==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0xf94/0x1030 drivers/hid/hid-mcp2221.c:852
Read of size 1 at addr ffff88813e7e7fff by task syz.3.1902/11721

CPU: 1 UID: 0 PID: 11721 Comm: syz.3.1902 Not tainted 6.15.0-rc4-syzkaller-00104-g588d032e9e56 #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 mcp2221_raw_event+0xf94/0x1030 drivers/hid/hid-mcp2221.c:852
 __hid_input_report.constprop.0+0x311/0x450 drivers/hid/hid-core.c:2117
 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x38a/0x6e0 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x180e/0x3a20 drivers/usb/gadget/udc/dummy_hcd.c:1994
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x1ff/0xad0 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
 handle_softirqs+0x205/0x8d0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x111/0x1a0 mm/kasan/generic.c:189
Code: 44 89 c2 e8 61 ec ff ff 83 f0 01 5b 5d 41 5c c3 cc cc cc cc 48 85 d2 74 4f 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 41 80 38 00 <74> f2 eb b2 41 bc 08 00 00 00 45 29 dc 49 8d 14 2c eb 0c 48 83 c0
RSP: 0018:ffffc90012de7a90 EFLAGS: 00000246
RAX: ffffed1020651840 RBX: ffffed1020651841 RCX: ffffffff816f6a69
RDX: ffffed1020651841 RSI: 0000000000000004 RDI: ffff88810328c200
RBP: ffffed1020651840 R08: 0000000000000001 R09: ffffed1020651840
R10: ffff88810328c203 R11: 0000000000000000 R12: ffffc90012de7b80
R13: ffff888111db1d40 R14: dffffc0000000000 R15: ffff888111db3414
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_inc include/linux/atomic/atomic-instrumented.h:435 [inline]
 futex_hb_waiters_inc kernel/futex/futex.h:325 [inline]
 futex_q_lock+0x29/0x70 kernel/futex/core.c:520
 futex_wait_setup+0xb3/0x290 kernel/futex/waitwake.c:621
 __futex_wait+0x266/0x3c0 kernel/futex/waitwake.c:663
 futex_wait+0xe8/0x380 kernel/futex/waitwake.c:696
 do_futex+0x229/0x350 kernel/futex/syscalls.c:102
 __do_sys_futex kernel/futex/syscalls.c:179 [inline]
 __se_sys_futex kernel/futex/syscalls.c:160 [inline]
 __x64_sys_futex+0x1e0/0x4c0 kernel/futex/syscalls.c:160
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd682f8e969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd6815f70e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007fd6831b5fa8 RCX: 00007fd682f8e969
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fd6831b5fa8
RBP: 00007fd6831b5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6831b5fac
R13: 0000000000000000 R14: 00007ffc9014bbe0 R15: 00007ffc9014bcc8
 </TASK>

Allocated by task 7562:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4161 [inline]
 slab_alloc_node mm/slub.c:4210 [inline]
 kmem_cache_alloc_noprof+0x14f/0x3b0 mm/slub.c:4217
 alloc_empty_file+0x55/0x1e0 fs/file_table.c:234
 path_openat+0xe0/0x2d40 fs/namei.c:4025
 do_filp_open+0x20b/0x470 fs/namei.c:4066
 do_sys_openat2+0x11b/0x1d0 fs/open.c:1429
 do_sys_open fs/open.c:1444 [inline]
 __do_sys_openat fs/open.c:1460 [inline]
 __se_sys_openat fs/open.c:1455 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1455
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5222:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x37/0x50 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2398 [inline]
 slab_free_after_rcu_debug+0xd2/0x2b0 mm/slub.c:4706
 rcu_do_batch kernel/rcu/tree.c:2568 [inline]
 rcu_core+0x799/0x14e0 kernel/rcu/tree.c:2824
 handle_softirqs+0x205/0x8d0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
 slab_free_hook mm/slub.c:2359 [inline]
 slab_free mm/slub.c:4656 [inline]
 kmem_cache_free+0x141/0x470 mm/slub.c:4758
 file_free fs/file_table.c:76 [inline]
 __fput+0x68d/0xb70 fs/file_table.c:478
 fput_close_sync+0x118/0x260 fs/file_table.c:570
 __do_sys_close fs/open.c:1581 [inline]
 __se_sys_close fs/open.c:1566 [inline]
 __x64_sys_close+0x8b/0x120 fs/open.c:1566
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88813e7e7dc0
 which belongs to the cache filp of size 360
