==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0xfcd/0x1190 drivers/hid/hid-mcp2221.c:854
Read of size 1 at addr ffff88804f7dffff by task kworker/1:0/24
CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0 Not tainted 6.16.0-rc4-syzkaller-00108-g17bbde2e1716 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
mcp2221_raw_event+0xfcd/0x1190 drivers/hid/hid-mcp2221.c:854
__hid_input_report drivers/hid/hid-core.c:2117 [inline]
hid_input_report+0x40a/0x520 drivers/hid/hid-core.c:2144
hid_irq_in+0x47e/0x6d0 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x41a/0x690 drivers/usb/core/hcd.c:1650
dummy_timer+0x862/0x4550 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
Code: 74 05 e8 5b 55 5e f6 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4f f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 e3 3e 27 f6 65 8b 05 9c 7a 33 07 85 c0 74 40 48 c7 04 24 0e 36
RSP: 0018:ffffc900001e6300 EFLAGS: 00000206
RAX: 05274f0a6bf20200 RBX: 0000000000000216 RCX: 05274f0a6bf20200
RDX: 0000000000000007 RSI: ffffffff8d982285 RDI: 0000000000000001
RBP: ffffc900001e6398 R08: ffffffff8fa10af7 R09: 1ffffffff1f4215e
R10: dffffc0000000000 R11: fffffbfff1f4215f R12: dffffc0000000000
R13: 1ffff110170e75be R14: ffff88801d284610 R15: 1ffff9200003cc60
class_raw_spinlock_irqsave_destructor include/linux/spinlock.h:557 [inline]
try_to_wake_up+0x7b6/0x1290 kernel/sched/core.c:4226
devtmpfs_submit_req drivers/base/devtmpfs.c:121 [inline]
devtmpfs_create_node+0x1cd/0x240 drivers/base/devtmpfs.c:153
device_add+0x9db/0xb50 drivers/base/core.c:3666
cdev_device_add+0x1d6/0x390 fs/char_dev.c:556
i2cdev_attach_adapter+0x2ed/0x4e0 drivers/i2c/i2c-dev.c:691
notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
blocking_notifier_call_chain+0x6a/0x90 kernel/notifier.c:380
bus_notify+0x143/0x180 drivers/base/bus.c:1001
device_add+0x54d/0xb50 drivers/base/core.c:3672
i2c_register_adapter+0x4e3/0x10d0 drivers/i2c/i2c-core-base.c:1570
devm_i2c_add_adapter+0x1b/0x80 drivers/i2c/i2c-core-base.c:1842
mcp2221_probe+0x404/0x880 drivers/hid/hid-mcp2221.c:1195
__hid_device_probe drivers/hid/hid-core.c:2724 [inline]
hid_device_probe+0x3a0/0x710 drivers/hid/hid-core.c:2761
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
hid_add_device+0x398/0x540 drivers/hid/hid-core.c:2907
usbhid_probe+0xe13/0x12a0 drivers/hid/usbhid/hid-core.c:1435
usb_probe_interface+0x644/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2663
hub_port_connect drivers/usb/core/hub.c:5535 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
port_event drivers/usb/core/hub.c:5835 [inline]
hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5917
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Allocated by task 4050:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4249
kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:579
__alloc_skb+0x142/0x2d0 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1336 [inline]
nlmsg_new include/net/netlink.h:1041 [inline]
inet6_rt_notify+0x165/0x430 net/ipv6/route.c:6334
fib6_del_route net/ipv6/ip6_fib.c:2058 [inline]
fib6_del+0x1094/0x1550 net/ipv6/ip6_fib.c:2093
fib6_clean_node+0x29f/0x590 net/ipv6/ip6_fib.c:2255
fib6_walk_continue+0x67b/0x910 net/ipv6/ip6_fib.c:2177
fib6_walk+0x149/0x290 net/ipv6/ip6_fib.c:2225
fib6_clean_tree net/ipv6/ip6_fib.c:2305 [inline]
__fib6_clean_all+0x234/0x380 net/ipv6/ip6_fib.c:2321
rt6_sync_down_dev net/ipv6/route.c:5004 [inline]
rt6_disable_ip+0x120/0x720 net/ipv6/route.c:5009
addrconf_ifdown+0x15d/0x1880 net/ipv6/addrconf.c:3857
addrconf_notify+0x1bc/0x1010 net/ipv6/addrconf.c:-1
notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
call_netdevice_notifiers net/core/dev.c:2282 [inline]
dev_close_many+0x29c/0x410 net/core/dev.c:1785
unregister_netdevice_many_notify+0x834/0x2320 net/core/dev.c:12047
ops_exit_rtnl_list net/core/net_namespace.c:188 [inline]
ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:249
cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 4050:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kmem_cache_free+0x18f/0x400 mm/slub.c:4745
skb_release_data+0x62d/0x7c0 net/core/skbuff.c:1087
skb_release_all net/core/skbuff.c:1152 [inline]
__kfree_skb net/core/skbuff.c:1166 [inline]
consume_skb+0x9e/0xf0 net/core/skbuff.c:1398
netlink_broadcast_filtered+0x103c/0x1140 net/netlink/af_netlink.c:1524
nlmsg_multicast_filtered include/net/netlink.h:1151 [inline]
nlmsg_multicast include/net/netlink.h:1170 [inline]
nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2577
fib6_del_route net/ipv6/ip6_fib.c:2058 [inline]
fib6_del+0x1094/0x1550 net/ipv6/ip6_fib.c:2093
fib6_clean_node+0x29f/0x590 net/ipv6/ip6_fib.c:2255
fib6_walk_continue+0x67b/0x910 net/ipv6/ip6_fib.c:2177
fib6_walk+0x149/0x290 net/ipv6/ip6_fib.c:2225
fib6_clean_tree net/ipv6/ip6_fib.c:2305 [inline]
__fib6_clean_all+0x234/0x380 net/ipv6/ip6_fib.c:2321
rt6_sync_down_dev net/ipv6/route.c:5004 [inline]
rt6_disable_ip+0x120/0x720 net/ipv6/route.c:5009
addrconf_ifdown+0x15d/0x1880 net/ipv6/addrconf.c:3857
addrconf_notify+0x1bc/0x1010 net/ipv6/addrconf.c:-1
notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
call_netdevice_notifiers net/core/dev.c:2282 [inline]
dev_close_many+0x29c/0x410 net/core/dev.c:1785
unregister_netdevice_many_notify+0x834/0x2320 net/core/dev.c:12047
ops_exit_rtnl_list net/core/net_namespace.c:188 [inline]
ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:249
cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88804f7dfa80
which belongs to the cache skbuff_small_head of size 704
The buggy address is located 703 bytes to the right of
allocated 704-byte region [ffff88804f7dfa80, ffff88804f7dfd40)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f7dc
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801e298b40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801e298b40 dead000000000122 0000000000000000
head: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea00013df701 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4050, tgid 4050 (kworker/u8:7), ts 323118639112, free_ts 316444010699
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2619
new_slab mm/slub.c:2673 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
kmem_cache_alloc_node_noprof+0x280/0x3c0 mm/slub.c:4249
kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:579
__alloc_skb+0x142/0x2d0 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1336 [inline]
nlmsg_new include/net/netlink.h:1041 [inline]
__neigh_notify+0x15c/0x310 net/core/neighbour.c:3450
neigh_cleanup_and_release+0xb0/0x290 net/core/neighbour.c:119
neigh_flush_dev+0x823/0x950 net/core/neighbour.c:409
__neigh_ifdown+0x39/0x400 net/core/neighbour.c:425
neigh_ifdown+0x1f/0x30 net/core/neighbour.c:443
rt6_disable_ip+0x6b3/0x720 net/ipv6/route.c:5011
addrconf_ifdown+0x15d/0x1880 net/ipv6/addrconf.c:3857
page last free pid 6425 tgid 6425 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
pagetable_free include/linux/mm.h:2879 [inline]
pagetable_dtor_free include/linux/mm.h:2977 [inline]
__tlb_remove_table+0x2d2/0x3b0 include/asm-generic/tlb.h:220
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:290
rcu_do_batch kernel/rcu/tree.c:2576 [inline]
rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2832
handle_softirqs+0x286/0x870 kernel/softirq.c:579
do_softirq+0xec/0x180 kernel/softirq.c:480
__local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
spin_unlock_bh include/linux/spinlock.h:396 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
nsim_dev_trap_report_work+0x7c7/0xb80 drivers/net/netdevsim/dev.c:851
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff88804f7dfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804f7dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88804f7dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88804f7e0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88804f7e0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 74 05 je 0x7
2: e8 5b 55 5e f6 call 0xf65e5562
7: 48 c7 44 24 20 00 00 movq $0x0,0x20(%rsp)
e: 00 00
10: 9c pushf
11: 8f 44 24 20 pop 0x20(%rsp)
15: f6 44 24 21 02 testb $0x2,0x21(%rsp)
1a: 75 4f jne 0x6b
1c: f7 c3 00 02 00 00 test $0x200,%ebx
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 e3 3e 27 f6 call 0xf6273f12 <-- trapping instruction
2f: 65 8b 05 9c 7a 33 07 mov %gs:0x7337a9c(%rip),%eax # 0x7337ad2
36: 85 c0 test %eax,%eax
38: 74 40 je 0x7a
3a: 48 rex.W
3b: c7 .byte 0xc7
3c: 04 24 add $0x24,%al
3e: 0e (bad)
3f: 36 ss
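
Reading the report: the fault is a 1-byte read in mcp2221_raw_event (drivers/hid/hid-mcp2221.c:854), reached from hid_irq_in through dummy_hcd, i.e. an emulated USB gadget (syzkaller's USB fuzzing) delivered an input report while mcp2221_probe for the same device was still registering its I2C adapter in the interrupted context. The "Allocated by" and "Freed by" stacks are not the bug's origin: they belong to an unrelated netlink skb head that last occupied the nearest object in the skbuff_small_head slab. The faulting address 0xffff88804f7dffff is 703 bytes past the end of that 704-byte object (0x...fd40 + 0x2bf) and is the last byte of the order-2 slab page (pfn 0x4f7dc, so the page ends at 0xffff88804f7e0000); the shadow byte fc marks slab redzone. In other words the driver indexed far outside whatever report buffer it was handed, using a value that was not bounded by the report length the HID core passed in.

The source of line 854 is not on this page, so the block below does not reproduce the driver's code. It is an editor-added, stand-alone C model of the bug class a KASAN slab-out-of-bounds read in a raw_event handler points at: trusting an in-band length byte from the device instead of the `size` argument. The report layout (command echo at data[0], length byte at data[3], payload from data[4]), the field and function names, and the sample report bytes are assumptions constructed for the example and are not taken from hid-mcp2221.c or the MCP2221 protocol.

```c
/* Editor-added model of a HID raw_event length check; not code from
 * drivers/hid/hid-mcp2221.c.  Builds with any C99 compiler. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;

/* Assumed report layout for the example only (not the MCP2221 protocol):
 * data[0] command echo, data[1] status, data[3] payload length,
 * payload starting at data[4]. */
#define RPT_HDR_LEN 4
#define RPT_LEN_IDX 3

struct mcp_model {
	int rxlen;       /* payload length the handler accepted */
	unsigned sum;    /* checksum over the payload bytes it read */
	int rejected;    /* reports refused by the length check */
};

/* Unchecked pattern: 'size' (the byte count the HID core actually received)
 * is ignored and the in-band length byte is trusted.  A device that sends a
 * short report with a large length byte makes this loop read past the end of
 * the report buffer: a KASAN slab-out-of-bounds "Read of size 1". */
static int raw_event_unchecked(struct mcp_model *m, const u8 *data, int size)
{
	int len = data[RPT_LEN_IDX];
	unsigned sum = 0;
	int i;

	(void)size;
	for (i = 0; i < len; i++)
		sum += data[RPT_HDR_LEN + i];
	m->rxlen = len;
	m->sum = sum;
	return 0;
}

/* Hardened pattern: every index into data[] is bounded by 'size' before use,
 * so a hostile or emulated device cannot steer the read outside the report. */
static int raw_event_checked(struct mcp_model *m, const u8 *data, int size)
{
	int len, i;
	unsigned sum = 0;

	if (size < RPT_HDR_LEN)          /* header bytes must actually be present */
		goto reject;
	len = data[RPT_LEN_IDX];
	if (len > size - RPT_HDR_LEN)    /* in-band length vs. bytes received */
		goto reject;
	for (i = 0; i < len; i++)
		sum += data[RPT_HDR_LEN + i];
	m->rxlen = len;
	m->sum = sum;
	return 0;

reject:
	m->rejected++;
	return -EINVAL;
}

/* Constructed input: an 8-byte report whose length byte claims 200 payload
 * bytes.  It sits at the front of a larger 0xAA-filled array so the unchecked
 * handler's over-read stays inside memory this program owns (no undefined
 * behaviour here); in the kernel the same read lands in whatever neighbours
 * the report buffer, which is what KASAN flagged above. */
static u8 backing[256];
static struct mcp_model model_un, model_ck;

static int run_short_report(struct mcp_model *un, struct mcp_model *ck)
{
	const u8 report[8] = { 0x91, 0x00, 0x00, 200, 'a', 'b', 'c', 'd' };
	int size = (int)sizeof(report);

	memset(backing, 0xAA, sizeof(backing));
	memcpy(backing, report, sizeof(report));
	memset(un, 0, sizeof(*un));
	memset(ck, 0, sizeof(*ck));
	raw_event_unchecked(un, backing, size);       /* sums 4 real + 196 stale bytes */
	return raw_event_checked(ck, backing, size);  /* -EINVAL, reads no payload */
}

/* Same report with an honest length byte: both handlers agree. */
static int run_good_report(struct mcp_model *un, struct mcp_model *ck)
{
	const u8 report[8] = { 0x91, 0x00, 0x00, 4, 'a', 'b', 'c', 'd' };
	int size = (int)sizeof(report);

	memset(un, 0, sizeof(*un));
	memset(ck, 0, sizeof(*ck));
	raw_event_unchecked(un, report, size);
	return raw_event_checked(ck, report, size);   /* 0 */
}

int main(void)
{
	int rc = run_short_report(&model_un, &model_ck);

	printf("unchecked: len=%d sum=%u\n", model_un.rxlen, model_un.sum);
	printf("checked:   rc=%d rejected=%d\n", rc, model_ck.rejected);
	return 0;
}
```

In a real raw_event handler the only trustworthy bound is the `size` argument the HID core passes (for usbhid, the URB's actual transfer length); report IDs, length fields and offsets carried inside the report come from the device and must be checked against it before they are used as indices. A short report should make the handler return early, not fall through to the parsing path. Running the original report's arithmetic the same way is a quick sanity check when triaging: 0xffff88804f7dffff minus the region end 0xffff88804f7dfd40 is 0x2bf = 703, matching KASAN's "703 bytes to the right".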