WARNING in media_create_pad

WARNING in media_create_pad_link
Status: upstream: reported C repro on 2020/05/14 20:18
Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com
First crash: 436d, last: 16d

Cause bisection: introduced by (bisect log) :
commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Author: Andrey Konovalov <andreyknvl@google.com>
Date: Mon Feb 24 16:13:03 2020 +0000

usb: gadget: add raw-gadget interface

Crash: KASAN: use-after-free Read in __media_entity_remove_links (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) :
commit adb6e6ac20eedcf1dce19dc75b224e63c0828ea1
Author: Bastien Nocera <hadess@hadess.net>
Date: Tue Aug 18 11:04:43 2020 +0000

USB: Also match device drivers using the ->match vfunc

Sample crash report:

usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, bcdDevice=69.6a
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
usb 1-1: language id specifier not provided by device, defaulting to English
usb 1-1: Found UVC 0.00 device <unnamed> (0bd3:0555)
uvcvideo 1-1:0.0: Entity type for entity 裼驯⇱龾极젭涋咓ష┒� was not initialized!
------------[ cut here ]------------
WARNING: CPU: 1 PID: 27 at drivers/media/mc/mc-entity.c:670 media_create_pad_link+0x503/0x660 drivers/media/mc/mc-entity.c:670
Modules linked in:
CPU: 1 PID: 27 Comm: kworker/1:1 Tainted: G        W         5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:media_create_pad_link+0x503/0x660 drivers/media/mc/mc-entity.c:670
Code: bc ea ff ff ff eb da e8 5b 86 a5 fb 0f 0b 41 bc ea ff ff ff eb cb e8 4c 86 a5 fb 0f 0b 41 bc ea ff ff ff eb bc e8 3d 86 a5 fb <0f> 0b 41 bc ea ff ff ff eb ad e8 2e 86 a5 fb 0f 0b 41 bc ea ff ff
RSP: 0018:ffffc90001036ef0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888031edf080 RCX: 0000000000000000
RDX: ffff88801195a340 RSI: ffffffff85cf3893 RDI: 0000000000000003
RBP: ffff88802f957080 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff85cf34bb R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557e783b1a88 CR3: 0000000031a52000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 uvc_mc_create_links drivers/media/usb/uvc/uvc_entity.c:50 [inline]
 uvc_mc_register_entities+0x5cd/0x910 drivers/media/usb/uvc/uvc_entity.c:151
 uv

