* BUG: unable to handle kernel paging request in usb_start_wait_urb
@ 2023-04-09 12:17 Dae R. Jeong
From: Dae R. Jeong @ 2023-04-09 12:17 UTC (permalink / raw)
  To: gregkh, rafael.j.wysocki, heikki.krogerus, mchehab,
	mailhol.vincent, linux-usb, linux-kernel

Hi,

We observed an issue "BUG: unable to handle kernel paging request in
usb_start_wait_urb" during fuzzing.

We acknowledge that this issue is a bit old, and we are sorry for
reporting this late. And unfortunately, we have not found a reproducer
for the crash yet. We will inform you if we have any update on this
crash.  Detailed crash information is attached below.

Best regards,
Dae R. Jeong

-----
- Kernel version:
6.2-rc1

- Crash report:
BUG: unable to handle page fault for address: ffff8800302e746d
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 8679 Comm: kworker/1:3 Not tainted 6.2.0-rc7-32171-g7f09e8f6ebfb #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: pm hcd_resume_work
RIP: 0010:freelist_dereference mm/slub.c:388 [inline]
RIP: 0010:get_freepointer mm/slub.c:395 [inline]
RIP: 0010:get_freepointer_safe mm/slub.c:422 [inline]
RIP: 0010:__slab_alloc_node mm/slub.c:3347 [inline]
RIP: 0010:slab_alloc_node mm/slub.c:3442 [inline]
RIP: 0010:__kmem_cache_alloc_node+0x1b6/0x430 mm/slub.c:3491
Code: 48 89 df e8 6c 25 e7 ff 49 c1 ed 3a 44 3b 6d c0 0f 85 08 01 00 00 41 8b 5e 28 4c 8b 6d b8 4c 89 ef e8 0e 25 e7 ff 49 8d 3c 1c <49> 8b 1c 1c e8 41 25 e7 ff 49 8d 47 08 48 89 45 a0 49 8b 06 48 89
RSP: 0018:ffff888107ef3740 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffff888008441328 RDI: ffff8800302e746d
RBP: ffff888107ef37b0 R08: ffffffff83c943cc R09: ffffffff83c93f61
R10: 0000000000000002 R11: ffff888108e22180 R12: ffff8800302e7465
R13: ffff888008441328 R14: ffff888008441300 R15: 0000000000025081
FS:  0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8800302e746d CR3: 0000000010104000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc+0xa6/0x290 mm/slab_common.c:981
 kmalloc include/linux/slab.h:584 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 rh_call_control drivers/usb/core/hcd.c:514 [inline]
 rh_urb_enqueue drivers/usb/core/hcd.c:848 [inline]
 usb_hcd_submit_urb+0x60c/0x10e0 drivers/usb/core/hcd.c:1552
 usb_submit_urb+0xc3d/0xcf0 drivers/usb/core/urb.c:596
 usb_start_wait_urb+0x8e/0x190 drivers/usb/core/message.c:58
 usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
 usb_control_msg+0x19d/0x250 drivers/usb/core/message.c:153
 get_port_status drivers/usb/core/hub.c:584 [inline]
 hub_ext_port_status+0xbd/0x3c0 drivers/usb/core/hub.c:601
 usb_hub_port_status drivers/usb/core/hub.c:623 [inline]
 hub_activate+0x50a/0x1150 drivers/usb/core/hub.c:1133
 hub_resume+0x49/0x210 drivers/usb/core/hub.c:3947
 usb_resume_interface drivers/usb/core/driver.c:1359 [inline]
 usb_resume_both+0x41e/0x640 drivers/usb/core/driver.c:1519
 usb_runtime_resume+0x21/0x30 drivers/usb/core/driver.c:1977
 __rpm_callback+0x185/0x2f0 drivers/base/power/runtime.c:392
 rpm_callback drivers/base/power/runtime.c:446 [inline]
 rpm_resume+0xa80/0xf60 drivers/base/power/runtime.c:912
 __pm_runtime_resume+0xe9/0x110 drivers/base/power/runtime.c:1170
 pm_runtime_get_sync include/linux/pm_runtime.h:429 [inline]
 usb_autoresume_device+0x25/0x60 drivers/usb/core/driver.c:1707
 usb_remote_wakeup+0x4a/0xa0 drivers/usb/core/hub.c:3785
 hcd_resume_work+0x2d/0x40 drivers/usb/core/hcd.c:2393
 process_one_work+0x281/0x6a0 kernel/workqueue.c:2289
 worker_thread+0x3a5/0x6c0 kernel/workqueue.c:2436
 kthread+0x13f/0x170 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
Modules linked in:
CR2: ffff8800302e746d
---[ end trace 0000000000000000 ]---
RIP: 0010:freelist_dereference mm/slub.c:388 [inline]
RIP: 0010:get_freepointer mm/slub.c:395 [inline]
RIP: 0010:get_freepointer_safe mm/slub.c:422 [inline]
RIP: 0010:__slab_alloc_node mm/slub.c:3347 [inline]
RIP: 0010:slab_alloc_node mm/slub.c:3442 [inline]
RIP: 0010:__kmem_cache_alloc_node+0x1b6/0x430 mm/slub.c:3491
Code: 48 89 df e8 6c 25 e7 ff 49 c1 ed 3a 44 3b 6d c0 0f 85 08 01 00 00 41 8b 5e 28 4c 8b 6d b8 4c 89 ef e8 0e 25 e7 ff 49 8d 3c 1c <49> 8b 1c 1c e8 41 25 e7 ff 49 8d 47 08 48 89 45 a0 49 8b 06 48 89
RSP: 0018:ffff888107ef3740 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffff888008441328 RDI: ffff8800302e746d
RBP: ffff888107ef37b0 R08: ffffffff83c943cc R09: ffffffff83c93f61
R10: 0000000000000002 R11: ffff888108e22180 R12: ffff8800302e7465
R13: ffff888008441328 R14: ffff888008441300 R15: 0000000000025081
FS:  0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8800302e746d CR3: 0000000010104000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 89 df             	mov    %rbx,%rdi
   3:	e8 6c 25 e7 ff       	callq  0xffe72574
   8:	49 c1 ed 3a          	shr    $0x3a,%r13
   c:	44 3b 6d c0          	cmp    -0x40(%rbp),%r13d
  10:	0f 85 08 01 00 00    	jne    0x11e
  16:	41 8b 5e 28          	mov    0x28(%r14),%ebx
  1a:	4c 8b 6d b8          	mov    -0x48(%rbp),%r13
  1e:	4c 89 ef             	mov    %r13,%rdi
  21:	e8 0e 25 e7 ff       	callq  0xffe72534
  26:	49 8d 3c 1c          	lea    (%r12,%rbx,1),%rdi
* 2a:	49 8b 1c 1c          	mov    (%r12,%rbx,1),%rbx <-- trapping instruction
  2e:	e8 41 25 e7 ff       	callq  0xffe72574
  33:	49 8d 47 08          	lea    0x8(%r15),%rax
  37:	48 89 45 a0          	mov    %rax,-0x60(%rbp)
  3b:	49 8b 06             	mov    (%r14),%rax
  3e:	48                   	rex.W
  3f:	89                   	.byte 0x89

