==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x103c/0x10a0 drivers/hid/hid-mcp2221.c:948
Read of size 1 at addr ffff88811bf7ffff by task kworker/0:2/2277

CPU: 0 UID: 0 PID: 2277 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: events legacy_dvb_usb_read_remote_control
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x156/0x4c9 mm/kasan/report.c:482
 kasan_report+0xdf/0x1e0 mm/kasan/report.c:595
 mcp2221_raw_event+0x103c/0x10a0 drivers/hid/hid-mcp2221.c:948
 __hid_input_report.constprop.0+0x314/0x460 drivers/hid/hid-core.c:2139
 hid_irq_in+0x52e/0x6b0 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
 dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
 __hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
 handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:console_flush_one_record+0xac3/0xe50 kernel/printk/printk.c:3270
Code: 00 e8 51 5d 28 00 9c 5d 81 e5 00 02 00 00 31 ff 48 89 ee e8 7f 65 20 00 48 85 ed 0f 85 d7 01 00 00 e8 91 6a 20 00 fb 4c 89 e8 <48> c1 e8 03 42 80 3c 38 00 0f 85 64 03 00 00 48 8b 0c 24 48 8b 6b
RSP: 0018:ffffc900058ff830 EFLAGS: 00000293
RAX: ffffffff89c75f58 RBX: ffffffff89c75f00 RCX: ffffffff81914f61
RDX: ffff888114e95700 RSI: ffffffff81914f6f RDI: ffff888114e95700
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000190d4
R13: ffffffff89c75f58 R14: ffffc900058ff8b0 R15: dffffc0000000000
 console_flush_all kernel/printk/printk.c:3343 [inline]
 __console_flush_and_unlock kernel/printk/printk.c:3373 [inline]
 console_unlock+0x103/0x260 kernel/printk/printk.c:3413
 vprintk_emit+0x407/0x6b0 kernel/printk/printk.c:2479
 _printk+0xcf/0x110 kernel/printk/printk.c:2504
 legacy_dvb_usb_read_remote_control.cold+0x11/0x16 drivers/media/usb/dvb-usb/dvb-usb-remote.c:124
 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275
 process_scheduled_works kernel/workqueue.c:3358 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3439
 kthread+0x370/0x450 kernel/kthread.c:467
 ret_from_fork+0x6c3/0xcb0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 5204:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2e7/0x6a0 mm/slub.c:4837
 alloc_empty_file+0x55/0x1c0 fs/file_table.c:237
 path_openat+0xe8/0x31a0 fs/namei.c:4816
 do_file_open+0x20e/0x430 fs/namei.c:4859
 do_sys_openat2+0x10d/0x1e0 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x12d/0x210 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 14:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x43/0x70 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2687 [inline]
 slab_free_after_rcu_debug+0x95/0xf0 mm/slub.c:6189
 rcu_do_batch kernel/rcu/tree.c:2617 [inline]
 rcu_core+0x5a2/0x10d0 kernel/rcu/tree.c:2869
 handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
 run_ksoftirqd kernel/softirq.c:1063 [inline]
 run_ksoftirqd+0x38/0x60 kernel/softirq.c:1055
 smpboot_thread_fn+0x3d3/0xaa0 kernel/smpboot.c:160
 kthread+0x370/0x450 kernel/kthread.c:467
 ret_from_fork+0x6c3/0xcb0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Last potentially related work creation:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_record_aux_stack+0x8c/0xa0 mm/kasan/generic.c:556
 slab_free_hook mm/slub.c:2648 [inline]
 slab_free mm/slub.c:6124 [inline]
 kmem_cache_free+0x415/0x640 mm/slub.c:6254
 file_free fs/file_table.c:79 [inline]
 __fput_deferred+0x3e6/0x490 fs/file_table.c:524
 fput_close+0x118/0x250 fs/file_table.c:586
 path_openat+0xfec/0x31a0 fs/namei.c:4839
 do_file_open+0x20e/0x430 fs/namei.c:4859
 do_sys_openat2+0x10d/0x1e0 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x12d/0x210 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88811bf7fdc0
 which belongs to the cache filp of size 360
The buggy address is located 215 bytes to the right of
 allocated 360-byte region [ffff88811bf7fdc0, ffff88811bf7ff28)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11bf7e
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888108740301
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff8881012dc3c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800120012 00000000f5000000 ffff888108740301
head: 0200000000000040 ffff8881012dc3c0 dead000000000100 dead000000000122
head: 0000000000000000 0000000800120012 00000000f5000000 ffff888108740301
head: 0200000000000001 ffffea00046fdf81 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2862, tgid 2862 (udevd), ts 21673924975, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0xf10/0x39f0 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x273/0x2860 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3255 [inline]
 allocate_slab mm/slub.c:3444 [inline]
 new_slab+0xa6/0x6e0 mm/slub.c:3502
 refill_objects+0x26b/0x400 mm/slub.c:7134
 refill_sheaf mm/slub.c:2804 [inline]
 alloc_full_sheaf mm/slub.c:2825 [inline]
 __pcs_replace_empty_main+0x19f/0x600 mm/slub.c:4588
 alloc_from_pcs mm/slub.c:4681 [inline]
 slab_alloc_node mm/slub.c:4815 [inline]
 kmem_cache_alloc_noprof+0x520/0x6a0 mm/slub.c:4837
 alloc_empty_file+0x55/0x1c0 fs/file_table.c:237
 path_openat+0xe8/0x31a0 fs/namei.c:4816
 do_file_open+0x20e/0x430 fs/namei.c:4859
 do_sys_openat2+0x10d/0x1e0 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x12d/0x210 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88811bf7fe80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811bf7ff00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
>ffff88811bf7ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88811bf80000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88811bf80080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	00 e8                	add    %ch,%al
   2:	51                   	push   %rcx
   3:	5d                   	pop    %rbp
   4:	28 00                	sub    %al,(%rax)
   6:	9c                   	pushf
   7:	5d                   	pop    %rbp
   8:	81 e5 00 02 00 00    	and    $0x200,%ebp
   e:	31 ff                	xor    %edi,%edi
  10:	48 89 ee             	mov    %rbp,%rsi
  13:	e8 7f 65 20 00       	call   0x206597
  18:	48 85 ed             	test   %rbp,%rbp
  1b:	0f 85 d7 01 00 00    	jne    0x1f8
  21:	e8 91 6a 20 00       	call   0x206ab7
  26:	fb                   	sti
  27:	4c 89 e8             	mov    %r13,%rax
* 2a:	48 c1 e8 03          	shr    $0x3,%rax <-- trapping instruction
  2e:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1)
  33:	0f 85 64 03 00 00    	jne    0x39d
  39:	48 8b 0c 24          	mov    (%rsp),%rcx
  3d:	48                   	rex.W
  3e:	8b                   	.byte 0x8b
  3f:	6b                   	.byte 0x6b