The buggy address is located 215 bytes to the right of
 allocated 360-byte region [ffff88813e7e7dc0, ffff88813e7e7f28)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13e7e6
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88811abad301
anon flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100ae63c0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000120012 00000000f5000000 ffff88811abad301
head: 0200000000000040 ffff888100ae63c0 0000000000000000 dead000000000001
head: 0000000000000000 0000000000120012 00000000f5000000 ffff88811abad301
head: 0200000000000001 ffffea0004f9f981 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2945, tgid 2945 (syz-executor), ts 717117632229, free_ts 717110352426
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718
 prep_new_page mm/page_alloc.c:1726 [inline]
 get_page_from_freelist+0xfec/0x2d90 mm/page_alloc.c:3688
 __alloc_frozen_pages_noprof+0x25c/0x2160 mm/page_alloc.c:4970
 alloc_pages_mpol+0xe4/0x410 mm/mempolicy.c:2301
 alloc_slab_page mm/slub.c:2468 [inline]
 allocate_slab mm/slub.c:2632 [inline]
 new_slab+0x244/0x340 mm/slub.c:2686
 ___slab_alloc+0xda5/0x1940 mm/slub.c:3872
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3962
 __slab_alloc_node mm/slub.c:4037 [inline]
 slab_alloc_node mm/slub.c:4198 [inline]
 kmem_cache_alloc_noprof+0x1f9/0x3b0 mm/slub.c:4217
 alloc_empty_file+0x55/0x1e0 fs/file_table.c:234
 alloc_file fs/file_table.c:351 [inline]
 alloc_file_pseudo+0x13a/0x230 fs/file_table.c:380
 sock_alloc_file+0x50/0x210 net/socket.c:470
 sock_map_fd net/socket.c:500 [inline]
 __sys_socket+0x1c0/0x260 net/socket.c:1692
 __do_sys_socket net/socket.c:1697 [inline]
 __se_sys_socket net/socket.c:1695 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1695
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 10008 tgid 9999 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1262 [inline]
 __free_frozen_pages+0x66c/0xe70 mm/page_alloc.c:2725
 mm_free_pgd kernel/fork.c:793 [inline]
 __mmdrop+0xd5/0x470 kernel/fork.c:939
 mmdrop include/linux/sched/mm.h:55 [inline]
 __mmput kernel/fork.c:1390 [inline]
 mmput+0x378/0x430 kernel/fork.c:1401
 exit_mm kernel/exit.c:589 [inline]
 do_exit+0x9d1/0x2c30 kernel/exit.c:940
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
 get_signal+0x2673/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x147/0x260 kernel/entry/common.c:218
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff88813e7e7e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88813e7e7f00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
>ffff88813e7e7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88813e7e8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88813e7e8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	44 89 c2             	mov    %r8d,%edx
   3:	e8 61 ec ff ff       	call   0xffffec69
   8:	83 f0 01             	xor    $0x1,%eax
   b:	5b                   	pop    %rbx
   c:	5d                   	pop    %rbp
   d:	41 5c                	pop    %r12
   f:	c3                   	ret
  10:	cc                   	int3
  11:	cc                   	int3
  12:	cc                   	int3
  13:	cc                   	int3
  14:	48 85 d2             	test   %rdx,%rdx
  17:	74 4f                	je     0x68
  19:	48 01 ea             	add    %rbp,%rdx
  1c:	eb 09                	jmp    0x27
  1e:	48 83 c0 01          	add    $0x1,%rax
  22:	48 39 d0             	cmp    %rdx,%rax
  25:	74 41                	je     0x68
  27:	80 38 00             	cmpb   $0x0,(%rax)
* 2a:	74 f2                	je     0x1e <-- trapping instruction
  2c:	eb b2                	jmp    0xffffffe0
  2e:	41 bc 08 00 00 00    	mov    $0x8,%r12d
  34:	45 29 dc             	sub    %r11d,%r12d
  37:	49 8d 14 2c          	lea    (%r12,%rbp,1),%rdx
  3b:	eb 0c                	jmp    0x49
  3d:	48                   	rex.W
  3e:	83                   	.byte 0x83
  3f:	c0                   	.byte 0xc0