==================================================================
BUG: KASAN: null-ptr-deref in mcp2221_raw_event+0xc1f/0x1030 drivers/hid/hid-mcp2221.c:820
Write of size 6 at addr 0000000000000000 by task syz.0.2882/15094

CPU: 0 UID: 0 PID: 15094 Comm: syz.0.2882 Not tainted 6.16.0-rc2-syzkaller-00047-geb90d36bfa06 #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189
 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
 mcp2221_raw_event+0xc1f/0x1030 drivers/hid/hid-mcp2221.c:820
 __hid_input_report.constprop.0+0x311/0x450 drivers/hid/hid-core.c:2117
 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x38d/0x6e0 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x180e/0x3a20 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
 handle_softirqs+0x205/0x8d0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:is_idle_task include/linux/sched.h:1933 [inline]
RIP: 0010:__might_resched+0x3e4/0x5e0 kernel/sched/core.c:8765
Code: 00 e8 90 b2 d5 05 31 f6 bf 09 00 00 00 e8 34 70 f2 ff e9 3a fd ff ff 9c 58 f6 c4 02 0f 84 f3 fc ff ff 65 4c 8b 35 14 81 1d 0b <48> b8 00 00 00 00 00 fc ff df 49 8d 7e 2c 48 89 fa 48 c1 ea 03 0f
RSP: 0018:ffffc9000198fd10 EFLAGS: 00000202
RAX: 0000000000000246 RBX: 1ffff92000331fa4 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff88ae30c6 RDI: ffff888139373dfc
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8768c7e0
R13: 00000000000000a2 R14: ffff888139373a00 R15: ffff888139373a00
 __might_fault+0x83/0x190 mm/memory.c:6989
 _inline_copy_from_user include/linux/uaccess.h:162 [inline]
 _copy_from_user+0x29/0xd0 lib/usercopy.c:18
 copy_from_user include/linux/uaccess.h:212 [inline]
 get_timespec64+0x8b/0x240 kernel/time/time.c:877
 __do_sys_clock_nanosleep kernel/time/posix-timers.c:1388 [inline]
 __se_sys_clock_nanosleep kernel/time/posix-timers.c:1376 [inline]
 __x64_sys_clock_nanosleep+0x1ce/0x4a0 kernel/time/posix-timers.c:1376
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd01bfe11e5
Code: 24 0c 89 3c 24 48 89 4c 24 18 e8 f6 54 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 8b 74 24 0c 8b 3c 24 b8 e6 00 00 00 0f 05 <44> 89 c7 48 89 04 24 e8 4f 55 ff ff 48 8b 04 24 48 83 c4 28 f7 d8
RSP: 002b:00007fff67888b00 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 00007fd01c1d5fa0 RCX: 00007fd01bfe11e5
RDX: 00007fff67888b40 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fd01c1d7ba0 R08: 0000000000000000 R09: 00007fd01c1a8000
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000016f7e8
R13: 00007fd01c1d6080 R14: ffffffffffffffff R15: 00007fff67888c80
 </TASK>
==================================================================
----------------
Code disassembly (best guess):
   0:	00 e8                	add    %ch,%al
   2:	90                   	nop
   3:	b2 d5                	mov    $0xd5,%dl
   5:	05 31 f6 bf 09       	add    $0x9bff631,%eax
   a:	00 00                	add    %al,(%rax)
   c:	00 e8                	add    %ch,%al
   e:	34 70                	xor    $0x70,%al
  10:	f2 ff                	repnz (bad)
  12:	e9 3a fd ff ff       	jmp    0xfffffd51
  17:	9c                   	pushf
  18:	58                   	pop    %rax
  19:	f6 c4 02             	test   $0x2,%ah
  1c:	0f 84 f3 fc ff ff    	je     0xfffffd15
  22:	65 4c 8b 35 14 81 1d 	mov    %gs:0xb1d8114(%rip),%r14        # 0xb1d813e
  29:	0b
* 2a:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax <-- trapping instruction
  31:	fc ff df
  34:	49 8d 7e 2c          	lea    0x2c(%r14),%rdi
  38:	48 89 fa             	mov    %rdi,%rdx
  3b:	48 c1 ea 03          	shr    $0x3,%rdx
  3f:	0f                   	.byte 0xf