==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x103c/0x10a0 drivers/hid/hid-mcp2221.c:950
Read of size 1 at addr ffff888124f1ffff by task syz.2.6941/2151
CPU: 0 UID: 0 PID: 2151 Comm: syz.2.6941 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x156/0x4c9 mm/kasan/report.c:482
kasan_report+0xdf/0x1e0 mm/kasan/report.c:595
mcp2221_raw_event+0x103c/0x10a0 drivers/hid/hid-mcp2221.c:950
__hid_input_report.constprop.0+0x314/0x460 drivers/hid/hid-core.c:2140
hid_irq_in+0x52e/0x6b0 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xda1/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:2005
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:179 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194
Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 96 5c 22 fa 48 89 df e8 7e ac 22 fa f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 <bf> 01 00 00 00 e8 b5 23 16 fa 65 8b 05 5e ef 88 05 85 c0 74 16 5b
RSP: 0018:ffffc9000821fdd8 EFLAGS: 00000246
RAX: 0000000000000006 RBX: ffff888140d64008 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff89024ebf RDI: ffffffff87afd320
RBP: 0000000000000283 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000001162838 R12: 0000000000000283
R13: ffff888140d64008 R14: ffff888140d6414c R15: 0000000000000000
spin_unlock_irqrestore include/linux/spinlock.h:407 [inline]
raw_ioctl_ep0_stall drivers/usb/gadget/legacy/raw_gadget.c:836 [inline]
raw_ioctl+0x1309/0x2b80 drivers/usb/gadget/legacy/raw_gadget.c:1340
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4b924ec4ab
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007f4b90f3cf00 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f4b924ec4ab
RDX: 0000000000000000 RSI: 0000000000005501 RDI: 0000000000000004
RBP: 00007f4b90f3dfd0 R08: 0000000000000001 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000200000000000 R14: 0000000000000001 R15: 0000000000000868
Allocated by task 31948:
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5260 [inline]
__kmalloc_node_track_caller_noprof+0x306/0x800 mm/slub.c:5368
kmemdup_noprof+0x29/0x60 mm/util.c:138
kmemdup_noprof include/linux/fortify-string.h:763 [inline]
__addrconf_sysctl_register+0xbb/0x360 net/ipv6/addrconf.c:7309
addrconf_sysctl_register net/ipv6/addrconf.c:7375 [inline]
addrconf_sysctl_register+0x163/0x200 net/ipv6/addrconf.c:7364
ipv6_add_dev+0xaf1/0x14b0 net/ipv6/addrconf.c:459
addrconf_notify+0x563/0x19d0 net/ipv6/addrconf.c:3654
notifier_call_chain+0x99/0x420 kernel/notifier.c:85
call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249
call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
call_netdevice_notifiers net/core/dev.c:2301 [inline]
register_netdevice+0x176d/0x2020 net/core/dev.c:11479
register_netdev+0x34/0x50 net/core/dev.c:11557
sit_init_net+0x2c0/0x5c0 net/ipv6/sit.c:1859
ops_init+0x1e2/0x5f0 net/core/net_namespace.c:137
setup_net+0x118/0x3a0 net/core/net_namespace.c:446
copy_net_ns+0x440/0x780 net/core/net_namespace.c:581
create_new_namespaces+0x3ea/0xc00 kernel/nsproxy.c:130
unshare_nsproxy_namespaces+0xc3/0x1f0 kernel/nsproxy.c:226
ksys_unshare+0x473/0xad0 kernel/fork.c:3173
__do_sys_unshare kernel/fork.c:3244 [inline]
__se_sys_unshare kernel/fork.c:3242 [inline]
__x64_sys_unshare+0x31/0x40 kernel/fork.c:3242
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888124f1e000
which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 5111 bytes to the right of
allocated 3080-byte region [ffff888124f1e000, ffff888124f1ec08)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x124f18
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888124f19011
