==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x10b0/0x12a0 drivers/hid/hid-mcp2221.c:964
Read of size 1 at addr ffff888054c73fff by task syz.0.771/7860
CPU: 0 UID: 0 PID: 7860 Comm: syz.0.771 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
mcp2221_raw_event+0x10b0/0x12a0 drivers/hid/hid-mcp2221.c:964
__hid_input_report+0x428/0x590 drivers/hid/hid-core.c:2161
hid_irq_in+0x495/0x710 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1655
dummy_timer+0xbc0/0x4650 drivers/usb/gadget/udc/dummy_hcd.c:2005
__run_hrtimer kernel/time/hrtimer.c:1930 [inline]
__hrtimer_run_queues+0x3c0/0xa20 kernel/time/hrtimer.c:1994
hrtimer_run_softirq+0x17a/0x240 kernel/time/hrtimer.c:2011
handle_softirqs+0x22a/0x840 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xca/0x220 kernel/softirq.c:735
irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__schedule+0x187f/0x5740 kernel/sched/core.c:7197
Code: 04 30 00 00 00 00 4a c7 44 30 08 00 00 00 00 65 48 8b 05 04 ea 8f 07 48 3b 84 24 c0 01 00 00 0f 85 b1 07 00 00 48 8d 65 d8 5b <41> 5c 41 5d 41 5e 41 5f 5d e9 ce ea 67 f5 cc 49 8d bd 38 06 00 00
RSP: 0018:ffffc9000459fa90 EFLAGS: 00000246
RAX: cab570628cbd7b00 RBX: ffffffff81338b46 RCX: 0000000080000002
RDX: 0000000000000000 RSI: ffffffff8c28b8c0 RDI: ffffffff8c28b880
RBP: ffffc9000459fab0 R08: ffffffff90302af7 R09: 1ffffffff206055e
R10: dffffc0000000000 R11: fffffbfff206055f R12: ffff888027b21f00
R13: ffff8880277a8000 R14: dffffc0000000000 R15: ffff888027b23510
preempt_schedule_common+0x82/0xd0 kernel/sched/core.c:7370
preempt_schedule_thunk+0x16/0x30 arch/x86/entry/thunk.S:12
class_preempt_destructor include/linux/preempt.h:468 [inline]
try_to_wake_up+0x828/0x1380 kernel/sched/core.c:4309
wake_up_process kernel/sched/core.c:4434 [inline]
wake_up_q+0x85/0xd0 kernel/sched/core.c:1158
futex_wake+0x49a/0x580 kernel/futex/waitwake.c:198
do_futex+0x395/0x420 kernel/futex/syscalls.c:135
__do_sys_futex kernel/futex/syscalls.c:207 [inline]
__se_sys_futex+0x3a8/0x450 kernel/futex/syscalls.c:188
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4761f9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd4ef9c528 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4761f9ce59
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f4762215fa8
RBP: 0000000000001e4a R08: 000000000000001b R09: 0000000000000000
R10: 00007f4762215fa0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4762215fac R14: 00007f4762215fa8 R15: 00007f4762215fa0
Allocated by task 5627:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5296 [inline]
__kmalloc_noprof+0x35c/0x760 mm/slub.c:5308
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155
ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3831
ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3960
addrconf_add_mroute+0x2d1/0x370 net/ipv6/addrconf.c:2552
addrconf_add_dev net/ipv6/addrconf.c:2570 [inline]
addrconf_dev_config net/ipv6/addrconf.c:3484 [inline]
addrconf_init_auto_addrs+0x4d7/0xa50 net/ipv6/addrconf.c:3572
addrconf_notify+0xb1e/0x1050 net/ipv6/addrconf.c:3752
notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
call_netdevice_notifiers net/core/dev.c:2301 [inline]
__dev_notify_flags+0x1a9/0x310 net/core/dev.c:9797
netif_change_flags+0xe8/0x1a0 net/core/dev.c:9826
do_setlink+0xfa5/0x45a0 net/core/rtnetlink.c:3181
rtnl_changelink net/core/rtnetlink.c:3800 [inline]
__rtnl_newlink net/core/rtnetlink.c:3973 [inline]
rtnl_newlink+0x15ad/0x1bb0 net/core/rtnetlink.c:4110
rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6997
netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2555
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x75c/0x8e0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1899
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
__sys_sendto+0x672/0x710 net/socket.c:2265
__do_sys_sendto net/socket.c:2272 [inline]
__se_sys_sendto net/socket.c:2268 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2268
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888054c73c00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 719 bytes to the right of
allocated 304-byte region [ffff888054c73c00, ffff888054c73d30)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x54c70
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fe17c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813fe17c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5631, tgid 5631 (syz-executor), ts 88965926304, free_ts 25443579589
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
prep_new_page mm/page_alloc.c:1861 [inline]
get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x339/0x3d0 mm/slub.c:7272
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652
alloc_from_pcs mm/slub.c:4750 [inline]
slab_alloc_node mm/slub.c:4884 [inline]
__do_kmalloc_node mm/slub.c:5295 [inline]
__kmalloc_noprof+0x474/0x760 mm/slub.c:5308
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155
ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3831
ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3960
addrconf_prefix_route+0x3a2/0x480 net/ipv6/addrconf.c:2488
fixup_permanent_addr net/ipv6/addrconf.c:3603 [inline]
addrconf_permanent_addr+0x70b/0xa20 net/ipv6/addrconf.c:3639
addrconf_notify+0x864/0x1050 net/ipv6/addrconf.c:3706
notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
call_netdevice_notifiers net/core/dev.c:2301 [inline]
__dev_notify_flags+0x1a9/0x310 net/core/dev.c:9797
netif_change_flags+0xe8/0x1a0 net/core/dev.c:9826
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1397 [inline]
__free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938
__free_pages mm/page_alloc.c:5340 [inline]
free_contig_range+0xb7/0x100 mm/page_alloc.c:7308
destroy_args+0x4e5/0x570 mm/debug_vm_pgtable.c:993
debug_vm_pgtable+0x3f8/0x410 mm/debug_vm_pgtable.c:1368
do_one_initcall+0x250/0x870 init/main.c:1392
do_initcall_level+0x104/0x190 init/main.c:1454
do_initcalls+0x59/0xa0 init/main.c:1470
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1703
kernel_init+0x1d/0x1d0 init/main.c:1593
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff888054c73e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888054c73f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888054c73f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888054c74000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888054c74080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
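Added example, not part of the syzbot report or of the kernel sources: a small userspace C program that reproduces the arithmetic KASAN performs when it prints "The buggy address is located N bytes to the right of allocated M-byte region" and the shadow-byte lookup behind the "Memory state around the buggy address" dump, using the addresses from this report as constants. It mirrors the left / inside / right classification of describe_object_addr() in mm/kasan/report.c; the names classify_access, beyond_slot, shadow_byte_for and describe_shadow are this example's own. One caveat it makes explicit: the "object" KASAN names is only the nearest slab object to the bad address. Here the read at ffff888054c73fff lies 511 bytes past the end of even the 512-byte kmalloc-512 slot that starts at ffff888054c73c00, in redzone (fc) shadow, so the fib6_info allocation stack identifies the neighbour, not a buffer the HID driver was handed.

```c
/*
 * Userspace re-implementation of the address classification and shadow
 * lookup that KASAN prints in a slab-out-of-bounds report. Not kernel code.
 * Constants are copied from the report above.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ACCESS_ADDR  0xffff888054c73fffULL  /* "Read of size 1 at addr ..."       */
#define OBJECT_ADDR  0xffff888054c73c00ULL  /* "belongs to the object at ..."     */
#define OBJECT_SIZE  304u                   /* "allocated 304-byte region"        */
#define CACHE_SIZE   512u                   /* "cache kmalloc-512 of size 512"    */
#define KASAN_GRANULE 8                     /* one shadow byte covers 8 bytes     */

enum rel { REL_LEFT, REL_INSIDE, REL_RIGHT };
static const char *rel_name[] = { "to the left of", "inside", "to the right of" };

struct placement { enum rel rel; uint64_t bytes; };

/* Same rules as describe_object_addr() in mm/kasan/report.c. */
static struct placement classify_access(uint64_t access, uint64_t obj, size_t size)
{
	struct placement p;
	if (access < obj) {
		p.rel = REL_LEFT;   p.bytes = obj - access;
	} else if (access >= obj + size) {
		p.rel = REL_RIGHT;  p.bytes = access - (obj + size);
	} else {
		p.rel = REL_INSIDE; p.bytes = access - obj;
	}
	return p;
}

/* Signed distance from the access to the end of the object's nominal slot
 * (the cache's object size; KASAN adds its own redzone after each object, so
 * the real stride in the slab is larger). Positive: past the whole slot. */
static int64_t beyond_slot(uint64_t access, uint64_t obj, size_t cache_size)
{
	return (int64_t)(access - (obj + cache_size));
}

/* One row of the "Memory state" dump: 16 shadow bytes = 128 bytes of memory. */
struct shadow_row { uint64_t base; unsigned char shadow[16]; };

/* Shadow byte covering addr, or -1 when no dumped row covers it. */
static int shadow_byte_for(const struct shadow_row *rows, size_t nrows, uint64_t addr)
{
	for (size_t i = 0; i < nrows; i++) {
		uint64_t end = rows[i].base + 16 * KASAN_GRANULE;
		if (addr >= rows[i].base && addr < end)
			return rows[i].shadow[(addr - rows[i].base) / KASAN_GRANULE];
	}
	return -1;
}

/* Generic-KASAN shadow values as listed in the report legend. */
static const char *describe_shadow(int sb)
{
	if (sb == 0x00)                 return "addressable";
	if (sb >= 0x01 && sb <= 0x07)   return "partially addressable (first N bytes)";
	if (sb == 0xfc)                 return "slab redzone";
	if (sb == 0xfb)                 return "freed slab object";
	if (sb == 0xfe)                 return "kmalloc_large redzone";
	if (sb == 0xff)                 return "freed page";
	return "other poison / not dumped";
}

#define R16(x) { x,x,x,x, x,x,x,x, x,x,x,x, x,x,x,x }
/* The three dumped rows around the access, transcribed from the report. */
static const struct shadow_row report_rows[] = {
	{ 0xffff888054c73f00ULL, R16(0xfc) },
	{ 0xffff888054c73f80ULL, R16(0xfc) },  /* row marked with '>' in the report */
	{ 0xffff888054c74000ULL, R16(0x00) },
};
#define NROWS (sizeof(report_rows) / sizeof(report_rows[0]))

int main(void)
{
	struct placement p = classify_access(ACCESS_ADDR, OBJECT_ADDR, OBJECT_SIZE);
	int sb = shadow_byte_for(report_rows, NROWS, ACCESS_ADDR);

	printf("The buggy address is located %llu bytes %s allocated %u-byte region [%llx, %llx)\n",
	       (unsigned long long)p.bytes, rel_name[p.rel], OBJECT_SIZE,
	       (unsigned long long)OBJECT_ADDR, (unsigned long long)(OBJECT_ADDR + OBJECT_SIZE));
	printf("access is %lld bytes past the end of the %u-byte kmalloc-%u slot\n",
	       (long long)beyond_slot(ACCESS_ADDR, OBJECT_ADDR, CACHE_SIZE), CACHE_SIZE, CACHE_SIZE);
	printf("shadow byte at access: 0x%02x (%s)\n", sb, describe_shadow(sb));
	return 0;
}
```

Build with cc -std=c11 -Wall and run; the first line of output reproduces the report's own wording, and the other two make the point the report leaves implicit: the read is beyond the whole slot and lands in redzone shadow, so the allocation stack is that of the neighbouring object, not of the buffer the driver meant to read.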
----------------
Code disassembly (best guess):
0: 04 30 add $0x30,%al
2: 00 00 add %al,(%rax)
4: 00 00 add %al,(%rax)
6: 4a c7 44 30 08 00 00 movq $0x0,0x8(%rax,%r14,1)
d: 00 00
f: 65 48 8b 05 04 ea 8f mov %gs:0x78fea04(%rip),%rax # 0x78fea1b
16: 07
17: 48 3b 84 24 c0 01 00 cmp 0x1c0(%rsp),%rax
1e: 00
1f: 0f 85 b1 07 00 00 jne 0x7d6
25: 48 8d 65 d8 lea -0x28(%rbp),%rsp
29: 5b pop %rbx
* 2a: 41 5c pop %r12 <-- trapping instruction
2c: 41 5d pop %r13
2e: 41 5e pop %r14
30: 41 5f pop %r15
32: 5d pop %rbp
33: e9 ce ea 67 f5 jmp 0xf567eb06
38: cc int3
39: 49 8d bd 38 06 00 00 lea 0x638(%r13),%rdi