==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0xf94/0x1030 drivers/hid/hid-mcp2221.c:944
Read of size 1 at addr ffff88813285ffff by task syz.2.4429/25668
CPU: 0 UID: 0 PID: 25668 Comm: syz.2.4429 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
mcp2221_raw_event+0xf94/0x1030 drivers/hid/hid-mcp2221.c:944
__hid_input_report.constprop.0+0x311/0x450 drivers/hid/hid-core.c:2130
hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x388/0x610 drivers/usb/core/hcd.c:1661
usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x1ff/0xad0 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
handle_softirqs+0x208/0x8d0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xfa/0x160 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:finish_task_switch.isra.0+0x1e9/0x9e0 kernel/sched/core.c:5225
Code: 0f 85 5f 07 00 00 8b 0d 79 a3 4e 09 85 c9 0f 85 b9 02 00 00 48 89 df e8 35 40 f1 05 e8 00 f3 36 00 fb 65 48 8b 1d 7f 8f 43 0b <48> 8d bb 50 15 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
RSP: 0018:ffffc9000a4cfd40 EFLAGS: 00000206
RAX: 0000000000000b7b RBX: ffff88812f011d00 RCX: ffffffff8185d28f
RDX: 0000000000000000 RSI: ffffffff88d26d94 RDI: ffffffff878963e0
RBP: ffffc9000a4cfd80 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8a9d75d7 R11: 0000000000000000 R12: ffff88812f013a00
R13: 0000000000000000 R14: ffff8881f58388d8 R15: ffff8881f5839418
context_switch kernel/sched/core.c:5360 [inline]
__schedule+0x1304/0x3b90 kernel/sched/core.c:6961
__schedule_loop kernel/sched/core.c:7043 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:7058
exit_to_user_mode_loop+0x5f/0xe0 kernel/entry/common.c:31
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x3e9/0x4b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4ac8b7eba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe22988bc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007f4ac8dc5fa8 RCX: 00007f4ac8b7eba9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f4ac8dc5fa8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000b22988ebf
R10: 00007f4ac8dc5fa0 R11: 0000000000000246 R12: 00007f4ac8dc5fac
R13: 00007f4ac8dc5fa0 R14: 0000000000001d8c R15: 0000000000000004
Allocated by task 19938:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:330 [inline]
__kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:356
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x14f/0x3b0 mm/slub.c:4236
sk_prot_alloc+0x60/0x2a0 net/core/sock.c:2233
sk_alloc+0x36/0xc20 net/core/sock.c:2295
inet_create net/ipv4/af_inet.c:326 [inline]
inet_create+0x3a1/0x1040 net/ipv4/af_inet.c:252
__sock_create+0x338/0x8d0 net/socket.c:1589
sock_create net/socket.c:1647 [inline]
__sys_socket_create net/socket.c:1684 [inline]
__sys_socket+0x14d/0x260 net/socket.c:1731
__do_sys_socket net/socket.c:1745 [inline]
__se_sys_socket net/socket.c:1743 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1743
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 14:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x3e/0x50 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2417 [inline]
slab_free_after_rcu_debug+0xc9/0x2a0 mm/slub.c:4730
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0x799/0x1530 kernel/rcu/tree.c:2861
handle_softirqs+0x208/0x8d0 kernel/softirq.c:579
run_ksoftirqd kernel/softirq.c:968 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960
smpboot_thread_fn+0x3f4/0xae0 kernel/smpboot.c:160
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x5b6/0x6c0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x8c/0xa0 mm/kasan/generic.c:548
slab_free_hook mm/slub.c:2378 [inline]
slab_free mm/slub.c:4680 [inline]
kmem_cache_free+0x13b/0x470 mm/slub.c:4782
sk_prot_free net/core/sock.c:2276 [inline]
__sk_destruct+0x5d2/0x9a0 net/core/sock.c:2373
sk_destruct+0xc2/0xf0 net/core/sock.c:2401
