BUG: corrupted list in em28xx_init

BUG: corrupted list in em28xx_init_extension
Status: upstream: reported C repro on 2020/01/23 13:17
Reported-by: syzbot+a6969ef522a36d3344c9@syzkaller.appspotmail.com
Fix commit: media: em28xx: add missing em28xx_close_extension
Patched on: [ci-upstream-linux-next-kasan-gce-root], missing on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 606d, last: 61d

Cause bisection: failed (bisect log)

duplicates (3):
Title	Repro	Count	Last	Reported	Patched	Status
BUG: corrupted list in corrupted (3)	C	1	457d	453d	0/22	closed as dup on 2020/06/24 12:45
WARNING in em28xx_init_extension	C	4	680d	723d	0/22	closed as dup on 2020/03/09 15:24
KASAN: use-after-free Read in em28xx_init_extension	C	6	22d	727d	0/22	closed as dup on 2020/03/09 15:23

similar bugs (1):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in em28xx_init_extension	C			6	22d	727d	0/22	closed as dup on 2020/03/09 15:23

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/07/29 17:38	19m	paskripkin@gmail.com	patch	upstream	OK
2021/07/21 12:26	38m	paskripkin@gmail.com	patch	upstream	OK
2021/07/06 13:55	19m	mudongliangabcd@gmail.com		upstream	error

Sample crash report:

em28xx 1-1:0.108: Audio interface 108 found (Vendor Class)
em28xx 1-1:0.108: unknown em28xx chip ID (0)
em28xx 1-1:0.108: Config register raw data: 0xfffffffb
em28xx 1-1:0.108: AC97 chip type couldn't be determined
em28xx 1-1:0.108: No AC97 audio processor
list_add corruption. prev->next should be next (ffffffff8d430ee0), but was ffffffff85ca68b8. (prev=ffff88801cdc4250).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_add_valid+0xb6/0xc0 lib/list_debug.c:26
Code: 48 c7 c7 a0 79 93 8a 4c 89 e6 4c 89 f1 31 c0 e8 28 b3 5b fd 0f 0b 48 c7 c7 60 7a 93 8a 4c 89 f6 4c 89 e1 31 c0 e8 12 b3 5b fd <0f> 0b 0f 1f 84 00 00 00 00 00 41 57 41 56 41 54 53 49 89 fe 49 bc
RSP: 0018:ffffc90000ca66e8 EFLAGS: 00010246
RAX: 0000000000000075 RBX: ffffffff8d430ee8 RCX: de978ae683561100
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff81663b82 R09: ffffed1017389798
R10: ffffed1017389798 R11: 0000000000000000 R12: ffff88801cdc4250
R13: dffffc0000000000 R14: ffffffff8d430ee0 R15: ffff8880149bc250
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdd3e5a6740 CR3: 000000002c61d000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_add include/linux/list.h:67 [inline]
 list_add_tail include/linux/list.h:100 [inline]
 em28xx_init_extension+0x52/0x1d0 drivers/media/usb/em28xx/em28xx-core.c:1123
 em28xx_init_dev+0x8e9/0x2b40 drivers/media/usb/em28xx/em28xx-cards.c:3630
 em28xx_usb_probe+0x15b1/0x2fc0 drivers/media/usb/em28xx/em28xx-cards.c:3979
 usb_probe_interface+0x633/0xb40 drivers/usb/core/driver.c:396
 call_driver_probe+0x96/0x250 drivers/base/dd.c:517
 really_probe+0x223/0x9c0 drivers/base/dd.c:595
 __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
 driver_probe_device+0x50/0x240 drivers/base/dd.c:777
 __device_attach_driver+0x1e1/0x3b0 drivers/base/dd.c:894
 bus_for_each_drv+0x16a/0x1f0 drivers/base/bus.c:427
 __device_attach+0x301/0x560 drivers/base/dd.c:965
 bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:487
 device_add+0x1295/0x1790 drivers/base/core.c:3352
 usb_set_configuration+0x1a86/0x2100 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0x83/0x140 drivers/usb/core/generic.c:238
 usb_probe_device+0x13a/0x260 drivers/usb/core/driver.c:293
 call_driver_probe+0x96/0x250 drivers/base/dd.c:517
 really_probe+0x223/0x9c0 drivers/base/dd.c:595
 __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
 driver_probe_device+0x50/0x240 drivers/base/dd.c:777
 __device_attach_driver+0x1e1/0x3b0 drivers/base/dd.c:894
 bus_for_each_drv+0x16a/0x1f0 drivers/base/bus.c:427
 __device_attach+0x301/0x560 drivers/base/dd.c:965
 bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:487
 device_add+0x1295/0x1790 drivers/base/core.c:3352
 usb_new_device+0x108a/0x1940 drivers/usb/core/hub.c:2559
 hub_port_connect+0x1055/0x27a0 drivers/usb/core/hub.c:5300
 hub_port_connect_change+0x5d0/0xbf0 drivers/usb/core/hub.c:5440
 port_event+0xaee/0x1140 drivers/usb/core/hub.c:5586
 hub_event+0x48d/0xd80 drivers/usb/core/hub.c:5668
 process_one_work+0x833/0x10c0 kernel/workqueue.c:2276
 process_scheduled_works kernel/workqueue.c:2338 [inline]
 worker_thread+0xe28/0x1320 kernel/workqueue.c:2424
 kthread+0x453/0x480 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace 2992d227907d3a06 ]---
RIP: 0010:__list_add_valid+0xb6/0xc0 lib/list_debug.c:26
Code: 48 c7 c7 a0 79 93 8a 4c 89 e6 4c 89 f1 31 c0 e8 28 b3 5b fd 0f 0b 48 c7 c7 60 7a 93 8a 4c 89 f6 4c 89 e1 31 c0 e8 12 b3 5b fd <0f> 0b 0f 1f 84 00 00 00 00 00 41 57 41 56 41 54 53 49 89 fe 49 bc
RSP: 0018:ffffc90000ca66e8 EFLAGS: 00010246
RAX: 0000000000000075 RBX: ffffffff8d430ee8 RCX: de978ae683561100
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff81663b82 R09: ffffed1017389798
R10: ffffed1017389798 R11: 0000000000000000 R12: ffff88801cdc4250
R13: dffffc0000000000 R14: ffffffff8d430ee0 R15: ffff8880149bc250
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9f43406710 CR3: 000000002c61d000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce	2021/06/01 19:44	upstream	c2131f7e73c9	92ead296	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/05/02 13:18	upstream	17ae69aba89d	92ead296	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/04/02 12:56	upstream	1678e493d530	92ead296	.config	log	report	syz	C

