WARNING in amradio_send_cmd/usb_submit

WARNING in amradio_send_cmd/usb_submit_urb
Status: upstream: reported C repro on 2019/07/22 12:38
Reported-by: syzbot+485b10e300244dc0046c@syzkaller.appspotmail.com
First crash: 88d, last: 12d

Sample crash report:

usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=07ca, idProduct=b800, bcdDevice=d3.2a
usb 1-1: New USB device strings: Mfr=5, Product=3, SerialNumber=255
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 1 PID: 21 at drivers/usb/core/urb.c:477 usb_submit_urb+0x1188/0x13b0 /drivers/usb/core/urb.c:477
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.2.0-rc6+ #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack /lib/dump_stack.c:77 [inline]
 dump_stack+0xca/0x13e /lib/dump_stack.c:113
 panic+0x292/0x6c9 /kernel/panic.c:219
 __warn.cold+0x20/0x4b /kernel/panic.c:576
 report_bug+0x262/0x2a0 /lib/bug.c:186
 fixup_bug /arch/x86/kernel/traps.c:179 [inline]
 fixup_bug /arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0x12b/0x1e0 /arch/x86/kernel/traps.c:272
 do_invalid_op+0x32/0x40 /arch/x86/kernel/traps.c:291
 invalid_op+0x14/0x20 /arch/x86/entry/entry_64.S:986
RIP: 0010:usb_submit_urb+0x1188/0x13b0 /drivers/usb/core/urb.c:477
Code: 4d 85 ed 74 2c e8 f8 d3 f4 fd 4c 89 f7 e8 a0 51 1c ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 00 0e f7 85 e8 83 98 ca fd <0f> 0b e9 20 f4 ff ff e8 cc d3 f4 fd 4c 89 f2 48 b8 00 00 00 00 00
RSP: 0018:ffff8881d9eff090 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8127ef3d RDI: ffffed103b3dfe04
RBP: ffff8881cfd4a540 R08: ffff8881d9e36000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff8881d3629f48 R14: ffff8881cfdc80a0 R15: ffff8881d41fa300
 usb_start_wait_urb+0x108/0x2b0 /drivers/usb/core/message.c:57
 usb_bulk_msg+0x228/0x550 /drivers/usb/core/message.c:253
 amradio_send_cmd+0x2e4/0x800 /drivers/media/radio/radio-mr800.c:150
 amradio_set_mute /drivers/media/radio/radio-mr800.c:182 [inline]
 usb_amradio_init /drivers/media/radio/radio-mr800.c:414 [inline]
 usb_amradio_probe+0x409/0x6b2 /drivers/media/radio/radio-mr800.c:555
 usb_probe_interface+0x305/0x7a0 /drivers/usb/core/driver.c:361
 really_probe+0x281/0x660 /drivers/base/dd.c:509
 driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
 __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
 bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
 __device_attach+0x217/0x360 /drivers/base/dd.c:843
 bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
 device_add+0xae6/0x16f0 /drivers/base/core.c:2111
 usb_set_configuration+0xdf6/0x1670 /drivers/usb/core/message.c:2023
 generic_probe+0x9d/0xd5 /drivers/usb/core/generic.c:210
 usb_probe_device+0x99/0x100 /drivers/usb/core/driver.c:266
 really_probe+0x281/0x660 /drivers/base/dd.c:509
 driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
 __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
 bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
 __device_attach+0x217/0x360 /drivers/base/dd.c:843
 bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
 device_add+0xae6/0x16f0 /drivers/base/core.c:2111
 usb_new_device.cold+0x6a4/0xe61 /drivers/usb/core/hub.c:2536
 hub_port_connect /drivers/usb/core/hub.c:5098 [inline]
 hub_port_connect_change /drivers/usb/core/hub.c:5213 [inline]
 port_event /drivers/usb/core/hub.c:5359 [inline]
 hub_event+0x1abd/0x3550 /drivers/usb/core/hub.c:5441
 process_one_work+0x905/0x1570 /kernel/workqueue.c:2269
 worker_thread+0x96/0xe20 /kernel/workqueue.c:2415
 kthread+0x30b/0x410 /kernel/kthread.c:255
 ret_from_fork+0x24/0x30 /arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (8):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci2-upstream-usb	2019/07/19 21:26	https://github.com/google/kasan.git usb-fuzzer	6a3599ce	1656845f	.config	log	report	syz	C	gregkh@linuxfoundation.org, gustavo@embeddedor.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2019/09/02 22:40	https://github.com/google/kasan.git usb-fuzzer	eea39f24	14544a56	.config	log	report	syz	C	gregkh@linuxfoundation.org, gustavo@embeddedor.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2019/08/10 02:05	https://github.com/google/kasan.git usb-fuzzer	e96407b4	acb51638	.config	log	report	syz	C	gregkh@linuxfoundation.org, gustavo@embeddedor.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2019/10/03 16:42	https://github.com/google/kasan.git usb-fuzzer	58d5f26a	fc17ba49	.config	log	report			gregkh@linuxfoundation.org, gustavo@embeddedor.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2019/09/01 22:19	https://github.com/google/kasan.git usb-fuzzer	eea39f24	bad3cce2	.config	log	report			gregkh@linuxfoundation.org, gustavo@embeddedor.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2019/08/24 08:37	https://github.com/google/kasan.git usb-fuzzer	eea39f24	78ded196	.config	log	report			gregkh@linuxfoundation.org, gustavo@embeddedor.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2019/07/20 16:04	https://github.com/google/kasan.git usb-fuzzer	6a3599ce	1656845f	.config	log	report			gregkh@linuxfoundation.org, gustavo@embeddedor.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2019/07/19 20:57	https://github.com/google/kasan.git usb-fuzzer	6a3599ce	1656845f	.config	log	report			gregkh@linuxfoundation.org, gustavo@embeddedor.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org