==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x1070/0x10a0 drivers/hid/hid-mcp2221.c:948
Read of size 1 at addr ffff88805226ffff by task syz.3.494/7790
CPU: 1 UID: 0 PID: 7790 Comm: syz.3.494 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
mcp2221_raw_event+0x1070/0x10a0 drivers/hid/hid-mcp2221.c:948
__hid_input_report.constprop.0+0x314/0x450 drivers/hid/hid-core.c:2139
hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
dummy_timer+0x1809/0x3a00 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1777 [inline]
__hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1841
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1858
handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1052
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:finish_task_switch.isra.0+0x22a/0xc10 kernel/sched/core.c:5193
Code: fb 09 00 00 44 8b 05 49 36 f8 0e 45 85 c0 0f 85 be 01 00 00 4c 89 e7 e8 a4 f6 ff ff e8 bf d3 3a 00 fb 65 48 8b 1d ee 99 17 12 <48> 8d bb 58 16 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
RSP: 0018:ffffc9001b7ef4a8 EFLAGS: 00000206
RAX: 000000000000b70f RBX: ffff888073d3a480 RCX: ffffffff81c4e8df
RDX: 0000000000000000 RSI: ffffffff8da2c9e6 RDI: ffffffff8bf073c0
RBP: ffffc9001b7ef4f0 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff90821bd7 R11: 0000000000000001 R12: ffff8880b853a380
R13: ffff88802784a480 R14: ffff8880b843a380 R15: ffff8880b853b1b0
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0x1198/0x5de0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:7026
schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75
unix_wait_for_peer+0x24e/0x280 net/unix/af_unix.c:1639
unix_dgram_sendmsg+0x1419/0x17f0 net/unix/af_unix.c:2273
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmmsg+0x200/0x420 net/socket.c:2773
__do_sys_sendmmsg net/socket.c:2800 [inline]
__se_sys_sendmmsg net/socket.c:2797 [inline]
__x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2797
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f732bd8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f732cb75038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f732bfe5fa0 RCX: 00007f732bd8f749
RDX: 0000000000000651 RSI: 0000200000000000 RDI: 0000000000000008
RBP: 00007f732be13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f732bfe6038 R14: 00007f732bfe5fa0 R15: 00007fff4090db58
Allocated by task 7582:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
unpoison_slab_object mm/kasan/common.c:342 [inline]
__kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:368
kasan_slab_alloc include/linux/kasan.h:252 [inline]
slab_post_alloc_hook mm/slub.c:4978 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_node_noprof+0x28a/0x770 mm/slub.c:5340
kmalloc_reserve+0x18b/0x2c0 net/core/skbuff.c:579
__alloc_skb+0x166/0x380 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1383 [inline]
__ip_append_data+0x30b3/0x41a0 net/ipv4/ip_output.c:1133
ip_append_data net/ipv4/ip_output.c:1378 [inline]
ip_append_data+0x10f/0x1a0 net/ipv4/ip_output.c:1357
raw_sendmsg+0xeee/0x38b0 net/ipv4/raw.c:651
inet_sendmsg+0x11c/0x140 net/ipv4/af_inet.c:853
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0x973/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmmsg+0x200/0x420 net/socket.c:2773
__do_sys_sendmmsg net/socket.c:2800 [inline]
__se_sys_sendmmsg net/socket.c:2797 [inline]
__x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2797
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 7582:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
__kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2543 [inline]
slab_free mm/slub.c:6642 [inline]
kmem_cache_free+0x2d4/0x6c0 mm/slub.c:6752
skb_kfree_head net/core/skbuff.c:1046 [inline]
skb_kfree_head net/core/skbuff.c:1043 [inline]
skb_free_head+0x1b7/0x210 net/core/skbuff.c:1060
skb_release_data+0x795/0x9e0 net/core/skbuff.c:1087
skb_release_all net/core/skbuff.c:1152 [inline]
__kfree_skb net/core/skbuff.c:1166 [inline]
sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1204
kfree_skb_reason include/linux/skbuff.h:1322 [inline]
ip_protocol_deliver_rcu+0x213/0x4c0 net/ipv4/ip_input.c:219
ip_local_deliver_finish+0x3f2/0x720 net/ipv4/ip_input.c:239
NF_HOOK include/linux/netfilter.h:318 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:260
dst_input include/net/dst.h:474 [inline]
ip_rcv_finish net/ipv4/ip_input.c:453 [inline]
NF_HOOK include/linux/netfilter.h:318 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ip_rcv+0x2e0/0x600 net/ipv4/ip_input.c:573
__netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:6079
__netif_receive_skb+0x1d/0x160 net/core/dev.c:6192
process_backlog+0x439/0x15e0 net/core/dev.c:6544
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7594
napi_poll net/core/dev.c:7657 [inline]
net_rx_action+0x97f/0xef0 net/core/dev.c:7784
handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
do_softirq kernel/softirq.c:523 [inline]
do_softirq+0xb2/0xf0 kernel/softirq.c:510
__local_bh_enable_ip+0x100/0x120 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:936 [inline]
__dev_queue_xmit+0xb06/0x4490 net/core/dev.c:4790
dev_queue_xmit include/linux/netdevice.h:3365 [inline]
neigh_hh_output include/net/neighbour.h:531 [inline]
neigh_output include/net/neighbour.h:545 [inline]
ip_finish_output2+0xc38/0x21a0 net/ipv4/ip_output.c:237
__ip_finish_output.part.0+0x1b4/0x350 net/ipv4/ip_output.c:315
__ip_finish_output net/ipv4/ip_output.c:303 [inline]
ip_finish_output net/ipv4/ip_output.c:325 [inline]
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip_output+0x35f/0xa90 net/ipv4/ip_output.c:438
dst_output include/net/dst.h:464 [inline]
ip_local_out net/ipv4/ip_output.c:131 [inline]
ip_send_skb net/ipv4/ip_output.c:1508 [inline]
ip_push_pending_frames+0x30e/0x5d0 net/ipv4/ip_output.c:1528
raw_sendmsg+0x144e/0x38b0 net/ipv4/raw.c:657
inet_sendmsg+0x11c/0x140 net/ipv4/af_inet.c:853
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0x973/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmmsg+0x200/0x420 net/socket.c:2773
__do_sys_sendmmsg net/socket.c:2800 [inline]
__se_sys_sendmmsg net/socket.c:2797 [inline]
__x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2797
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88805226fa80
which belongs to the cache skbuff_small_head of size 704
The buggy address is located 703 bytes to the right of
allocated 704-byte region [ffff88805226fa80, ffff88805226fd40)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5226c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801e6c9b40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801e6c9b40 dead000000000122 0000000000000000
head: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0001489b01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 00 00 add %al,(%rax)
2: 44 8b 05 49 36 f8 0e mov 0xef83649(%rip),%r8d # 0xef83652
9: 45 85 c0 test %r8d,%r8d
c: 0f 85 be 01 00 00 jne 0x1d0
12: 4c 89 e7 mov %r12,%rdi
15: e8 a4 f6 ff ff call 0xfffff6be
1a: e8 bf d3 3a 00 call 0x3ad3de
1f: fb sti
20: 65 48 8b 1d ee 99 17 mov %gs:0x121799ee(%rip),%rbx # 0x12179a16
27: 12
* 28: 48 8d bb 58 16 00 00 lea 0x1658(%rbx),%rdi <-- trapping instruction
2f: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
36: fc ff df
39: 48 89 fa mov %rdi,%rdx
3c: 48 rex.W
3d: c1 .byte 0xc1