==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x101c/0x1090 drivers/hid/hid-mcp2221.c:964
Read of size 1 at addr ffff888106ff3fff by task klogd/2844
CPU: 1 UID: 0 PID: 2844 Comm: klogd Not tainted syzkaller #0 PREEMPT(lazy)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x13d/0x4b0 mm/kasan/report.c:482
kasan_report+0xdf/0x1d0 mm/kasan/report.c:595
mcp2221_raw_event+0x101c/0x1090 drivers/hid/hid-mcp2221.c:964
__hid_input_report.constprop.0+0x319/0x470 drivers/hid/hid-core.c:2161
hid_irq_in+0x55d/0x710 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xda1/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:2005
__run_hrtimer kernel/time/hrtimer.c:1930 [inline]
__hrtimer_run_queues+0x470/0xa00 kernel/time/hrtimer.c:1994
hrtimer_run_softirq+0x17d/0x2c0 kernel/time/hrtimer.c:2011
handle_softirqs+0x1dd/0x9e0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x160/0x210 kernel/softirq.c:735
irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:finish_task_switch.isra.0+0x21a/0xa20 kernel/sched/core.c:5245
Code: 08 3c 03 0f 8e 26 06 00 00 c7 83 00 0d 00 00 00 00 00 00 48 8d 7b 48 e8 94 6e ec 05 e8 ef e7 36 00 fb 49 8d bc 24 e8 15 00 00 <48> b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 04 02 84
RSP: 0018:ffffc9000159fab0 EFLAGS: 00000206
RAX: 00000000004e3f05 RBX: ffff8881f5739680 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff890ca24b RDI: ffff888113ac15e8
RBP: ffffc9000159faf0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888113ac0000
R13: ffff888108720000 R14: 0000000000000000 R15: ffff8881f573a380
context_switch kernel/sched/core.c:5391 [inline]
__schedule+0x1140/0x47e0 kernel/sched/core.c:7189
__schedule_loop kernel/sched/core.c:7268 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:7283
syslog_print+0x218/0x620 kernel/printk/printk.c:1611
do_syslog+0x5bd/0x6d0 kernel/printk/printk.c:1763
__do_sys_syslog kernel/printk/printk.c:1855 [inline]
__se_sys_syslog kernel/printk/printk.c:1853 [inline]
__x64_sys_syslog+0x74/0xb0 kernel/printk/printk.c:1853
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0b3fe2ca37
Code: 73 01 c3 48 8b 0d c1 f3 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 67 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 f3 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe8d14f368 EFLAGS: 00000206 ORIG_RAX: 0000000000000067
RAX: ffffffffffffffda RBX: 00007f0b3ffcc490 RCX: 00007f0b3fe2ca37
RDX: 00000000000003ff RSI: 00007f0b3ffcc490 RDI: 0000000000000002
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000004000 R11: 0000000000000206 R12: 00007f0b3ffcc490
R13: 00007f0b3ffa9dfe R14: 00007f0b3ffcc53a R15: 00007f0b3ffcc53a
Allocated by task 1:
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
bus_add_driver+0x92/0x5b0 drivers/base/bus.c:740
driver_register+0x1e2/0x360 drivers/base/driver.c:249
usb_register_driver drivers/usb/core/driver.c:1078 [inline]
usb_register_driver+0x21c/0x3e0 drivers/usb/core/driver.c:1060
do_one_initcall+0x121/0x750 init/main.c:1392
do_initcall_level init/main.c:1454 [inline]
do_initcalls init/main.c:1470 [inline]
do_basic_setup init/main.c:1490 [inline]
kernel_init_freeable+0x6ea/0x7b0 init/main.c:1703
kernel_init+0x1f/0x1e0 init/main.c:1593
ret_from_fork+0x69a/0xc80 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff888106ff3e00
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 303 bytes to the right of
allocated 208-byte region [ffff888106ff3e00, ffff888106ff3ed0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106ff2
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100041b40 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0200000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 7898676466, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853
prep_new_page mm/page_alloc.c:1861 [inline]
get_page_from_freelist+0x20a5/0x3850 mm/page_alloc.c:3941
__alloc_frozen_pages_noprof+0x273/0x28a0 mm/page_alloc.c:5221
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab mm/slub.c:3467 [inline]
new_slab+0xa6/0x6b0 mm/slub.c:3525
refill_objects+0x277/0x420 mm/slub.c:7272
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x375/0x650 mm/slub.c:4652
alloc_from_pcs mm/slub.c:4750 [inline]
slab_alloc_node mm/slub.c:4884 [inline]
__kmalloc_cache_noprof+0x52c/0x6b0 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
bus_add_driver+0x92/0x5b0 drivers/base/bus.c:740
driver_register+0x1e2/0x360 drivers/base/driver.c:249
usb_register_driver drivers/usb/core/driver.c:1078 [inline]
usb_register_driver+0x21c/0x3e0 drivers/usb/core/driver.c:1060
__usb_serial_register_drivers+0x219/0xe60 drivers/usb/serial/usb-serial.c:1502
do_one_initcall+0x121/0x750 init/main.c:1392
do_initcall_level init/main.c:1454 [inline]
do_initcalls init/main.c:1470 [inline]
do_basic_setup init/main.c:1490 [inline]
kernel_init_freeable+0x6ea/0x7b0 init/main.c:1703
kernel_init+0x1f/0x1e0 init/main.c:1593
ret_from_fork+0x69a/0xc80 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page_owner free stack trace missing
Memory state around the buggy address:
ffff888106ff3e80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
ffff888106ff3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888106ff3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888106ff4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888106ff4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 08 3c 03 or %bh,(%rbx,%rax,1)
3: 0f 8e 26 06 00 00 jle 0x62f
9: c7 83 00 0d 00 00 00 movl $0x0,0xd00(%rbx)
10: 00 00 00
13: 48 8d 7b 48 lea 0x48(%rbx),%rdi
17: e8 94 6e ec 05 call 0x5ec6eb0
1c: e8 ef e7 36 00 call 0x36e810
21: fb sti
22: 49 8d bc 24 e8 15 00 lea 0x15e8(%r12),%rdi
29: 00
* 2a: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax <-- trapping instruction
31: fc ff df
34: 48 89 fa mov %rdi,%rdx
37: 48 c1 ea 03 shr $0x3,%rdx
3b: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax
3f: 84 .byte 0x84
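The report above records a 1-byte read in a HID raw_event handler landing 303 bytes past the nearest allocated slab object (the 208-byte region from bus_add_driver, which is simply the neighbour KASAN found, not necessarily the buffer the handler indexed), with the report delivered through dummy_hcd, i.e. an emulated USB device whose report bytes and length are device-controlled. The driver source at hid-mcp2221.c:964 is not on this page, so the following is an added, generic C illustration of the bug class and of the length check a raw_event-style parser needs; it is not the hid-mcp2221 code, and the report layout (field offsets, lengths, the 0xEE canary, the sample bytes) is invented for the example:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative only. The layout below is invented for this example and is
 * NOT the MCP2221 protocol; nothing here reconstructs hid-mcp2221.c:964.
 */
#define RESP_CMD_OFF     0
#define RESP_STATUS_OFF  1
#define RESP_DATA_OFF    4
#define RESP_DATA_LEN    60
#define RESP_MIN_LEN     (RESP_DATA_OFF + RESP_DATA_LEN)   /* 64 */

struct decoded_resp {
    uint8_t cmd;
    uint8_t status;
    uint8_t data[RESP_DATA_LEN];
};

/* True when [off, off+len) lies inside a buffer of `size` bytes; written as
 * two comparisons so that off + len cannot wrap around. */
static int field_in_bounds(size_t size, size_t off, size_t len)
{
    return off <= size && len <= size - off;
}

/*
 * Unchecked variant: trusts that the device sent a full-length report and
 * indexes by fixed offsets. With a short report the reads run past the bytes
 * actually received, which in a kernel slab is whatever object sits next
 * door (the slab-out-of-bounds pattern KASAN flagged above).
 */
int decode_resp_unchecked(const uint8_t *data, size_t size, struct decoded_resp *out)
{
    (void)size;                        /* the bug: size is never consulted */
    out->cmd    = data[RESP_CMD_OFF];
    out->status = data[RESP_STATUS_OFF];
    memcpy(out->data, data + RESP_DATA_OFF, RESP_DATA_LEN);
    return 0;
}

/* Checked variant: every field is validated against the delivered size
 * before anything is indexed. */
int decode_resp_checked(const uint8_t *data, size_t size, struct decoded_resp *out)
{
    if (!field_in_bounds(size, RESP_DATA_OFF, RESP_DATA_LEN))
        return -EINVAL;                /* truncated report: reject it */
    out->cmd    = data[RESP_CMD_OFF];
    out->status = data[RESP_STATUS_OFF];
    memcpy(out->data, data + RESP_DATA_OFF, RESP_DATA_LEN);
    return 0;
}

/*
 * Harness: a 128-byte backing buffer filled with a 0xEE canary stands in for
 * the slab page; only the first `report_len` bytes are the "report" the
 * device sent. All reads stay inside `backing`, so this is well-defined C,
 * while the canary shows exactly which bytes a size-blind parser picks up.
 */
#define BACKING_LEN 128
#define CANARY      0xEE

int run_short_report_demo(size_t report_len, int checked, struct decoded_resp *out)
{
    /* constructed sample: an 8-byte report from the (hypothetical) device */
    static const uint8_t device_bytes[8] = { 0x10, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef };
    uint8_t backing[BACKING_LEN];
    size_t n = report_len < sizeof device_bytes ? report_len : sizeof device_bytes;

    if (report_len > BACKING_LEN)
        return -E2BIG;
    memset(backing, CANARY, sizeof backing);
    memcpy(backing, device_bytes, n);
    memset(out, 0, sizeof *out);
    return checked ? decode_resp_checked(backing, report_len, out)
                   : decode_resp_unchecked(backing, report_len, out);
}

int main(void)
{
    struct decoded_resp r;
    int rc;

    rc = run_short_report_demo(8, 0, &r);
    printf("unchecked, 8-byte report: rc=%d data[4]=0x%02x (canary leaked)\n", rc, r.data[4]);
    rc = run_short_report_demo(8, 1, &r);
    printf("checked,   8-byte report: rc=%d (rejected)\n", rc);
    rc = run_short_report_demo(RESP_MIN_LEN, 1, &r);
    printf("checked,  64-byte report: rc=%d cmd=0x%02x\n", rc, r.cmd);
    return 0;
}
```

The point to carry back to the real report: `size` in a raw_event callback is whatever the device delivered, and any fixed-offset access into the report must be guarded by a check like `field_in_bounds` rather than by the report descriptor's nominal length.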