BUG: corrupted list in em28xx_init

BUG: corrupted list in em28xx_init_extension
Status: upstream: reported C repro on 2020/01/23 13:17
Reported-by: syzbot+a6969ef522a36d3344c9@syzkaller.appspotmail.com
First crash: 25d, last: 23d

Sample crash report:

em28xx 1-1:0.200: Audio interface 200 found (Vendor Class)
em28xx 1-1:0.200: unknown em28xx chip ID (0)
em28xx 1-1:0.200: Config register raw data: 0xfffffffb
em28xx 1-1:0.200: AC97 chip type couldn't be determined
em28xx 1-1:0.200: No AC97 audio processor
list_add corruption. prev->next should be next (ffffffff87a1a960), but was ffffffff85a00184. (prev=ffff8881cd5e0240).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:26!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 1 PID: 94 Comm: kworker/1:2 Not tainted 5.5.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_add_valid.cold+0x3a/0x3c lib/list_debug.c:26
Code: 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 a0 fc fb 85 e8 04 17 40 ff 0f 0b 48 89 f1 48 c7 c7 20 fc fb 85 4c 89 e6 e8 f0 16 40 ff <0f> 0b 48 89 ee 48 c7 c7 c0 fd fb 85 e8 df 16 40 ff 0f 0b 4c 89 ea
RSP: 0018:ffff8881d5d570c8 EFLAGS: 00010282
RAX: 0000000000000075 RBX: ffff8881cd764120 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8129598d RDI: ffffed103abaae0b
RBP: ffff8881cd764240 R08: 0000000000000075 R09: ffffed103b666210
R10: ffffed103b66620f R11: ffff8881db33107f R12: ffffffff87a1a960
R13: ffff8881cd764000 R14: ffff8881cd76412c R15: ffff8881cd5a2000
FS:  0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7f37b26000 CR3: 00000001c5fe1000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_add include/linux/list.h:60 [inline]
 list_add_tail include/linux/list.h:93 [inline]
 em28xx_init_extension+0x44/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1125
 em28xx_init_dev.isra.0+0xa7b/0x15d8 drivers/media/usb/em28xx/em28xx-cards.c:3540
 em28xx_usb_probe.cold+0xcac/0x2515 drivers/media/usb/em28xx/em28xx-cards.c:3889
 usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361
 really_probe+0x290/0xad0 drivers/base/dd.c:548
 driver_probe_device+0x223/0x350 drivers/base/dd.c:721
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
 __device_attach+0x217/0x390 drivers/base/dd.c:894
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
 device_add+0x1459/0x1bf0 drivers/base/core.c:2487
 usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
 usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266
 really_probe+0x290/0xad0 drivers/base/dd.c:548
 driver_probe_device+0x223/0x350 drivers/base/dd.c:721
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
 __device_attach+0x217/0x390 drivers/base/dd.c:894
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
 device_add+0x1459/0x1bf0 drivers/base/core.c:2487
 usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537
 hub_port_connect drivers/usb/core/hub.c:5184 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5324 [inline]
 port_event drivers/usb/core/hub.c:5470 [inline]
 hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552
 process_one_work+0x945/0x15c0 kernel/workqueue.c:2264
 process_scheduled_works kernel/workqueue.c:2326 [inline]
 worker_thread+0x7ab/0xe20 kernel/workqueue.c:2412
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 8bae0db31a929c42 ]---
RIP: 0010:__list_add_valid.cold+0x3a/0x3c lib/list_debug.c:26
Code: 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 a0 fc fb 85 e8 04 17 40 ff 0f 0b 48 89 f1 48 c7 c7 20 fc fb 85 4c 89 e6 e8 f0 16 40 ff <0f> 0b 48 89 ee 48 c7 c7 c0 fd fb 85 e8 df 16 40 ff 0f 0b 4c 89 ea
RSP: 0018:ffff8881d5d570c8 EFLAGS: 00010282
RAX: 0000000000000075 RBX: ffff8881cd764120 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8129598d RDI: ffffed103abaae0b
RBP: ffff8881cd764240 R08: 0000000000000075 R09: ffffed103b666210
R10: ffffed103b66620f R11: ffff8881db33107f R12: ffffffff87a1a960
R13: ffff8881cd764000 R14: ffff8881cd76412c R15: ffff8881cd5a2000
FS:  0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7f37b26000 CR3: 00000001c5fe1000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (2):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci2-upstream-usb	2020/01/23 03:16	https://github.com/google/kasan.git usb-fuzzer	4cc301ee	3334d684	.config	log	report	syz	C	linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/25 01:03	https://github.com/google/kasan.git usb-fuzzer	cd234325	2e95ab33	.config	log	report			linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org