WARNING in media_create_pad

WARNING in media_create_pad_link
Status: upstream: reported C repro on 2020/05/14 20:18
Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com
First crash: 16d, last: 1d03h

Cause bisection: introduced by (bisect log):

commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Author: Andrey Konovalov <andreyknvl@google.com>
Date: Mon Feb 24 16:13:03 2020 +0000

usb: gadget: add raw-gadget interface

Crash: KASAN: use-after-free Read in __media_entity_remove_links (log)
Repro: C syz .config

Sample crash report:

usb 1-1: config 0 has 1 interface, different from the descriptor's value: 65
usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, bcdDevice=69.6a
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
usb 1-1: string descriptor 0 read error: -71
uvcvideo: Found UVC 0.00 device <unnamed> (0bd3:0555)
uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5 at drivers/media/mc/mc-entity.c:666 media_create_pad_link+0x4e2/0x650 drivers/media/mc/mc-entity.c:666
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.7.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 panic+0x2e3/0x75c kernel/panic.c:221
 __warn.cold+0x2f/0x35 kernel/panic.c:582
 report_bug+0x27b/0x2f0 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:175 [inline]
 fixup_bug arch/x86/kernel/traps.c:170 [inline]
 do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:267
 do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:media_create_pad_link+0x4e2/0x650 drivers/media/mc/mc-entity.c:666
Code: 04 b3 31 fc 44 89 e0 48 83 c4 20 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 ed b2 31 fc 0f 0b 41 bc ea ff ff ff eb da e8 de b2 31 fc <0f> 0b 41 bc ea ff ff ff eb cb e8 cf b2 31 fc 0f 0b 41 bc ea ff ff
RSP: 0018:ffffc90000cbef70 EFLAGS: 00010293
RAX: ffff8880a9598140 RBX: ffff8880a97d3070 RCX: ffffffff8541888e
RDX: 0000000000000000 RSI: ffffffff85418cf2 RDI: 0000000000000002
RBP: ffff8880a2678870 R08: ffff8880a9598140 R09: ffffed1013c0ca98
R10: ffff88809e0654bb R11: ffffed1013c0ca97 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
 uvc_mc_create_links drivers/media/usb/uvc/uvc_entity.c:50 [inline]
 uvc_mc_register_entities+0x468/0x77a drivers/media/usb/uvc/uvc_entity.c:114
 uvc_register_chains drivers/media/usb/uvc/uvc_driver.c:2103 [inline]
 uvc_probe.cold+0x23c9/0x2a44 drivers/media/usb/uvc/uvc_driver.c:2229
 usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:374
 really_probe+0x281/0x6d0 drivers/base/dd.c:520
 driver_probe_device+0x104/0x210 drivers/base/dd.c:697
 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:804
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
 __device_attach+0x21a/0x360 drivers/base/dd.c:870
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0x132d/0x1c10 drivers/base/core.c:2557
 usb_set_configuration+0xec5/0x1740 drivers/usb/core/message.c:2032
 usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
 usb_probe_device+0xc6/0x1f0 drivers/usb/core/driver.c:272
 really_probe+0x281/0x6d0 drivers/base/dd.c:520
 driver_probe_device+0x104/0x210 drivers/base/dd.c:697
 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:804
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
 __device_attach+0x21a/0x360 drivers/base/dd.c:870
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0x132d/0x1c10 drivers/base/core.c:2557
 usb_new_device.cold+0x701/0xfcf drivers/usb/core/hub.c:2554
 hub_port_connect drivers/usb/core/hub.c:5208 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]
 port_event drivers/usb/core/hub.c:5494 [inline]
 hub_event+0x1eca/0x38f0 drivers/usb/core/hub.c:5576
 process_one_work+0x965/0x16a0 kernel/workqueue.c:2268
 worker_thread+0x96/0xe20 kernel/workqueue.c:2414
 kthread+0x388/0x470 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (9):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci-upstream-kasan-gce-root	2020/05/29 22:00	upstream	75caf310	3905eaae	.config	log	report	syz	C	laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci-upstream-kasan-gce	2020/05/28 22:06	upstream	b0c3ba31	0d951763	.config	log	report	syz	C	laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci-upstream-kasan-gce-selinux-root	2020/05/21 21:34	upstream	b85051e7	1f30020f	.config	log	report	syz	C	laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci-upstream-kasan-gce-root	2020/05/21 19:55	upstream	b85051e7	1f30020f	.config	log	report	syz	C	laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci-upstream-kasan-gce-smack-root	2020/05/21 16:00	upstream	b85051e7	1f30020f	.config	log	report	syz	C	laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci-upstream-linux-next-kasan-gce-root	2020/05/28 22:01	linux-next	ff387fc2	0d951763	.config	log	report	syz	C	laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/05/28 21:37	https://github.com/google/kasan.git usb-fuzzer	d19c64b3	c7192a2f	.config	log	report	syz	C	laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/05/14 03:16	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	a885920d	.config	log	report	syz	C	laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci-upstream-kasan-gce-386	2020/05/28 22:10	upstream	b0c3ba31	0d951763	.config	log	report	syz		laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com