==================================================================
BUG: KASAN: use-after-free in mcp2221_raw_event+0xfc1/0x1180 drivers/hid/hid-mcp2221.c:830
Read of size 1 at addr ffff88806c2ebfff by task syz.6.4364/25263
CPU: 1 PID: 25263 Comm: syz.6.4364 Not tainted 6.6.94-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xac/0x230 mm/kasan/report.c:475
kasan_report+0x117/0x150 mm/kasan/report.c:588
mcp2221_raw_event+0xfc1/0x1180 drivers/hid/hid-mcp2221.c:830
hid_input_report+0x400/0x520 drivers/hid/hid-core.c:2086
hid_irq_in+0x479/0x6d0 drivers/hid/usbhid/hid-core.c:284
__usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1650
dummy_timer+0x8a3/0x31b0 drivers/usb/gadget/udc/dummy_hcd.c:1993
__run_hrtimer kernel/time/hrtimer.c:1755 [inline]
__hrtimer_run_queues+0x51e/0xc40 kernel/time/hrtimer.c:1819
hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1836
handle_softirqs+0x280/0x820 kernel/softirq.c:578
__do_softirq kernel/softirq.c:612 [inline]
invoke_softirq kernel/softirq.c:452 [inline]
__irq_exit_rcu+0xc7/0x190 kernel/softirq.c:661
irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:__syscall_enter_from_user_work kernel/entry/common.c:97 [inline]
RIP: 0010:syscall_enter_from_user_mode+0x2e/0x80 kernel/entry/common.c:118
Code: 41 56 53 48 89 f3 49 89 fe 48 8b 7c 24 10 e8 e9 fa ff ff 66 90 66 90 e8 10 bb 25 f7 e8 cb ba 25 f7 fb 65 48 8b 05 02 7c 9d 75 <48> 8b 70 08 40 f6 c6 3f 74 0b 4c 89 f7 5b 41 5e e9 ed 3a 0c f7 48
RSP: 0018:ffffc90005617f08 EFLAGS: 00000286
RAX: ffff88802c30bc00 RBX: 00000000000000e6 RCX: f1bc7e4ebfd3d600
RDX: dffffc0000000000 RSI: ffffffff8aaab2c0 RDI: ffffffff8afc6900
RBP: ffffc90005617f48 R08: ffffffff8e49ab2f R09: 1ffffffff1c93565
R10: dffffc0000000000 R11: fffffbfff1c93566 R12: 0000000000000000
R13: 0000000000000000 R14: ffffc90005617f58 R15: 0000000000000000
do_syscall_64+0x28/0xb0 arch/x86/entry/common.c:77
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f43983c11e5
Code: 24 0c 89 3c 24 48 89 4c 24 18 e8 f6 54 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 8b 74 24 0c 8b 3c 24 b8 e6 00 00 00 0f 05 <44> 89 c7 48 89 04 24 e8 4f 55 ff ff 48 8b 04 24 48 83 c4 28 f7 d8
RSP: 002b:00007f43991a1f60 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f43983c11e5
RDX: 00007f43991a1fa0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000200000000040
R13: 0000000000000000 R14: 00007f43985b5fa0 R15: 00007ffd4e9c9668
The buggy address belongs to the physical page:
page:ffffea0001b0bac0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6c2eb
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffff7f(buddy)
raw: 00fff00000000000 ffffea0001ef9dc8 ffffea0001f79008 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102cc2(GFP_HIGHUSER|__GFP_NOWARN), pid 25259, tgid 25258 (syz.9.4363), ts 1743123719599, free_ts 1743158417760
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
prep_new_page mm/page_alloc.c:1561 [inline]
get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
__alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
vm_area_alloc_pages mm/vmalloc.c:3081 [inline]
__vmalloc_area_node mm/vmalloc.c:3150 [inline]
__vmalloc_node_range+0x96b/0x1320 mm/vmalloc.c:3331
__vmalloc_node mm/vmalloc.c:3396 [inline]
vmalloc+0x79/0x90 mm/vmalloc.c:3429
__snd_dma_alloc_pages sound/core/memalloc.c:39 [inline]
snd_dma_alloc_dir_pages+0x15c/0x230 sound/core/memalloc.c:73
do_alloc_pages+0x11a/0x260 sound/core/pcm_memory.c:74
snd_pcm_lib_malloc_pages+0x301/0x690 sound/core/pcm_memory.c:459
snd_pcm_hw_params+0x788/0x1c50 sound/core/pcm_native.c:770
snd_pcm_oss_change_params_locked+0x2144/0x3d30 sound/core/oss/pcm_oss.c:976
snd_pcm_oss_make_ready_locked sound/core/oss/pcm_oss.c:1197 [inline]
snd_pcm_oss_sync+0x363/0xc20 sound/core/oss/pcm_oss.c:1679
snd_pcm_oss_release+0x102/0x240 sound/core/oss/pcm_oss.c:2589
__fput+0x234/0x970 fs/file_table.c:384
__do_sys_close fs/open.c:1571 [inline]
__se_sys_close+0x15f/0x220 fs/open.c:1556
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1154 [inline]
free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336
free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429
vfree+0x1a6/0x320 mm/vmalloc.c:2860
do_free_pages sound/core/pcm_memory.c:93 [inline]
snd_pcm_lib_free_pages+0x1e8/0x2a0 sound/core/pcm_memory.c:499
do_hw_free sound/core/pcm_native.c:887 [inline]
snd_pcm_release_substream+0x2a2/0x460 sound/core/pcm_native.c:2722
snd_pcm_oss_release_file sound/core/oss/pcm_oss.c:2412 [inline]
snd_pcm_oss_release+0x147/0x240 sound/core/oss/pcm_oss.c:2591
__fput+0x234/0x970 fs/file_table.c:384
__do_sys_close fs/open.c:1571 [inline]
__se_sys_close+0x15f/0x220 fs/open.c:1556
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Memory state around the buggy address:
 ffff88806c2ebe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806c2ebf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88806c2ebf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                ^
 ffff88806c2ec000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88806c2ec080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 41 56 push %r14
2: 53 push %rbx
3: 48 89 f3 mov %rsi,%rbx
6: 49 89 fe mov %rdi,%r14
9: 48 8b 7c 24 10 mov 0x10(%rsp),%rdi
e: e8 e9 fa ff ff call 0xfffffafc
13: 66 90 xchg %ax,%ax
15: 66 90 xchg %ax,%ax
17: e8 10 bb 25 f7 call 0xf725bb2c
1c: e8 cb ba 25 f7 call 0xf725baec
21: fb sti
22: 65 48 8b 05 02 7c 9d mov %gs:0x759d7c02(%rip),%rax # 0x759d7c2c
29: 75
* 2a: 48 8b 70 08 mov 0x8(%rax),%rsi <-- trapping instruction
2e: 40 f6 c6 3f test $0x3f,%sil
32: 74 0b je 0x3f
34: 4c 89 f7 mov %r14,%rdi
37: 5b pop %rbx
38: 41 5e pop %r14
3a: e9 ed 3a 0c f7 jmp 0xf70c3b2c
3f: 48 rex.W