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff88810005d500 dead000000000100 dead000000000122
raw: 0000000000000000 0000200000040004 00000000f5000000 ffff888124f19011
head: 0200000000000040 ffff88810005d500 dead000000000100 dead000000000122
head: 0000000000000000 0000200000040004 00000000f5000000 ffff888124f19011
head: 0200000000000003 ffffea000493c601 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5228, tgid 5228 (udevd), ts 1787990549722, free_ts 1610713736925
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
prep_new_page mm/page_alloc.c:1897 [inline]
get_page_from_freelist+0xf10/0x39f0 mm/page_alloc.c:3962
__alloc_frozen_pages_noprof+0x273/0x2860 mm/page_alloc.c:5250
alloc_slab_page mm/slub.c:3292 [inline]
allocate_slab mm/slub.c:3481 [inline]
new_slab+0xa6/0x6c0 mm/slub.c:3539
refill_objects+0x26b/0x400 mm/slub.c:7175
refill_sheaf mm/slub.c:2812 [inline]
__pcs_replace_empty_main+0x1ab/0x660 mm/slub.c:4615
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kvmalloc_node_noprof+0x72c/0x950 mm/slub.c:6752
seq_buf_alloc fs/seq_file.c:39 [inline]
seq_read_iter+0x819/0x1270 fs/seq_file.c:211
kernfs_fop_read_iter+0x46c/0x610 fs/kernfs/file.c:297
new_sync_read fs/read_write.c:493 [inline]
vfs_read+0x825/0xb30 fs/read_write.c:574
ksys_read+0x12a/0x250 fs/read_write.c:717
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 1122 tgid 1122 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1433 [inline]
__free_pages_ok+0x733/0xea0 mm/page_alloc.c:1614
hcd_buffer_free+0x1c3/0x260 drivers/usb/core/buffer.c:163
usb_free_coherent+0x69/0x80 drivers/usb/core/usb.c:1033
usb_free_stream_buffers.isra.0+0x157/0x2b0 drivers/media/usb/dvb-usb/usb-urb.c:100
usb_urb_exit+0x210/0x2d0 drivers/media/usb/dvb-usb/usb-urb.c:253
dvb_usb_adapter_stream_exit+0x82/0xf0 drivers/media/usb/dvb-usb/dvb-usb-urb.c:120
dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:129 [inline]
dvb_usb_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:143 [inline]
dvb_usb_device_exit+0x25f/0x520 drivers/media/usb/dvb-usb/dvb-usb-init.c:338
usb_unbind_interface+0x1dd/0x9e0 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:633 [inline]
device_remove+0x12a/0x180 drivers/base/dd.c:625
__device_release_driver drivers/base/dd.c:1344 [inline]
device_release_driver_internal+0x44e/0x620 drivers/base/dd.c:1367
bus_remove_device+0x2bc/0x560 drivers/base/bus.c:657
device_del+0x376/0x9b0 drivers/base/core.c:3880
usb_disable_device+0x367/0x810 drivers/usb/core/message.c:1478
usb_disconnect+0x2e2/0x9a0 drivers/usb/core/hub.c:2345
hub_port_connect drivers/usb/core/hub.c:5407 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x1d0c/0x4af0 drivers/usb/core/hub.c:5953
process_one_work+0xa23/0x19a0 kernel/workqueue.c:3276
Memory state around the buggy address:
ffff888124f1fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888124f1ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888124f1ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888124f20000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888124f20080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: f5 cmc
1: 53 push %rbx
2: 48 8b 74 24 10 mov 0x10(%rsp),%rsi
7: 48 89 fb mov %rdi,%rbx
a: 48 83 c7 18 add $0x18,%rdi
e: e8 96 5c 22 fa call 0xfa225ca9
13: 48 89 df mov %rbx,%rdi
16: e8 7e ac 22 fa call 0xfa22ac99
1b: f7 c5 00 02 00 00 test $0x200,%ebp
21: 75 23 jne 0x46
23: 9c pushf
24: 58 pop %rax
25: f6 c4 02 test $0x2,%ah
28: 75 37 jne 0x61
* 2a: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction
2f: e8 b5 23 16 fa call 0xfa1623e9
34: 65 8b 05 5e ef 88 05 mov %gs:0x588ef5e(%rip),%eax # 0x588ef99
3b: 85 c0 test %eax,%eax
3d: 74 16 je 0x55
3f: 5b pop %rbx