c:4749 [inline]
 slab_alloc_node mm/slub.c:4883 [inline]
 __kmalloc_cache_noprof+0x52c/0x6b0 mm/slub.c:5414
 kmalloc_noprof include/linux/slab.h:950 [inline]
 dummy_urb_enqueue+0xa3/0x880 drivers/usb/gadget/udc/dummy_hcd.c:1277
 usb_hcd_submit_urb+0x26c/0x2150 drivers/usb/core/hcd.c:1542
 usb_submit_urb+0x8aa/0x1910 drivers/usb/core/urb.c:586
 xpad_irq_out+0x184/0x310 drivers/input/joystick/xpad.c:1374
 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
 dummy_timer+0xda1/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:2005
 __run_hrtimer kernel/time/hrtimer.c:1930 [inline]
 __hrtimer_run_queues+0x470/0xa00 kernel/time/hrtimer.c:1994
 hrtimer_run_softirq+0x17d/0x2c0 kernel/time/hrtimer.c:2011
page last free pid 24607 tgid 24590 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1402 [inline]
 __free_frozen_pages+0x692/0xf10 mm/page_alloc.c:2943
 tlb_batch_list_free mm/mmu_gather.c:161 [inline]
 tlb_finish_mmu+0x27d/0x810 mm/mmu_gather.c:552
 exit_mmap+0x454/0xa10 mm/mmap.c:1313
 __mmput kernel/fork.c:1178 [inline]
 mmput+0xe0/0x430 kernel/fork.c:1201
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x833/0x2a60 kernel/exit.c:963
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1117
 get_signal+0x1ec7/0x21e0 kernel/signal.c:3037
 arch_do_signal_or_restart+0x91/0x7e0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x83/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
 do_syscall_64+0x682/0x7f0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888147477e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888147477f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888147477f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff888147478000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888147478080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	ff 65 0f             	jmp    *0xf(%rbp)
   3:	c1 15 11 2e 8a 05 83 	rcll   $0x83,0x58a2e11(%rip)        # 0x58a2e1b
   a:	fa                   	cli
   b:	01 8b 44 24 04 75    	add    %ecx,0x75042444(%rbx)
  11:	2d 9c 5a 80 e6       	sub    $0xe6805a9c,%eax
  16:	02 75 47             	add    0x47(%rbp),%dh
  19:	41 f7 c5 00 02 00 00 	test   $0x200,%r13d
  20:	74 01                	je     0x23
  22:	fb                   	sti
  23:	48 83 c4 08          	add    $0x8,%rsp
* 27:	5b                   	pop    %rbx <-- trapping instruction
  28:	5d                   	pop    %rbp
  29:	41 5c                	pop    %r12
  2b:	41 5d                	pop    %r13
  2d:	41 5e                	pop    %r14
  2f:	41 5f                	pop    %r15
  31:	c3                   	ret
  32:	cc                   	int3
  33:	cc                   	int3
  34:	cc                   	int3
  35:	cc                   	int3
  36:	e9 97 e9 02 00       	jmp    0x2e9d2
  3b:	31 c0                	xor    %eax,%eax