Crashes (39):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-selinux-root	2021/07/08 07:00	upstream	3dbdb38e2869	95793bce	.config	log	report	syz	C		WARNING in media_create_pad_link
ci-upstream-kasan-gce	2021/06/20 17:36	upstream	913ec3c22ef4	aba2b2fb	.config	log	report	syz	C		WARNING in media_create_pad_link
ci-upstream-kasan-gce-smack-root	2021/05/29 07:46	upstream	5ff2756afde0	858ea628	.config	log	report	syz	C		WARNING in media_create_pad_link
ci-upstream-kasan-gce-root	2021/05/26 11:56	upstream	ad9f25d33860	54f0bcf1	.config	log	report	syz	C		WARNING in media_create_pad_link
ci-upstream-linux-next-kasan-gce-root	2021/06/20 00:46	linux-next	a1f92694393a	aba2b2fb	.config	log	report	syz	C		WARNING in media_create_pad_link
ci-upstream-kasan-gce-root	2020/05/29 22:00	upstream	75caf310d16c	3905eaae	.config	log	report	syz	C
ci-upstream-kasan-gce	2020/05/28 22:06	upstream	b0c3ba31be3e	0d951763	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2020/05/21 21:34	upstream	b85051e755b0	1f30020f	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2020/05/21 19:55	upstream	b85051e755b0	1f30020f	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/05/21 16:00	upstream	b85051e755b0	1f30020f	.config	log	report	syz	C
ci2-upstream-usb	2020/12/08 06:16	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	08a02f954b0d	51a9082e	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2020/05/28 22:01	linux-next	ff387fc20c69	0d951763	.config	log	report	syz	C
ci2-upstream-usb	2020/05/28 21:37	https://github.com/google/kasan.git usb-fuzzer	d19c64b3d097	c7192a2f	.config	log	report	syz	C
ci2-upstream-usb	2020/05/14 03:16	https://github.com/google/kasan.git usb-fuzzer	059e7e0ff26c	a885920d	.config	log	report	syz	C
ci-upstream-kasan-gce-386	2020/05/28 22:10	upstream	b0c3ba31be3e	0d951763	.config	log	report	syz
ci-upstream-kasan-gce-root	2021/04/12 23:31	upstream	d434405aaab7	bfeda1b1	.config	log	report			info	WARNING in media_create_pad_link
ci-upstream-kasan-gce-smack-root	2021/04/02 18:15	upstream	1678e493d530	6a81331a	.config	log	report			info	WARNING in media_create_pad_link
ci-upstream-kasan-gce	2021/04/02 13:53	upstream	1678e493d530	6a81331a	.config	log	report			info	WARNING in media_create_pad_link
ci-upstream-kasan-gce	2021/04/02 11:00	upstream	ffd9fb546d49	6a81331a	.config	log	report			info	WARNING in media_create_pad_link
ci-upstream-kasan-gce-386	2021/05/13 23:57	upstream	c06a2ba62fc4	80f9b418	.config	log	report			info	WARNING in media_create_pad_link
ci-upstream-kasan-gce-386	2021/05/10 05:38	upstream	6efb943b8616	bc5434be	.config	log	report			info	WARNING in media_create_pad_link
ci-upstream-kasan-gce-386	2021/05/07 05:05	upstream	d2b6f8a17919	06585184	.config	log	report			info	WARNING in media_create_pad_link
ci-upstream-kasan-gce-386	2021/04/02 16:11	upstream	1678e493d530	6a81331a	.config	log	report			info	WARNING in media_create_pad_link
ci2-upstream-usb	2021/05/09 18:02	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	31a8503589c4	bc5434be	.config	log	report			info	WARNING in media_create_pad_link
ci2-upstream-usb	2021/04/20 00:07	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	4b853c236c7b	4285c989	.config	log	report			info	WARNING in media_create_pad_link
ci2-upstream-usb	2021/04/15 16:07	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	4b853c236c7b	fcdb12ba	.config	log	report			info	WARNING in media_create_pad_link
ci2-upstream-usb	2021/04/11 10:51	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	3db53374405f	6a81331a	.config	log	report			info	WARNING in media_create_pad_link
ci2-upstream-usb	2021/04/10 09:47	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	496960274153	6a81331a	.config	log	report			info	WARNING in media_create_pad_link
ci-upstream-linux-next-kasan-gce-root	2021/04/02 11:44	linux-next	454c576c3f5e	6a81331a	.config	log	report			info	WARNING in media_create_pad_link
ci2-upstream-usb	2021/04/02 11:37	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	e5242861ec6a	6a81331a	.config	log	report			info	WARNING in media_create_pad_link
ci2-upstream-usb	2021/03/24 06:21	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	049d3db625a6	e613994b	.config	log	report			info	WARNING in media_create_pad_link
ci2-upstream-usb	2021/02/05 18:07	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	23e32a595e11	23a562df	.config	log	report			info	WARNING in media_create_pad_link
ci2-upstream-usb	2021/02/01 01:47	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	3c648d3deb0f	fc9fd31e	.config	log	report			info	WARNING in media_create_pad_link
ci-upstream-kasan-gce-root	2020/08/14 15:59	upstream	a1d21081a60d	424dd8e7	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/07/03 14:33	upstream	cd77006e01b3	bed10395	.config	log	report
ci2-upstream-usb	2020/12/13 22:10	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	a256e24021bf	8f160dd5	.config	log	report			info
ci2-upstream-usb	2020/06/28 12:22	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	b3a5ce874c26	a2cdad9d	.config	log	report
ci2-upstream-usb	2020/06/16 14:49	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	b3a9e3b9622a	4ea9d964	.config	log	report
ci2-upstream-usb	2020/06/12 17:08	https://github.com/google/kasan.git usb-fuzzer	b791d1bdf921	3036d6fd	.config	log	report