Crashes (18):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Title
ci-upstream-kasan-gce-smack-root	2021/07/20 21:25	upstream	8cae8cd89f05	1b201b48	.config	log	report	syz	C	BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce-root	2021/07/11 10:11	upstream	3dbdb38e2869	8f5a7b8c	.config	log	report	syz	C	BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce-smack-root	2021/06/22 00:32	upstream	13311e74253f	aba2b2fb	.config	log	report	syz	C	BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce-root	2021/06/13 15:00	upstream	8ecfa36cd4db	1ba81399	.config	log	report	syz	C	BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce	2021/03/02 18:38	upstream	7a7fd0de4a98	92ead296	.config	log	report	syz	C	BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce	2021/02/08 01:30	upstream	b75dba7f472c	2ce644fc	.config	log	report	syz	C	BUG: corrupted list in em28xx_init_extension
ci-upstream-linux-next-kasan-gce-root	2021/07/15 18:27	linux-next	c1a6d08348fc	b9a2f64e	.config	log	report	syz	C	BUG: corrupted list in em28xx_init_extension
ci2-upstream-usb	2021/01/10 00:11	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	841081d89d5a	2c1f2513	.config	log	report	syz	C
ci2-upstream-usb	2020/12/22 10:27	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	3644e2d2dda7	04201c06	.config	log	report	syz	C
ci2-upstream-usb	2020/07/06 03:13	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	768a07412843	22f87567	.config	log	report	syz	C
ci2-upstream-usb	2020/06/09 06:39	https://github.com/google/kasan.git usb-fuzzer	2089c6ed5a17	0d60b78a	.config	log	report	syz	C
ci2-upstream-usb	2020/05/29 01:51	https://github.com/google/kasan.git usb-fuzzer	d19c64b3d097	d19ed305	.config	log	report	syz	C
ci2-upstream-usb	2020/05/14 04:52	https://github.com/google/kasan.git usb-fuzzer	059e7e0ff26c	a885920d	.config	log	report	syz	C
ci2-upstream-usb	2020/03/06 18:04	https://github.com/google/kasan.git usb-fuzzer	d6ff8147a51c	7fb694ef	.config	log	report	syz	C
ci2-upstream-usb	2020/03/06 14:14	https://github.com/google/kasan.git usb-fuzzer	d6ff8147a51c	7fb694ef	.config	log	report	syz	C
ci2-upstream-usb	2020/02/29 23:47	https://github.com/google/kasan.git usb-fuzzer	d6ff8147a51c	c88c7b75	.config	log	report	syz	C
ci2-upstream-usb	2020/01/23 03:16	https://github.com/google/kasan.git usb-fuzzer	4cc301ee04d9	3334d684	.config	log	report	syz	C
ci2-upstream-usb	2020/01/25 01:03	https://github.com/google/kasan.git usb-fuzzer	cd234325a5f1	2e95ab33	.config	log	report