================================================================== BUG: KASAN: use-after-free in mcp2221_raw_event+0xf98/0x1030 drivers/hid/hid-mcp2221.c:852 Read of size 1 at addr ffff888140aabfff by task syz.7.6384/546 CPU: 1 UID: 0 PID: 546 Comm: syz.7.6384 Not tainted 6.13.0-rc7-syzkaller-g47a836da9ca9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 mcp2221_raw_event+0xf98/0x1030 drivers/hid/hid-mcp2221.c:852 __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:285 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993 __run_hrtimer kernel/time/hrtimer.c:1739 [inline] __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x43/0xb0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0033:0x7fc455555983 Code: 00 00 00 0f 1f 40 00 41 89 fb 44 8d 56 04 4c 8d 0d 92 c6 31 00 89 f0 4c 8d 05 89 a6 31 00 89 c2 81 e2 ff 1f 00 00 49 8b 0c d1 <48> 39 f1 74 28 48 85 c9 74 29 45 38 1c 10 75 23 83 c0 01 44 39 d0 RSP: 002b:00007ffd827df698 EFLAGS: 00000202 RAX: 0000000086edb8ae RBX: 00007fc4563b5720 RCX: ffffffff86edb8ae RDX: 
00000000000018ae RSI: ffffffff86edb8ae RDI: 00000000000000ff RBP: ffffffff86edb8ae R08: 00007fc455870000 R09: 00007fc455872000 R10: 0000000086edb8b2 R11: 00000000000000ff R12: 00000000000000ff R13: 000000000000002c R14: ffffffff86edb9ac R15: 0000000000000477 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888140aabf00 pfn:0x140aab flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 dead000000000100 dead000000000122 0000000000000000 raw: ffff888140aabf00 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 23045, tgid 23045 (kworker/1:7), ts 3209217264782, free_ts 3209851667859 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558 prep_new_page mm/page_alloc.c:1566 [inline] get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3476 __alloc_pages_noprof+0x21c/0x22a0 mm/page_alloc.c:4753 alloc_pages_mpol_noprof+0xeb/0x400 mm/mempolicy.c:2269 vm_area_alloc_pages mm/vmalloc.c:3591 [inline] __vmalloc_area_node mm/vmalloc.c:3669 [inline] __vmalloc_node_range_noprof+0x724/0x1530 mm/vmalloc.c:3846 __vmalloc_node_noprof mm/vmalloc.c:3911 [inline] vmalloc_noprof+0x6b/0x90 mm/vmalloc.c:3944 dvb_dmx_init+0x196/0xba0 drivers/media/dvb-core/dvb_demux.c:1247 dvb_usbv2_adapter_dvb_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:474 [inline] dvb_usbv2_adapter_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:801 [inline] dvb_usbv2_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:866 [inline] dvb_usbv2_probe+0x1128/0x4090 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:981 usb_probe_interface+0x300/0x9c0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 
drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 page last free pid 23045 tgid 23045 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_unref_page+0x661/0xe40 mm/page_alloc.c:2659 vfree+0x174/0x950 mm/vmalloc.c:3383 dvb_usbv2_adapter_dvb_exit drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:521 [inline] dvb_usbv2_adapter_exit drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:827 [inline] dvb_usbv2_exit.isra.0+0x183/0x9f0 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:843 dvb_usbv2_probe+0x20b0/0x4090 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:993 usb_probe_interface+0x300/0x9c0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3665 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:291 Memory state around the buggy address: ffff888140aabe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888140aabf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888140aabf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888140aac000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888140aac080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
==================================================================
Reader's note (not part of the report): the faulting address ffff888140aabfff is the last byte of pfn 0x140aab, which page_owner records as already freed (refcount 0), while the shadow map shows the very next page (ffff888140aac000) as accessible; a 1-byte read at exactly page_end-1 of a freed page adjacent to a live one is consistent with either a dangling pointer or an under-indexed read from a buffer that starts on the following page — which of the two applies has to be confirmed against drivers/hid/hid-mcp2221.c:852. Note also that the page was allocated (vmalloc in dvb_dmx_init) and freed (dvb_usbv2_probe failure path -> dvb_usbv2_exit) by the dvb-usb-v2 media driver, whereas the reader is the mcp2221 HID driver, so the stack shows who recycled the page, not necessarily who owned the stale reference. The trace runs through dummy_hcd, i.e. an emulated USB device under syzkaller control; the relevant threat model is an attacker-supplied USB device driving HID input reports.