bisecting cause commit starting from 291009f656e8eaebbdfd3a8d99f6b190a9ce9deb
building syzkaller on a52ee10ae11c1342cfca60cf3957619bcf92bd1a
testing commit 291009f656e8eaebbdfd3a8d99f6b190a9ce9deb with gcc (GCC) 10.2.1 20210217
kernel signature: 1ef186fdf3b441ce865fe65f74af12a41fe3782ad94651aad6f64371cb923f45
all runs: crashed: KASAN: use-after-free Read in v4l2_fh_init
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217
kernel signature: f26ae76c497d0e70a137a85addc37ce69d0bef14ff4871949878829c7ce33c78
run #0: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #1: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #2: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #3: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #4: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #5: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #6: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #7: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #8: crashed: KASAN: out-of-bounds Read in v4l2_fh_init
run #9: crashed: KASAN: use-after-free Read in v4l2_fh_init
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217
kernel signature: f6af433c65ce7c5e2234d302f1a6bbdbce86bd79c35da2556acce5b97a6766b7
run #0: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #1: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #2: crashed: KASAN: out-of-bounds Read in v4l2_fh_init
run #3: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #4: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #5: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #6: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #7: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #8: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #9: crashed: KASAN: use-after-free Read in v4l2_fh_init
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.4.1 20210217
kernel signature: 8cc8db85d854d27e25286e087aa33d6452acd9bd7fd81de81ef2cbbe37ad84c3
all runs: crashed: KASAN: use-after-free Read in v4l2_fh_init
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.4.1 20210217
kernel signature: 3845eb4ee043f760a55e8edfcbc97545f2aebc57aeacb8481f2edbaadad31014
run #0: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #1: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #2: crashed: KASAN: out-of-bounds Read in v4l2_fh_init
run #3: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #4: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #5: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #6: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #7: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #8: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #9: crashed: KASAN: out-of-bounds Read in v4l2_fh_init
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.4.1 20210217
kernel signature: ed150f5a0fabc6ed11f266145b40f9cf1f73824f02a616b86452d565d5a7fbed
all runs: OK
# git bisect start 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 7542 revisions left to test after this (roughly 13 steps)
[50a5de895dbe5df947b3a695777db5b2c313e065] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

testing commit 50a5de895dbe5df947b3a695777db5b2c313e065 with gcc (GCC) 8.4.1 20210217
kernel signature: ec152463591b708275a221b7aa42341206e53b3e390a50d6f0200043d8aeb6c2
run #0: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #1: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #2: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #3: crashed: KASAN: out-of-bounds Read in v4l2_fh_init
run #4: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #5: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #6: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #7: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #8: crashed: KASAN: use-after-free Read in v4l2_fh_init
run #9: crashed: KASAN: use-after-free Read in v4l2_fh_init
# git bisect bad 50a5de895dbe5df947b3a695777db5b2c313e065
Bisecting: 4204 revisions left to test after this (roughly 12 steps)
[56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb

testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf with gcc (GCC) 8.4.1 20210217
kernel signature: 2a32e84a7ac9624204aa0a6adf35d824795ee9daf7debc62bff6a08998f415e5
all runs: crashed: KASAN: use-after-free Read in v4l2_fh_init
# git bisect bad 56a451b780676bc1cdac011735fe2869fa2e9abf
Bisecting: 1643 revisions left to test after this (roughly 11 steps)
[49835c15a55225e9b3ff9cc9317135b334ea2d49] Merge tag 'pm-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

testing commit 49835c15a55225e9b3ff9cc9317135b334ea2d49 with gcc (GCC) 8.4.1 20210217
kernel signature: 981a840cf3ab5c893f83e9cbe4191639ee5434d36f07eb44e86ee33006cafbd9
all runs: crashed: KASAN: use-after-free Read in v4l2_fh_init
# git bisect bad 49835c15a55225e9b3ff9cc9317135b334ea2d49
Bisecting: 934 revisions left to test after this (roughly 10 steps)
[063d1942247668eb0bb800aef5afbbef337344be] Merge tag 'media/v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

testing commit 063d1942247668eb0bb800aef5afbbef337344be with gcc (GCC) 8.4.1 20210217
kernel signature: f67bfd83fdc224354f0d7f3f0400bef6c640b6afae8f32b671048fb3cb15d106
all runs: OK
# git bisect good 063d1942247668eb0bb800aef5afbbef337344be
Bisecting: 516 revisions left to test after this (roughly 9 steps)
[e681bb287f40e7a9dbcb04cef80fd87a2511ab86] staging: vt6656: Use DIV_ROUND_UP macro instead of specific code

testing commit e681bb287f40e7a9dbcb04cef80fd87a2511ab86 with gcc (GCC) 8.4.1 20210217
kernel signature: fd01ebfd48e53922be956cf01de4d43542c30cbc1fe8d9df54d0a70d750c3237
all runs: OK
# git bisect good e681bb287f40e7a9dbcb04cef80fd87a2511ab86
Bisecting: 266 revisions left to test after this (roughly 8 steps)
[db34c5ffee649e2c4c870d1031a996398a187cf5] Merge tag 'usb-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

testing commit db34c5ffee649e2c4c870d1031a996398a187cf5 with gcc (GCC) 8.4.1 20210217
kernel signature: ba1045a375f78ff84642cb4ce0cee0e189c12435713d7dfc5ebf4e753c9f424f
all runs: crashed: KASAN: use-after-free Read in v4l2_fh_init
# git bisect bad db34c5ffee649e2c4c870d1031a996398a187cf5
Bisecting: 121 revisions left to test after this (roughly 7 steps)
[a8ab3e76297ea85d92f4ee0833bd469816a13ccf] Merge tag 'usb-for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next

