==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0xfc1/0x1180 drivers/hid/hid-mcp2221.c:830
Read of size 1 at addr ffff88807c347fff by task kdevtmpfs/25
CPU: 0 PID: 25 Comm: kdevtmpfs Not tainted 6.6.95-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xac/0x230 mm/kasan/report.c:475
kasan_report+0x117/0x150 mm/kasan/report.c:588
mcp2221_raw_event+0xfc1/0x1180 drivers/hid/hid-mcp2221.c:830
hid_input_report+0x400/0x520 drivers/hid/hid-core.c:2086
hid_irq_in+0x479/0x6d0 drivers/hid/usbhid/hid-core.c:284
__usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1650
dummy_timer+0x8a3/0x31b0 drivers/usb/gadget/udc/dummy_hcd.c:1993
__run_hrtimer kernel/time/hrtimer.c:1755 [inline]
__hrtimer_run_queues+0x51e/0xc40 kernel/time/hrtimer.c:1819
hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1836
handle_softirqs+0x280/0x820 kernel/softirq.c:578
__do_softirq kernel/softirq.c:612 [inline]
invoke_softirq kernel/softirq.c:452 [inline]
__irq_exit_rcu+0xc7/0x190 kernel/softirq.c:661
irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:strlen+0x2e/0x70 lib/string.c:425
Code: 41 57 41 56 41 54 53 48 c7 c0 ff ff ff ff 49 be 00 00 00 00 00 fc ff df 48 89 fb 49 89 c7 48 89 d8 48 c1 e8 03 42 0f b6 04 30 <84> c0 75 11 48 ff c3 49 8d 47 01 42 80 7c 3f 01 00 75 de eb 19 89
RSP: 0018:ffffc90000a0fb38 EFLAGS: 00000a06
RAX: 0000000000000006 RBX: ffff8880755ef438 RCX: ffff88801d668000
RDX: 0000000000000000 RSI: ffff8880755ef438 RDI: ffff8880755ef438
RBP: 00000000ffffff9c R08: ffffc90000a0fdff R09: 0000000000000000
R10: ffffc90000a0fdf0 R11: fffff52000141fc0 R12: ffff8880755ef438
R13: dffffc0000000000 R14: dffffc0000000000 R15: ffffffffffffffff
__fortify_strlen include/linux/fortify-string.h:228 [inline]
getname_kernel+0x28/0x2f0 fs/namei.c:226
kern_path_create+0x21/0x50 fs/namei.c:3922
handle_create drivers/base/devtmpfs.c:211 [inline]
handle drivers/base/devtmpfs.c:384 [inline]
devtmpfs_work_loop+0x1e7/0xd00 drivers/base/devtmpfs.c:399
devtmpfsd+0x48/0x50 drivers/base/devtmpfs.c:441
kthread+0x2fa/0x390 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
Allocated by task 5977:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc+0xb4/0x240 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_check_open_permission+0x1c3/0x3c0 security/tomoyo/file.c:771
security_file_open+0x62/0xa0 security/security.c:2854
do_dentry_open+0x380/0x1500 fs/open.c:916
do_open fs/namei.c:3632 [inline]
path_openat+0x274b/0x3190 fs/namei.c:3789
do_filp_open+0x1c5/0x3d0 fs/namei.c:3816
do_sys_openat2+0x12c/0x1c0 fs/open.c:1419
do_sys_open fs/open.c:1434 [inline]
__do_sys_openat fs/open.c:1450 [inline]
__se_sys_openat fs/open.c:1445 [inline]
__x64_sys_openat+0x139/0x160 fs/open.c:1445
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Freed by task 5977:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:522
____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1806 [inline]
slab_free_freelist_hook+0x130/0x1b0 mm/slub.c:1832
slab_free mm/slub.c:3816 [inline]
__kmem_cache_free+0xba/0x1f0 mm/slub.c:3829
tomoyo_realpath_from_path+0x59d/0x5d0 security/tomoyo/realpath.c:286
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_check_open_permission+0x1c3/0x3c0 security/tomoyo/file.c:771
security_file_open+0x62/0xa0 security/security.c:2854
do_dentry_open+0x380/0x1500 fs/open.c:916
do_open fs/namei.c:3632 [inline]
path_openat+0x274b/0x3190 fs/namei.c:3789
do_filp_open+0x1c5/0x3d0 fs/namei.c:3816
do_sys_openat2+0x12c/0x1c0 fs/open.c:1419
do_sys_open fs/open.c:1434 [inline]
__do_sys_openat fs/open.c:1450 [inline]
__se_sys_openat fs/open.c:1445 [inline]
__x64_sys_openat+0x139/0x160 fs/open.c:1445
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff88807c346000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 4095 bytes to the right of
