BUG: corrupted list in em28xx_init

BUG: corrupted list in em28xx_init_extension
Status: upstream: reported C repro on 2020/01/23 13:17
Reported-by: syzbot+a6969ef522a36d3344c9@syzkaller.appspotmail.com
First crash: 513d, last: 6d10h

Cause bisection: failed (bisect log)

duplicates (3):
Title	Repro	Count	Last	Reported	Patched	Status
BUG: corrupted list in corrupted (3)	C	1	365d	361d	0/22	closed as dup on 2020/06/24 12:45
WARNING in em28xx_init_extension	C	4	588d	631d	0/22	closed as dup on 2020/03/09 15:24
KASAN: use-after-free Read in em28xx_init_extension	C	4	294d	635d	0/22	closed as dup on 2020/03/09 15:23

Sample crash report:

em28xx 1-1:0.237: Audio interface 237 found (Vendor Class)
em28xx 1-1:0.237: unknown em28xx chip ID (0)
em28xx 1-1:0.237: Config register raw data: 0xfffffffb
em28xx 1-1:0.237: AC97 chip type couldn't be determined
em28xx 1-1:0.237: No AC97 audio processor
list_add corruption. prev->next should be next (ffffffff8d2483a0), but was 0000000000000000. (prev=ffff888018420250).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:26!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 3801 Comm: kworker/1:2 Not tainted 5.13.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_add_valid.cold+0x3a/0x3c lib/list_debug.c:26
Code: 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 80 eb c2 89 e8 40 a5 f2 ff 0f 0b 48 89 f1 48 c7 c7 00 eb c2 89 4c 89 e6 e8 2c a5 f2 ff <0f> 0b 48 89 ee 48 c7 c7 a0 ec c2 89 e8 1b a5 f2 ff 0f 0b 4c 89 ea
RSP: 0018:ffffc90003bfef90 EFLAGS: 00010282
RAX: 0000000000000075 RBX: ffff88801e73d000 RCX: 0000000000000000
RDX: ffff888022621c40 RSI: ffffffff815ce2a5 RDI: fffff5200077fde4
RBP: ffff888018210250 R08: 0000000000000075 R09: 0000000000000000
R10: ffffffff815c810e R11: 0000000000000000 R12: ffffffff8d2483a0
R13: ffff888018210000 R14: ffff88801821013c R15: ffff88802943f000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc963509000 CR3: 000000001856a000 CR4: 0000000000350ee0
Call Trace:
 __list_add include/linux/list.h:67 [inline]
 list_add_tail include/linux/list.h:100 [inline]
 em28xx_init_extension+0x44/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1123
 em28xx_init_dev.constprop.0+0xa8b/0x172f drivers/media/usb/em28xx/em28xx-cards.c:3630
 em28xx_usb_probe.cold+0xc23/0x2599 drivers/media/usb/em28xx/em28xx-cards.c:3979
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 really_probe+0x291/0xf60 drivers/base/dd.c:576
 driver_probe_device+0x298/0x410 drivers/base/dd.c:763
 __device_attach_driver+0x203/0x2c0 drivers/base/dd.c:870
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
 __device_attach+0x228/0x4b0 drivers/base/dd.c:938
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0xbe0/0x2100 drivers/base/core.c:3324
 usb_set_configuration+0x113f/0x1910 drivers/usb/core/message.c:2164
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
 really_probe+0x291/0xf60 drivers/base/dd.c:576
 driver_probe_device+0x298/0x410 drivers/base/dd.c:763
 __device_attach_driver+0x203/0x2c0 drivers/base/dd.c:870
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
 __device_attach+0x228/0x4b0 drivers/base/dd.c:938
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0xbe0/0x2100 drivers/base/core.c:3324
 usb_new_device.cold+0x721/0x1058 drivers/usb/core/hub.c:2556
 hub_port_connect drivers/usb/core/hub.c:5276 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5416 [inline]
 port_event drivers/usb/core/hub.c:5562 [inline]
 hub_event+0x2357/0x4330 drivers/usb/core/hub.c:5644
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2276
 process_scheduled_works kernel/workqueue.c:2338 [inline]
 worker_thread+0x82b/0x1120 kernel/workqueue.c:2424
 kthread+0x3b1/0x4a0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
---[ end trace 65e4e107b1ec47bf ]---
RIP: 0010:__list_add_valid.cold+0x3a/0x3c lib/list_debug.c:26
Code: 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 80 eb c2 89 e8 40 a5 f2 ff 0f 0b 48 89 f1 48 c7 c7 00 eb c2 89 4c 89 e6 e8 2c a5 f2 ff <0f> 0b 48 89 ee 48 c7 c7 a0 ec c2 89 e8 1b a5 f2 ff 0f 0b 4c 89 ea
RSP: 0018:ffffc90003bfef90 EFLAGS: 00010282
RAX: 0000000000000075 RBX: ffff88801e73d000 RCX: 0000000000000000
RDX: ffff888022621c40 RSI: ffffffff815ce2a5 RDI: fffff5200077fde4
RBP: ffff888018210250 R08: 0000000000000075 R09: 0000000000000000
R10: ffffffff815c810e R11: 0000000000000000 R12: ffffffff8d2483a0
R13: ffff888018210000 R14: ffff88801821013c R15: ffff88802943f000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc963513000 CR3: 000000001856a000 CR4: 0000000000350ee0

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce	2021/06/01 19:44	upstream	c2131f7e	92ead296	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/05/02 13:18	upstream	17ae69ab	92ead296	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/04/02 12:56	upstream	1678e493	92ead296	.config	log	report	syz	C

Crashes (14):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Title
ci-upstream-kasan-gce-root	2021/06/13 15:00	upstream	8ecfa36c	1ba81399	.config	log	report	syz	C	BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce	2021/03/02 18:38	upstream	7a7fd0de	92ead296	.config	log	report	syz	C	BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce	2021/02/08 01:30	upstream	b75dba7f	2ce644fc	.config	log	report	syz	C	BUG: corrupted list in em28xx_init_extension
ci2-upstream-usb	2021/01/10 00:11	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	841081d8	2c1f2513	.config	log	report	syz	C
ci2-upstream-usb	2020/12/22 10:27	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	3644e2d2	04201c06	.config	log	report	syz	C
ci2-upstream-usb	2020/07/06 03:13	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	768a0741	22f87567	.config	log	report	syz	C
ci2-upstream-usb	2020/06/09 06:39	https://github.com/google/kasan.git usb-fuzzer	2089c6ed	0d60b78a	.config	log	report	syz	C
ci2-upstream-usb	2020/05/29 01:51	https://github.com/google/kasan.git usb-fuzzer	d19c64b3	d19ed305	.config	log	report	syz	C
ci2-upstream-usb	2020/05/14 04:52	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	a885920d	.config	log	report	syz	C
ci2-upstream-usb	2020/03/06 18:04	https://github.com/google/kasan.git usb-fuzzer	d6ff8147	7fb694ef	.config	log	report	syz	C
ci2-upstream-usb	2020/03/06 14:14	https://github.com/google/kasan.git usb-fuzzer	d6ff8147	7fb694ef	.config	log	report	syz	C
ci2-upstream-usb	2020/02/29 23:47	https://github.com/google/kasan.git usb-fuzzer	d6ff8147	c88c7b75	.config	log	report	syz	C
ci2-upstream-usb	2020/01/23 03:16	https://github.com/google/kasan.git usb-fuzzer	4cc301ee	3334d684	.config	log	report	syz	C
ci2-upstream-usb	2020/01/25 01:03	https://github.com/google/kasan.git usb-fuzzer	cd234325	2e95ab33	.config	log	report