==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x103c/0x10a0 drivers/hid/hid-mcp2221.c:957
Read of size 1 at addr ffff888141e77fff by task kworker/1:1/28
CPU: 1 UID: 0 PID: 28 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x13d/0x4b0 mm/kasan/report.c:482
kasan_report+0xdf/0x1d0 mm/kasan/report.c:595
mcp2221_raw_event+0x103c/0x10a0 drivers/hid/hid-mcp2221.c:957
__hid_input_report.constprop.0+0x314/0x460 drivers/hid/hid-core.c:2147
hid_irq_in+0x52e/0x6b0 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xda1/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:2005
__run_hrtimer kernel/time/hrtimer.c:1930 [inline]
__hrtimer_run_queues+0x470/0xa00 kernel/time/hrtimer.c:1994
hrtimer_run_softirq+0x17d/0x2c0 kernel/time/hrtimer.c:2011
handle_softirqs+0x1dd/0x9e0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x160/0x210 kernel/softirq.c:735
irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__read_once_word_nocheck+0x3/0x10 include/asm-generic/rwonce.h:68
Code: ff ff 48 c7 c7 58 b2 86 87 e8 99 9f a8 00 e9 1e fa ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 8b 07 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc900001e62a8 EFLAGS: 00000202
RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffffffff8b8571f0
RDX: ffffc900001e7701 RSI: ffffc900001e7798 RDI: ffffc900001e7798
RBP: ffffc900001e7798 R08: 0000000000000001 R09: 0000000000000007
R10: 0000000000000200 R11: 000000000002c457 R12: ffffc900001e6370
R13: ffffc900001e6320 R14: ffffc900001e77c8 R15: ffffc900001e6354
deref_stack_reg arch/x86/kernel/unwind_orc.c:422 [inline]
unwind_next_frame+0x1561/0x2090 arch/x86/kernel/unwind_orc.c:677
arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4569 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
kmem_cache_alloc_noprof+0x2e7/0x6a0 mm/slub.c:4905
__kernfs_new_node+0xd2/0x9f0 fs/kernfs/dir.c:664
kernfs_new_node+0x11b/0x1a0 fs/kernfs/dir.c:748
kernfs_create_link+0xcc/0x240 fs/kernfs/symlink.c:39
sysfs_do_create_link_sd+0x90/0x140 fs/sysfs/symlink.c:44
sysfs_do_create_link fs/sysfs/symlink.c:80 [inline]
sysfs_create_link+0x61/0xc0 fs/sysfs/symlink.c:92
bus_add_device+0x1e8/0x6b0 drivers/base/bus.c:576
device_add+0x9cf/0x1950 drivers/base/core.c:3648
i2c_register_adapter+0x39e/0x1210 drivers/i2c/i2c-core-base.c:1573
i2c_add_adapter drivers/i2c/i2c-core-base.c:1673 [inline]
i2c_add_adapter+0x10a/0x1a0 drivers/i2c/i2c-core-base.c:1653
devm_i2c_add_adapter+0x1b/0x90 drivers/i2c/i2c-core-base.c:1845
mcp2221_probe.cold+0x5fe/0xf06 drivers/hid/hid-mcp2221.c:1299
__hid_device_probe drivers/hid/hid-core.c:2783 [inline]
hid_device_probe+0x50e/0x800 drivers/hid/hid-core.c:2820
call_driver_probe drivers/base/dd.c:631 [inline]
really_probe+0x241/0xa60 drivers/base/dd.c:709
__driver_probe_device+0x22e/0x480 drivers/base/dd.c:871
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:901
__device_attach_driver+0x1df/0x340 drivers/base/dd.c:1029
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
__device_attach+0x1e4/0x4d0 drivers/base/dd.c:1101
device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x64/0x160 drivers/base/bus.c:613
device_add+0x1210/0x1950 drivers/base/core.c:3706
hid_add_device+0x2bf/0x440 drivers/hid/hid-core.c:2964
usbhid_probe+0xc3c/0x1230 drivers/hid/usbhid/hid-core.c:1448
usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:631 [inline]
really_probe+0x241/0xa60 drivers/base/dd.c:709
__driver_probe_device+0x22e/0x480 drivers/base/dd.c:871
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:901
__device_attach_driver+0x1df/0x340 drivers/base/dd.c:1029
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
__device_attach+0x1e4/0x4d0 drivers/base/dd.c:1101
device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x64/0x160 drivers/base/bus.c:613
device_add+0x1210/0x1950 drivers/base/core.c:3706
usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:631 [inline]
really_probe+0x241/0xa60 drivers/base/dd.c:709
__driver_probe_device+0x22e/0x480 drivers/base/dd.c:871
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:901
__device_attach_driver+0x1df/0x340 drivers/base/dd.c:1029
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
__device_attach+0x1e4/0x4d0 drivers/base/dd.c:1101
device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x64/0x160 drivers/base/bus.c:613
device_add+0x1210/0x1950 drivers/base/core.c:3706
usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x69a/0xc80 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Allocated by task 2860:
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4569 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
kmem_cache_alloc_noprof+0x2e7/0x6a0 mm/slub.c:4905
alloc_filename fs/namei.c:142 [inline]
do_getname+0x35/0x390 fs/namei.c:182
class_filename_flags_constructor include/linux/fs.h:2555 [inline]
do_readlinkat+0xa9/0x370 fs/stat.c:569
__do_sys_readlink fs/stat.c:605 [inline]
__se_sys_readlink fs/stat.c:602 [inline]
__x64_sys_readlink+0x78/0xc0 fs/stat.c:602
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 2860:
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:78
kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x43/0x70 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kmem_cache_free+0x108/0x660 mm/slub.c:6373
free_filename fs/namei.c:147 [inline]
putname+0xb1/0x110 fs/namei.c:306
class_filename_destructor include/linux/fs.h:2553 [inline]
class_filename_flags_destructor include/linux/fs.h:2555 [inline]
do_readlinkat+0x1f1/0x370 fs/stat.c:569
__do_sys_readlink fs/stat.c:605 [inline]
__se_sys_readlink fs/stat.c:602 [inline]
__x64_sys_readlink+0x78/0xc0 fs/stat.c:602
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888141e77f00
which belongs to the cache names_cache of size 192
The buggy address is located 63 bytes to the right of
allocated 192-byte region [ffff888141e77f00, ffff888141e77fc0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x141e77
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff8881012eb140 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5235, tgid 5235 (udevd), ts 1121340668075, free_ts 1121272097964
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0xf34/0x3a90 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x273/0x28a0 mm/page_alloc.c:5226
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab mm/slub.c:3467 [inline]
new_slab+0xa6/0x6b0 mm/slub.c:3525
refill_objects+0x277/0x420 mm/slub.c:7251
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x375/0x650 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
kmem_cache_alloc_noprof+0x520/0x6a0 mm/slub.c:4905
alloc_filename fs/namei.c:142 [inline]
do_getname+0x35/0x390 fs/namei.c:182
getname include/linux/fs.h:2526 [inline]
class_filename_constructor include/linux/fs.h:2553 [inline]
do_sys_openat2+0xc5/0x1e0 fs/open.c:1363
do_sys_open fs/open.c:1370 [inline]
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__x64_sys_openat+0x12d/0x210 fs/open.c:1381
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5235 tgid 5235 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x692/0xf10 mm/page_alloc.c:2943
selinux_genfs_get_sid security/selinux/hooks.c:1364 [inline]
inode_doinit_with_dentry+0x99d/0x1320 security/selinux/hooks.c:1563
selinux_d_instantiate+0x26/0x40 security/selinux/hooks.c:6662
security_d_instantiate+0x62/0xc0 security/security.c:3704
d_splice_alias_ops+0xd7/0x1320 fs/dcache.c:3074
kernfs_iop_lookup+0x23f/0x2d0 fs/kernfs/dir.c:1289
lookup_open.isra.0+0x631/0x11b0 fs/namei.c:4484
open_last_lookups fs/namei.c:4611 [inline]
path_openat+0xa98/0x31a0 fs/namei.c:4855
do_file_open+0x20e/0x430 fs/namei.c:4887
do_sys_openat2+0x10d/0x1e0 fs/open.c:1364
do_sys_open fs/open.c:1370 [inline]
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__x64_sys_openat+0x12d/0x210 fs/open.c:1381
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888141e77e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888141e77f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888141e77f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff888141e78000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888141e78080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 48 c7 c7 58 b2 86 87 mov $0xffffffff8786b258,%rdi
7: e8 99 9f a8 00 call 0xa89fa5
c: e9 1e fa ff ff jmp 0xfffffa2f
11: 0f 1f 40 00 nopl 0x0(%rax)
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: 90 nop
20: 90 nop
21: 90 nop
22: 90 nop
23: 90 nop
24: 90 nop
25: 48 8b 07 mov (%rdi),%rax
* 28: c3 ret <-- trapping instruction
29: cc int3
2a: cc int3
2b: cc int3
2c: cc int3
2d: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
34: 00
35: 90 nop
36: 90 nop
37: 90 nop
38: 90 nop
39: 90 nop
3a: 90 nop
3b: 90 nop
3c: 90 nop
3d: 90 nop