allocated 4096-byte region [ffff88807c346000, ffff88807c347000)
The buggy address belongs to the physical page:
page:ffffea0001f0d000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c340
head:ffffea0001f0d000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888017842140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5977, tgid 5977 (udevd), ts 111818495060, free_ts 111781836028
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
prep_new_page mm/page_alloc.c:1561 [inline]
get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
__alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
alloc_slab_page+0x5d/0x170 mm/slub.c:1876
allocate_slab mm/slub.c:2023 [inline]
new_slab+0x87/0x2e0 mm/slub.c:2076
___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230
__slab_alloc mm/slub.c:3329 [inline]
__slab_alloc_node mm/slub.c:3382 [inline]
slab_alloc_node mm/slub.c:3475 [inline]
__kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc+0xa4/0x240 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x20f/0x4b0 security/tomoyo/file.c:822
tomoyo_path_symlink+0xa4/0xe0 security/tomoyo/tomoyo.c:211
security_path_symlink+0xe0/0x130 security/security.c:1786
do_symlinkat+0x108/0x3f0 fs/namei.c:4497
__do_sys_symlink fs/namei.c:4520 [inline]
__se_sys_symlink fs/namei.c:4518 [inline]
__x64_sys_symlink+0x7e/0x90 fs/namei.c:4518
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1154 [inline]
free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336
free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429
discard_slab mm/slub.c:2122 [inline]
__unfreeze_partials+0x1cf/0x210 mm/slub.c:2662
put_cpu_partial+0x17c/0x250 mm/slub.c:2738
__slab_free+0x31d/0x410 mm/slub.c:3686
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x143/0x160 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x6e/0x4d0 mm/slab.h:767
slab_alloc_node mm/slub.c:3485 [inline]
slab_alloc mm/slub.c:3493 [inline]
__kmem_cache_alloc_lru mm/slub.c:3500 [inline]
kmem_cache_alloc+0x11e/0x2e0 mm/slub.c:3509
ptlock_alloc+0x20/0x70 mm/memory.c:6155
ptlock_init include/linux/mm.h:2893 [inline]
pagetable_pte_ctor include/linux/mm.h:2916 [inline]
__pte_alloc_one include/asm-generic/pgalloc.h:71 [inline]
pte_alloc_one+0xce/0x540 arch/x86/mm/pgtable.c:33
__pte_alloc+0x22/0x2a0 mm/memory.c:437
copy_pte_range mm/memory.c:1028 [inline]
copy_pmd_range mm/memory.c:1167 [inline]
copy_pud_range mm/memory.c:1204 [inline]
copy_p4d_range mm/memory.c:1228 [inline]
copy_page_range+0x2d72/0x3600 mm/memory.c:1322
dup_mmap kernel/fork.c:764 [inline]
dup_mm kernel/fork.c:1692 [inline]
copy_mm+0x1124/0x1c20 kernel/fork.c:1741
copy_process+0x16d3/0x3d70 kernel/fork.c:2506
Memory state around the buggy address:
ffff88807c347e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807c347f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807c347f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88807c348000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807c348080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 41 57 push %r15
2: 41 56 push %r14
4: 41 54 push %r12
6: 53 push %rbx
7: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
e: 49 be 00 00 00 00 00 movabs $0xdffffc0000000000,%r14
15: fc ff df
18: 48 89 fb mov %rdi,%rbx
1b: 49 89 c7 mov %rax,%r15
1e: 48 89 d8 mov %rbx,%rax
21: 48 c1 e8 03 shr $0x3,%rax
25: 42 0f b6 04 30 movzbl (%rax,%r14,1),%eax
* 2a: 84 c0 test %al,%al <-- trapping instruction
2c: 75 11 jne 0x3f
2e: 48 ff c3 inc %rbx
31: 49 8d 47 01 lea 0x1(%r15),%rax
35: 42 80 7c 3f 01 00 cmpb $0x0,0x1(%rdi,%r15,1)
3b: 75 de jne 0x1b
3d: eb 19 jmp 0x58
3f: 89 .byte 0x89