==================================================================
BUG: KASAN: use-after-free in mcp2221_raw_event+0x1004/0x1010 drivers/hid/hid-mcp2221.c:944
Read of size 1 at addr ffffaf8035ffffff by task ksoftirqd/0/15

CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8007949a>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff8000329a>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff80060b76>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff80060b76>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8000ee40>] print_address_description mm/kasan/report.c:378 [inline]
[<ffffffff8000ee40>] print_report+0x28e/0x5a2 mm/kasan/report.c:482
[<ffffffff80b1ed32>] kasan_report+0xf0/0x214 mm/kasan/report.c:595
[<ffffffff80b20d7c>] __asan_report_load1_noabort+0x12/0x1a mm/kasan/report_generic.c:378
[<ffffffff84997afe>] mcp2221_raw_event+0x1004/0x1010 drivers/hid/hid-mcp2221.c:944
[<ffffffff848f4f9a>] __hid_input_report.constprop.0+0x2c8/0x3fa drivers/hid/hid-core.c:2130
[<ffffffff848f50fe>] hid_input_report+0x32/0x44 drivers/hid/hid-core.c:2157
[<ffffffff84a8d67e>] hid_irq_in+0x2f6/0x732 drivers/hid/usbhid/hid-core.c:286
[<ffffffff838466d4>] __usb_hcd_giveback_urb+0x362/0x6f4 drivers/usb/core/hcd.c:1663
[<ffffffff83846dca>] usb_hcd_giveback_urb+0x364/0x3fe drivers/usb/core/hcd.c:1747
[<ffffffff83d9c1d4>] dummy_timer+0x134a/0x3458 drivers/usb/gadget/udc/dummy_hcd.c:1995
[<ffffffff803f6742>] __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
[<ffffffff803f6742>] __hrtimer_run_queues+0x1bc/0xf9e kernel/time/hrtimer.c:1825
[<ffffffff803f7668>] hrtimer_run_softirq+0x144/0x2f6 kernel/time/hrtimer.c:1842
[<ffffffff8016778e>] handle_softirqs+0x4b2/0x132e kernel/softirq.c:579
[<ffffffff801686d8>] run_ksoftirqd kernel/softirq.c:968 [inline]
[<ffffffff801686d8>] run_ksoftirqd+0xce/0x144 kernel/softirq.c:960
[<ffffffff801fe948>] smpboot_thread_fn+0x420/0xc80 kernel/smpboot.c:160
[<ffffffff801e843c>] kthread+0x39c/0x7d4 kernel/kthread.c:463
[<ffffffff800699c4>] ret_from_fork_kernel+0x2a/0xbb4 arch/riscv/kernel/process.c:214
[<ffffffff863ed6b6>] ret_from_fork_kernel_asm+0x16/0x18 arch/riscv/kernel/entry.S:327

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb5fff
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_ZERO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 9005, tgid 9004 (syz.1.1189), ts 5659457900300, free_ts 5663174517400
 __set_page_owner+0x94/0x4a8 mm/page_owner.c:329
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xdc/0x1ba mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x7fa/0x359a mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x22e/0x2120 mm/page_alloc.c:5148
 alloc_pages_mpol+0x1fa/0x5bc mm/mempolicy.c:2416
 alloc_frozen_pages_noprof+0x174/0x2f0 mm/mempolicy.c:2487
 alloc_pages_noprof+0x20/0x48 mm/mempolicy.c:2507
 get_free_pages_noprof+0x18/0x136 mm/page_alloc.c:5207
 alloc_one_pg_vec_page net/packet/af_packet.c:4420 [inline]
 alloc_pg_vec net/packet/af_packet.c:4450 [inline]
 packet_set_ring+0xc5c/0x1a04 net/packet/af_packet.c:4535
 packet_setsockopt+0x1794/0x3638 net/packet/af_packet.c:3891
 do_sock_setsockopt+0x208/0x400 net/socket.c:2344
 __sys_setsockopt+0x142/0x1e6 net/socket.c:2369
 __do_sys_setsockopt net/socket.c:2375 [inline]
 __se_sys_setsockopt net/socket.c:2372 [inline]
 __riscv_sys_setsockopt+0xa6/0x114 net/socket.c:2372
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:112
 do_trap_ecall_u+0x396/0x530 arch/riscv/kernel/traps.c:343
 handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
page last free pid 9005 tgid 9004 stack trace:
 __reset_page_owner+0x78/0x1ba mm/page_owner.c:308
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x836/0x145e mm/page_alloc.c:2895
 ___free_pages+0x146/0x1c8 mm/page_alloc.c:5229
 __free_pages mm/page_alloc.c:5260 [inline]
 free_pages.part.0+0x274/0x4d4 mm/page_alloc.c:5277
 free_pages+0xe/0x18 mm/page_alloc.c:5274
 free_pg_vec+0x122/0x154 net/packet/af_packet.c:4406
 packet_set_ring+0x67a/0x1a04 net/packet/af_packet.c:4625
 packet_release+0x5ea/0xd40 net/packet/af_packet.c:3205
 __sock_release+0xa4/0x246 net/socket.c:649
 sock_close+0x1e/0x2a net/socket.c:1439
 __fput+0x382/0xa8c fs/file_table.c:468
 ____fput+0x1c/0x26 fs/file_table.c:496
 task_work_run+0x16a/0x25e kernel/task_work.c:227
 get_signal+0xd82/0x22fc kernel/signal.c:2807
 arch_do_signal_or_restart+0x6c0/0x25d6 arch/riscv/kernel/signal.c:431
 exit_to_user_mode_loop+0x90/0x134 kernel/entry/common.c:40

Memory state around the buggy address:
 ffffaf8035fffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffffaf8035ffff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffffaf8035ffff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                ^
 ffffaf8036000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffaf8036000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================