__sk_free+0xf4/0x3e0 net/core/sock.c:2412
sk_free+0x6a/0x90 net/core/sock.c:2423
sock_put include/net/sock.h:1960 [inline]
tcp_close+0xd3/0x120 net/ipv4/tcp.c:3278
inet_release+0xea/0x200 net/ipv4/af_inet.c:435
__sock_release+0xb0/0x270 net/socket.c:649
sock_close+0x1c/0x30 net/socket.c:1439
__fput+0x402/0xb70 fs/file_table.c:468
fput_close_sync+0x118/0x210 fs/file_table.c:573
__do_sys_close fs/open.c:1587 [inline]
__se_sys_close fs/open.c:1572 [inline]
__x64_sys_close+0x8b/0x120 fs/open.c:1572
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88813285f080
which belongs to the cache TCP of size 3072
The buggy address is located 895 bytes to the right of
allocated 3072-byte region [ffff88813285f080, ffff88813285fc80)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x132858
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888133871901
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff8881072e4280 dead000000000122 0000000000000000
raw: 0000000000000000 00000000000a000a 00000000f5000000 ffff888133871901
head: 0200000000000040 ffff8881072e4280 dead000000000122 0000000000000000
head: 0000000000000000 00000000000a000a 00000000f5000000 ffff888133871901
head: 0200000000000003 ffffea0004ca1601 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 17903, tgid 17903 (syz-executor), ts 2167099854975, free_ts 2166962293934
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0xf98/0x2ce0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x259/0x21e0 mm/page_alloc.c:5148
alloc_pages_mpol+0xe4/0x410 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab mm/slub.c:2655 [inline]
new_slab+0x247/0x330 mm/slub.c:2709
___slab_alloc+0xc78/0x1680 mm/slub.c:3891
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3981
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
kmem_cache_alloc_noprof+0x1f9/0x3b0 mm/slub.c:4236
sk_prot_alloc+0x60/0x2a0 net/core/sock.c:2233
sk_alloc+0x36/0xc20 net/core/sock.c:2295
inet_create net/ipv4/af_inet.c:326 [inline]
inet_create+0x3a1/0x1040 net/ipv4/af_inet.c:252
__sock_create+0x338/0x8d0 net/socket.c:1589
sock_create net/socket.c:1647 [inline]
__sys_socket_create net/socket.c:1684 [inline]
__sys_socket+0x14d/0x260 net/socket.c:1731
__do_sys_socket net/socket.c:1745 [inline]
__se_sys_socket net/socket.c:1743 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1743
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5224 tgid 5224 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x78a/0xfd0 mm/page_alloc.c:2895
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x4e/0x70 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x14f/0x3b0 mm/slub.c:4236
getname_flags.part.0+0x4c/0x550 fs/namei.c:146
getname_flags+0x93/0xf0 include/linux/audit.h:322
do_readlinkat+0xb4/0x3a0 fs/stat.c:575
__do_sys_readlink fs/stat.c:613 [inline]
__se_sys_readlink fs/stat.c:610 [inline]
__x64_sys_readlink+0x78/0xc0 fs/stat.c:610
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
 ffff88813285fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88813285ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88813285ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff888132860000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888132860080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 0f 85 5f 07 00 00 jne 0x765
6: 8b 0d 79 a3 4e 09 mov 0x94ea379(%rip),%ecx # 0x94ea385
c: 85 c9 test %ecx,%ecx
e: 0f 85 b9 02 00 00 jne 0x2cd
14: 48 89 df mov %rbx,%rdi
17: e8 35 40 f1 05 call 0x5f14051
1c: e8 00 f3 36 00 call 0x36f321
21: fb sti
22: 65 48 8b 1d 7f 8f 43 mov %gs:0xb438f7f(%rip),%rbx # 0xb438fa9
29: 0b
* 2a: 48 8d bb 50 15 00 00 lea 0x1550(%rbx),%rdi <-- trapping instruction
31: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
38: fc ff df
3b: 48 89 fa mov %rdi,%rdx
3e: 48 rex.W
3f: c1 .byte 0xc1