Hi, While fuzzing we observed the crash "BUG: unable to handle kernel paging request in usb_start_wait_urb". We acknowledge that this report is somewhat late and apologize for the delay. Unfortunately we have not yet found a reproducer for the crash; we will follow up if we obtain one or have any other update. The full crash report is attached below. One observation that may help triage: the faulting instruction is the SLUB freelist dereference inside kmalloc (get_freepointer_safe, reached from the kzalloc in rh_call_control). The freelist head in R12, 0xffff8800302e7465, from which the next-free pointer is loaded at offset RBX=8, is not 8-byte aligned, which suggests the freelist of this kmalloc cache was corrupted earlier (e.g. by an out-of-bounds write or use-after-free on a neighbouring object). The USB resume path is therefore likely the victim of that corruption rather than necessarily its cause, so the underlying bug may be elsewhere; running the fuzzer under KASAN and/or slub_debug=FZP should catch the original corruption at the point it happens. Best regards, Dae R. Jeong ----- - Kernel version: 6.2-rc1 (the oops header below reports 6.2.0-rc7-32171-g7f09e8f6ebfb) - Crash report: BUG: unable to handle page fault for address: ffff8800302e746d #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 8679 Comm: kworker/1:3 Not tainted 6.2.0-rc7-32171-g7f09e8f6ebfb #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: pm hcd_resume_work RIP: 0010:freelist_dereference mm/slub.c:388 [inline] RIP: 0010:get_freepointer mm/slub.c:395 [inline] RIP: 0010:get_freepointer_safe mm/slub.c:422 [inline] RIP: 0010:__slab_alloc_node mm/slub.c:3347 [inline] RIP: 0010:slab_alloc_node mm/slub.c:3442 [inline] RIP: 0010:__kmem_cache_alloc_node+0x1b6/0x430 mm/slub.c:3491 Code: 48 89 df e8 6c 25 e7 ff 49 c1 ed 3a 44 3b 6d c0 0f 85 08 01 00 00 41 8b 5e 28 4c 8b 6d b8 4c 89 ef e8 0e 25 e7 ff 49 8d 3c 1c <49> 8b 1c 1c e8 41 25 e7 ff 49 8d 47 08 48 89 45 a0 49 8b 06 48 89 RSP: 0018:ffff888107ef3740 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000000 RDX: 0000000000000004 RSI: ffff888008441328 RDI: ffff8800302e746d RBP: ffff888107ef37b0 R08: ffffffff83c943cc R09: ffffffff83c93f61 R10: 0000000000000002 R11: ffff888108e22180 R12: ffff8800302e7465 R13: ffff888008441328 R14: ffff888008441300 R15: 0000000000025081 FS: 0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8800302e746d CR3: 0000000010104000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __do_kmalloc_node mm/slab_common.c:967 [inline] __kmalloc+0xa6/0x290 mm/slab_common.c:981 kmalloc include/linux/slab.h:584 [inline] kzalloc include/linux/slab.h:720 [inline] rh_call_control drivers/usb/core/hcd.c:514 [inline] rh_urb_enqueue drivers/usb/core/hcd.c:848 [inline] usb_hcd_submit_urb+0x60c/0x10e0 drivers/usb/core/hcd.c:1552 usb_submit_urb+0xc3d/0xcf0 drivers/usb/core/urb.c:596 usb_start_wait_urb+0x8e/0x190 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x19d/0x250 drivers/usb/core/message.c:153 get_port_status drivers/usb/core/hub.c:584 [inline] hub_ext_port_status+0xbd/0x3c0 drivers/usb/core/hub.c:601 usb_hub_port_status drivers/usb/core/hub.c:623 [inline] hub_activate+0x50a/0x1150 drivers/usb/core/hub.c:1133 hub_resume+0x49/0x210 drivers/usb/core/hub.c:3947 usb_resume_interface drivers/usb/core/driver.c:1359 [inline] usb_resume_both+0x41e/0x640 drivers/usb/core/driver.c:1519 usb_runtime_resume+0x21/0x30 drivers/usb/core/driver.c:1977 __rpm_callback+0x185/0x2f0 drivers/base/power/runtime.c:392 rpm_callback drivers/base/power/runtime.c:446 [inline] rpm_resume+0xa80/0xf60 drivers/base/power/runtime.c:912 __pm_runtime_resume+0xe9/0x110 drivers/base/power/runtime.c:1170 pm_runtime_get_sync include/linux/pm_runtime.h:429 [inline] usb_autoresume_device+0x25/0x60 drivers/usb/core/driver.c:1707 usb_remote_wakeup+0x4a/0xa0 drivers/usb/core/hub.c:3785 hcd_resume_work+0x2d/0x40 drivers/usb/core/hcd.c:2393 process_one_work+0x281/0x6a0 kernel/workqueue.c:2289 worker_thread+0x3a5/0x6c0 kernel/workqueue.c:2436 kthread+0x13f/0x170 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> Modules linked in: CR2: ffff8800302e746d ---[ end trace 0000000000000000 ]--- RIP: 0010:freelist_dereference mm/slub.c:388 [inline] RIP: 0010:get_freepointer mm/slub.c:395 [inline] RIP: 
0010:get_freepointer_safe mm/slub.c:422 [inline] RIP: 0010:__slab_alloc_node mm/slub.c:3347 [inline] RIP: 0010:slab_alloc_node mm/slub.c:3442 [inline] RIP: 0010:__kmem_cache_alloc_node+0x1b6/0x430 mm/slub.c:3491 Code: 48 89 df e8 6c 25 e7 ff 49 c1 ed 3a 44 3b 6d c0 0f 85 08 01 00 00 41 8b 5e 28 4c 8b 6d b8 4c 89 ef e8 0e 25 e7 ff 49 8d 3c 1c <49> 8b 1c 1c e8 41 25 e7 ff 49 8d 47 08 48 89 45 a0 49 8b 06 48 89 RSP: 0018:ffff888107ef3740 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000000 RDX: 0000000000000004 RSI: ffff888008441328 RDI: ffff8800302e746d RBP: ffff888107ef37b0 R08: ffffffff83c943cc R09: ffffffff83c93f61 R10: 0000000000000002 R11: ffff888108e22180 R12: ffff8800302e7465 R13: ffff888008441328 R14: ffff888008441300 R15: 0000000000025081 FS: 0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8800302e746d CR3: 0000000010104000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 48 89 df mov %rbx,%rdi 3: e8 6c 25 e7 ff callq 0xffe72574 8: 49 c1 ed 3a shr $0x3a,%r13 c: 44 3b 6d c0 cmp -0x40(%rbp),%r13d 10: 0f 85 08 01 00 00 jne 0x11e 16: 41 8b 5e 28 mov 0x28(%r14),%ebx 1a: 4c 8b 6d b8 mov -0x48(%rbp),%r13 1e: 4c 89 ef mov %r13,%rdi 21: e8 0e 25 e7 ff callq 0xffe72534 26: 49 8d 3c 1c lea (%r12,%rbx,1),%rdi * 2a: 49 8b 1c 1c mov (%r12,%rbx,1),%rbx <-- trapping instruction 2e: e8 41 25 e7 ff callq 0xffe72574 33: 49 8d 47 08 lea 0x8(%r15),%rax 37: 48 89 45 a0 mov %rax,-0x60(%rbp) 3b: 49 8b 06 mov (%r14),%rax 3e: 48 rex.W 3f: 89 .byte 0x89