cm109 8-1:0.8: cm109_urb_irq_callback: urb status -71
------------[ cut here ]------------
URB ffff88802618d500 submitted while active
WARNING: CPU: 1 PID: 8662 at drivers/usb/core/urb.c:379 usb_submit_urb+0x14d5/0x1730 drivers/usb/core/urb.c:379
Modules linked in:
CPU: 1 UID: 0 PID: 8662 Comm: syz.4.615 Not tainted 6.15.0-rc5-syzkaller-00032-g0d8d44db295c #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:usb_submit_urb+0x14d5/0x1730 drivers/usb/core/urb.c:379
Code: fd eb cb bb fe ff ff ff e9 c6 f3 ff ff e8 73 36 97 fa c6 05 96 1a 4a 09 01 90 48 c7 c7 c0 16 51 8c 48 89 de e8 6c 17 57 fa 90 <0f> 0b 90 90 e9 b6 fe ff ff bb f8 ff ff ff e9 96 f3 ff ff 48 89 ef
RSP: 0018:ffffc90000590a90 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff88802618d500 RCX: ffffffff817a8f78
RDX: ffff8880228d0000 RSI: ffffffff817a8f85 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000046
R13: ffff8880654b1858 R14: 000000000000000f R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880978ec000(0063) knlGS:00000000f50c6b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000080bd5000 CR3: 00000000697d3000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
cm109_submit_ctl drivers/input/misc/cm109.c:380 [inline]
cm109_urb_irq_callback+0x2e7/0xb70 drivers/input/misc/cm109.c:431
__usb_hcd_giveback_urb+0x38a/0x6e0 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1734
dummy_timer+0x180e/0x3a20 drivers/usb/gadget/udc/dummy_hcd.c:1994
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x1ff/0xad0 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:check_kcov_mode kernel/kcov.c:185 [inline]
RIP: 0010:write_comp_data+0x3c/0x90 kernel/kcov.c:246
Code: 8b 05 c8 99 e8 11 a9 00 01 ff 00 74 1d f6 c4 01 74 67 a9 00 00 0f 00 75 60 a9 00 00 f0 00 75 59 8b 82 3c 16 00 00 85 c0 74 4f <8b> 82 18 16 00 00 83 f8 03 75 44 48 8b 82 20 16 00 00 8b 92 1c 16
RSP: 0018:ffffc900047f7610 EFLAGS: 00000246
RAX: 0000000080000001 RBX: ffffc900047f77b0 RCX: ffffffff81f0aa58
RDX: ffff8880228d0000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 00000000000005ff R14: ffff888024f4a680 R15: dffffc0000000000
xa_entry include/linux/xarray.h:1220 [inline]
xas_next_entry+0x2a8/0x3c0 include/linux/xarray.h:1725
next_uptodate_folio+0x29/0x4a0 mm/filemap.c:3553
filemap_map_pages+0x63a/0x1680 mm/filemap.c:3746
do_fault_around mm/memory.c:5476 [inline]
do_read_fault mm/memory.c:5509 [inline]
do_fault mm/memory.c:5652 [inline]
do_pte_missing+0xf1a/0x3fb0 mm/memory.c:4160
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault+0x103d/0x2a40 mm/memory.c:6140
handle_mm_fault+0x3fe/0xad0 mm/memory.c:6309
faultin_page mm/gup.c:1193 [inline]
__get_user_pages+0x771/0x36f0 mm/gup.c:1491
populate_vma_page_range+0x278/0x3a0 mm/gup.c:1929
__mm_populate+0x1d8/0x380 mm/gup.c:2032
mm_populate include/linux/mm.h:3487 [inline]
vm_mmap_pgoff+0x362/0x450 mm/util.c:584
ksys_mmap_pgoff+0x7d/0x5c0 mm/mmap.c:607
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0x73/0x120 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf7fa7579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f50c655c EFLAGS: 00000296 ORIG_RAX: 00000000000000c0
RAX: ffffffffffffffda RBX: 0000000080000000 RCX: 0000000000b36000
RDX: 0000000006ebbeef RSI: 0000000000008031 RDI: 00000000ffffffff
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
----------------
Code disassembly (best guess):
   0:   8b 05 c8 99 e8 11       mov    0x11e899c8(%rip),%eax        # 0x11e899ce
   6:   a9 00 01 ff 00          test   $0xff0100,%eax
   b:   74 1d                   je     0x2a
   d:   f6 c4 01                test   $0x1,%ah
  10:   74 67                   je     0x79
  12:   a9 00 00 0f 00          test   $0xf0000,%eax
  17:   75 60                   jne    0x79
  19:   a9 00 00 f0 00          test   $0xf00000,%eax
  1e:   75 59                   jne    0x79
  20:   8b 82 3c 16 00 00       mov    0x163c(%rdx),%eax
  26:   85 c0                   test   %eax,%eax
  28:   74 4f                   je     0x79
* 2a:   8b 82 18 16 00 00       mov    0x1618(%rdx),%eax <-- trapping instruction
  30:   83 f8 03                cmp    $0x3,%eax
  33:   75 44                   jne    0x79
  35:   48 8b 82 20 16 00 00    mov    0x1620(%rdx),%rax
  3c:   8b                      .byte 0x8b
  3d:   92                      xchg   %eax,%edx
  3e:   1c 16                   sbb    $0x16,%al