==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x106a/0x1240
Read of size 1 at addr ffff888032917fff by task syz.1.447/8702

CPU: 0 UID: 0 PID: 8702 Comm: syz.1.447 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250
 print_report+0xca/0x240
 kasan_report+0x118/0x150
 mcp2221_raw_event+0x106a/0x1240
 hid_input_report+0x40a/0x520
 hid_irq_in+0x47e/0x6d0
 __usb_hcd_giveback_urb+0x376/0x540
 dummy_timer+0x862/0x4550
 __hrtimer_run_queues+0x52c/0xc60
 hrtimer_run_softirq+0x187/0x2b0
 handle_softirqs+0x286/0x870
 __irq_exit_rcu+0xca/0x1f0
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0xa6/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110
Code: 74 05 e8 eb f9 4a f6 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4f f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 53 9f 13 f6 65 8b 05 0c 22 24 07 85 c0 74 40 48 c7 04 24 0e 36
RSP: 0018:ffffc9000430f5e0 EFLAGS: 00000206
RAX: ce568b9808dfa100 RBX: 0000000000000a02 RCX: ce568b9808dfa100
RDX: 0000000000000006 RSI: ffffffff8d9b8241 RDI: 0000000000000001
RBP: ffffc9000430f670 R08: ffffffff8fa39037 R09: 1ffffffff1f47206
R10: dffffc0000000000 R11: fffffbfff1f47207 R12: dffffc0000000000
R13: ffff888028469840 R14: ffff888028469800 R15: 1ffff92000861ebc
 __wake_up_common_lock+0x190/0x1f0
 __unix_dgram_recvmsg+0x486/0xd60
 sock_recvmsg_nosec+0x186/0x1c0
 ____sys_recvmsg+0x3aa/0x460
 ___sys_recvmsg+0x1b5/0x510
 do_recvmmsg+0x307/0x770
 __x64_sys_recvmmsg+0x190/0x240
 do_syscall_64+0xfa/0x3b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcb9a58ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcb9b4be038 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007fcb9a7c6090 RCX: 00007fcb9a58ebe9
RDX: 0000000000010106 RSI: 00002000000000c0 RDI: 0000000000000003
RBP: 00007fcb9a611e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcb9a7c6128 R14: 00007fcb9a7c6090 R15: 00007fffabe94638
 </TASK>

Allocated by task 7986:
 kasan_save_track+0x3e/0x80
 __kasan_slab_alloc+0x6c/0x80
 kmem_cache_alloc_noprof+0x1c1/0x3c0
 __kernfs_new_node+0xd7/0x7e0
 kernfs_new_node+0x102/0x210
 __kernfs_create_file+0x4b/0x2e0
 sysfs_add_file_mode_ns+0x238/0x300
 sysfs_merge_group+0x177/0x310
 dpm_sysfs_add+0xd2/0x270
 device_add+0x4d8/0xb50
 netdev_register_kobject+0x178/0x310
 register_netdevice+0x126c/0x1ae0
 register_netdev+0x40/0x60
 vti6_init_net+0x238/0x370
 ops_init+0x35c/0x5c0
 setup_net+0x10c/0x320
 copy_net_ns+0x31b/0x4d0
 create_new_namespaces+0x3f3/0x720
 unshare_nsproxy_namespaces+0x11c/0x170
 ksys_unshare+0x4c8/0x8c0
 __x64_sys_unshare+0x38/0x50
 do_syscall_64+0xfa/0x3b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888032917f00
 which belongs to the cache kernfs_node_cache of size 176
The buggy address is located 79 bytes to the right of
 allocated 176-byte region [ffff888032917f00, ffff888032917fb0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32917
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff888100014dc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000110011 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 7986, tgid 7986 (syz-executor), ts 146495161474, free_ts 146398379777
 post_alloc_hook+0x240/0x2a0
 get_page_from_freelist+0x21e4/0x22c0
 __alloc_frozen_pages_noprof+0x181/0x370
 alloc_pages_mpol+0x232/0x4a0
 allocate_slab+0x8a/0x370
 ___slab_alloc+0xbeb/0x1410
 kmem_cache_alloc_noprof+0x283/0x3c0
 __kernfs_new_node+0xd7/0x7e0
 kernfs_new_node+0x102/0x210
 __kernfs_create_file+0x4b/0x2e0
 sysfs_add_file_mode_ns+0x238/0x300
 internal_create_group+0x66d/0x1110
 sysfs_create_groups+0x59/0x120
 device_add_attrs+0x1c4/0x5a0
 device_add+0x496/0xb50
 netdev_register_kobject+0x178/0x310
page last free pid 7600 tgid 7600 stack trace:
 free_unref_folios+0xdbd/0x1520
 folios_put_refs+0x559/0x640
 truncate_inode_pages_range+0x346/0xda0
 blkdev_flush_mapping+0x108/0x270
 bdev_release+0x417/0x650
 blkdev_release+0x15/0x20
 __fput+0x44c/0xa70
 task_work_run+0x1d4/0x260
 exit_to_user_mode_loop+0xec/0x110
 do_syscall_64+0x2bd/0x3b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888032917e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888032917f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888032917f80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff888032918000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888032918080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
