WARNING in go7007_usb_onboard_write_interrupt/usb_submit

WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
Status: upstream: reported C repro on 2021/02/07 07:40
Reported-by: syzbot+d4ebc877b1223f20d5a0@syzkaller.appspotmail.com
First crash: 257d, last: 3d14h

Cause bisection: failed (bisect log)

Sample crash report:

usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 2 != type 3
WARNING: CPU: 1 PID: 29 at drivers/usb/core/urb.c:503 usb_submit_urb+0xcd2/0x1970 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 1 PID: 29 Comm: kworker/1:1 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xcd2/0x1970 drivers/usb/core/urb.c:502
Code: d8 48 c1 e8 03 42 8a 04 20 84 c0 0f 85 89 09 00 00 44 8b 03 48 c7 c7 00 d9 e2 8a 4c 89 fe 4c 89 f2 89 e9 31 c0 e8 1e ed 7f fb <0f> 0b 4c 8b 7c 24 10 4c 8b 64 24 38 8b 5c 24 28 45 89 e6 4c 89 f7
RSP: 0018:ffffc90000e4e3c0 EFLAGS: 00010246
RAX: e334f66526beff00 RBX: ffffffff8ae2d648 RCX: ffff8880161a1c40
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000002 R08: ffffffff81664f82 R09: ffffed10173a97a8
R10: ffffed10173a97a8 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff888012d9c400 R14: ffff8880173fc668 R15: ffffffff8ae378c0
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560667766160 CR3: 000000003746d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 usb_start_wait_urb+0x11a/0x550 drivers/usb/core/message.c:58
 usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
 usb_control_msg+0x281/0x470 drivers/usb/core/message.c:153
 go7007_usb_onboard_write_interrupt+0x157/0x270 drivers/media/usb/go7007/go7007-usb.c:735
 go7007_usb_interface_reset+0x13c/0x560 drivers/media/usb/go7007/go7007-usb.c:649
 go7007_load_encoder+0x289/0x520 drivers/media/usb/go7007/go7007-driver.c:107
 go7007_boot_encoder+0x2a/0xd0 drivers/media/usb/go7007/go7007-driver.c:131
 go7007_usb_probe+0x906/0x1e30 drivers/media/usb/go7007/go7007-usb.c:1161
 usb_probe_interface+0x633/0xb40 drivers/usb/core/driver.c:396
 call_driver_probe+0x96/0x250 drivers/base/dd.c:517
 really_probe+0x223/0x9b0 drivers/base/dd.c:595
 __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
 driver_probe_device+0x50/0x240 drivers/base/dd.c:777
 __device_attach_driver+0x1e1/0x3b0 drivers/base/dd.c:894
 bus_for_each_drv+0x16a/0x1f0 drivers/base/bus.c:427
 __device_attach+0x301/0x560 drivers/base/dd.c:965
 bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:487
 device_add+0x1295/0x1790 drivers/base/core.c:3355
 usb_set_configuration+0x1a86/0x2100 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0x83/0x140 drivers/usb/core/generic.c:238
 usb_probe_device+0x13a/0x260 drivers/usb/core/driver.c:293
 call_driver_probe+0x96/0x250 drivers/base/dd.c:517
 really_probe+0x223/0x9b0 drivers/base/dd.c:595
 __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
 driver_probe_device+0x50/0x240 drivers/base/dd.c:777
 __device_attach_driver+0x1e1/0x3b0 drivers/base/dd.c:894
 bus_for_each_drv+0x16a/0x1f0 drivers/base/bus.c:427
 __device_attach+0x301/0x560 drivers/base/dd.c:965
 bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:487
 device_add+0x1295/0x1790 drivers/base/core.c:3355
 usb_new_device+0x108a/0x1940 drivers/usb/core/hub.c:2563
 hub_port_connect+0x1055/0x27a0 drivers/usb/core/hub.c:5348
 hub_port_connect_change+0x5d0/0xbf0 drivers/usb/core/hub.c:5488
 port_event+0xaee/0x1140 drivers/usb/core/hub.c:5634
 hub_event+0x48d/0xd80 drivers/usb/core/hub.c:5716
 process_one_work+0x833/0x10c0 kernel/workqueue.c:2276
 worker_thread+0xac1/0x1320 kernel/workqueue.c:2422
 kthread+0x453/0x480 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
----------------
Code disassembly (best guess):
   0:	d8 48 c1             	fmuls  -0x3f(%rax)
   3:	e8 03 42 8a 04       	callq  0x48a420b
   8:	20 84 c0 0f 85 89 09 	and    %al,0x989850f(%rax,%rax,8)
   f:	00 00                	add    %al,(%rax)
  11:	44 8b 03             	mov    (%rbx),%r8d
  14:	48 c7 c7 00 d9 e2 8a 	mov    $0xffffffff8ae2d900,%rdi
  1b:	4c 89 fe             	mov    %r15,%rsi
  1e:	4c 89 f2             	mov    %r14,%rdx
  21:	89 e9                	mov    %ebp,%ecx
  23:	31 c0                	xor    %eax,%eax
  25:	e8 1e ed 7f fb       	callq  0xfb7fed48
  2a:	0f 0b                	ud2     <-- trapping instruction
  2c:	4c 8b 7c 24 10       	mov    0x10(%rsp),%r15
  31:	4c 8b 64 24 38       	mov    0x38(%rsp),%r12
  36:	8b 5c 24 28          	mov    0x28(%rsp),%ebx
  3a:	45 89 e6             	mov    %r12d,%r14d
  3d:	4c 89 f7             	mov    %r14,%rdi

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce	2021/08/02 03:39	upstream	c500bee1c5b2	6a81331a	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/07/01 05:39	upstream	dbe69e433722	6a81331a	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/05/31 07:41	upstream	8124c8a6b353	6a81331a	.config	log	report	syz	C

Crashes (23):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-smack-root	2021/08/17 07:16	upstream	a2824f19e606	33c26cb7	.config	log	report	syz	C		WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci-upstream-kasan-gce	2021/04/09 15:16	upstream	4fa56ad0d12e	6a81331a	.config	log	report	syz	C		WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci-upstream-linux-next-kasan-gce-root	2021/09/19 01:32	linux-next	9004fd387338	70b76c1d	.config	log	report	syz	C		WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/02/03 08:18	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	64eaa0fa66ac	624dad51	.config	log	report	syz	C		WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci-upstream-kasan-gce	2021/04/26 07:44	upstream	9f4ad9e425a1	2a82f1b3	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/10/15 09:21	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	660a92a59b9e	aab7690b	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/10/12 22:33	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	620b74d01b9d	08362356	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/10/09 01:13	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	2c52ad743fee	efe0f24d	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/09/22 14:52	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	8217f07a5023	8cac236e	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/09/15 03:03	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	44a0f3bb69a3	07e953c1	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/09/03 15:37	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	1b4f3dfb4792	d236a457	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/08/29 00:53	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	9c1587d99f93	be2c130d	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/08/26 00:23	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	d7428bc26fc7	b599f2fc	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/08/25 02:12	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	bfa109d761a4	b599f2fc	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/08/22 03:41	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	e4788edc730a	b599f2fc	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/06/01 02:46	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	aa10fab0f859	032639db	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/04/28 04:54	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	4a0225c3d208	805b5003	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/03/13 03:24	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	14b02f023c09	429d8a6b	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/03/12 00:36	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	60a35ba9141f	429d8a6b	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/02/25 07:31	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	3b9cdafb5358	fcc6d71b	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/02/07 17:30	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	8cf9045b9138	2ce644fc	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/02/05 03:28	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	8dc6e6dd1bee	23a562df	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb
ci2-upstream-usb	2021/02/03 07:38	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	64eaa0fa66ac	624dad51	.config	log	report			info	WARNING in go7007_usb_onboard_write_interrupt/usb_submit_urb