testing commit a8ab3e76297ea85d92f4ee0833bd469816a13ccf with gcc (GCC) 8.4.1 20210217
kernel signature: 66bbec72bb89d7f3dd40c820b9a06b53ffa51c2bf3809da949a148cc051b3eaf
all runs: crashed: KASAN: use-after-free Read in v4l2_fh_init
# git bisect bad a8ab3e76297ea85d92f4ee0833bd469816a13ccf
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[d1c6a769cdf466053ae211789f2b0671c8a72331] usb: typec: mux: Allow the mux handles to be requested with fwnode

testing commit d1c6a769cdf466053ae211789f2b0671c8a72331 with gcc (GCC) 8.4.1 20210217
kernel signature: a746f3b9bf79aef0c25c1f620985e49027d3e132773c0ce4d90f6ef1134406b7
all runs: OK
# git bisect good d1c6a769cdf466053ae211789f2b0671c8a72331
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[eeead847487f726fa177d0f4060c4f0816ad9cd9] usb: gadget: amd5536udc: fix spelling mistake "reserverd" -> "reserved"

testing commit eeead847487f726fa177d0f4060c4f0816ad9cd9 with gcc (GCC) 8.4.1 20210217
kernel signature: 732546d9ede63f555a5f976925cc28873820a2e066e966be31ea4d3e3e0692b9
all runs: crashed: KASAN: use-after-free Read in v4l2_fh_init
# git bisect bad eeead847487f726fa177d0f4060c4f0816ad9cd9
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[3d157c28d2289edf0439e8308e8de3a06acaaf0e] doc: dt: bindings: usb: dwc3: Update entries for disabling SS instances in park mode

testing commit 3d157c28d2289edf0439e8308e8de3a06acaaf0e with gcc (GCC) 8.4.1 20210217
kernel signature: 88fa0598e3cf6dde97b67c0d50dbbfe9d970d051e14dd206e0ca1b5ebb177382
all runs: OK
# git bisect good 3d157c28d2289edf0439e8308e8de3a06acaaf0e
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[0227cc84c44417a29c8102e41db8ec2c11ebc6b2] usb: dwc3: core: don't do suspend for device mode if already suspended

testing commit 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 with gcc (GCC) 8.4.1 20210217
kernel signature: 76a96987d8cc2aae15eed22e3d25a5d9abd8b44c0c4f729fbd5a9dcbdc8c1073
all runs: OK
# git bisect good 0227cc84c44417a29c8102e41db8ec2c11ebc6b2
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[95b18f28979e12539cc02f6ec4e2c776e8551f39] dt-bindings: usb: dwc2: add compatible property for rk3328 usb

testing commit 95b18f28979e12539cc02f6ec4e2c776e8551f39 with gcc (GCC) 8.4.1 20210217
kernel signature: b8ddb6899e22c24a04babffadd9a889e0dc42e5d60f724ea1353e73812df60b7
all runs: crashed: KASAN: use-after-free Read in v4l2_fh_init
# git bisect bad 95b18f28979e12539cc02f6ec4e2c776e8551f39
Bisecting: 1 revision left to test after this (roughly 1 step)
[1a0808cb9e417170ed6ab97254cf319dc3e3c310] usb: dwc2: Implement set_selfpowered()

testing commit 1a0808cb9e417170ed6ab97254cf319dc3e3c310 with gcc (GCC) 8.4.1 20210217
kernel signature: 76a96987d8cc2aae15eed22e3d25a5d9abd8b44c0c4f729fbd5a9dcbdc8c1073
all runs: OK
# git bisect good 1a0808cb9e417170ed6ab97254cf319dc3e3c310
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10] usb: gadget: add raw-gadget interface

testing commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 with gcc (GCC) 8.4.1 20210217
kernel signature: b8ddb6899e22c24a04babffadd9a889e0dc42e5d60f724ea1353e73812df60b7
all runs: crashed: KASAN: use-after-free Read in v4l2_fh_init
# git bisect bad f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 is the first bad commit
commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Author: Andrey Konovalov <andreyknvl@google.com>
Date:   Mon Feb 24 17:13:03 2020 +0100

    usb: gadget: add raw-gadget interface
    
    USB Raw Gadget is a kernel module that provides a userspace interface for
    the USB Gadget subsystem. Essentially it allows to emulate USB devices
    from userspace. Enabled with CONFIG_USB_RAW_GADGET. Raw Gadget is
    currently a strictly debugging feature and shouldn't be used in
    production.
    
    Raw Gadget is similar to GadgetFS, but provides a more low-level and
    direct access to the USB Gadget layer for the userspace. The key
    differences are:
    
    1. Every USB request is passed to the userspace to get a response, while
       GadgetFS responds to some USB requests internally based on the provided
       descriptors. However note, that the UDC driver might respond to some
       requests on its own and never forward them to the Gadget layer.
    
    2. GadgetFS performs some sanity checks on the provided USB descriptors,
       while Raw Gadget allows you to provide arbitrary data as responses to
       USB requests.
    
    3. Raw Gadget provides a way to select a UDC device/driver to bind to,
       while GadgetFS currently binds to the first available UDC.
    
    4. Raw Gadget uses predictable endpoint names (handles) across different
       UDCs (as long as UDCs have enough endpoints of each required transfer
       type).
    
    5. Raw Gadget has ioctl-based interface instead of a filesystem-based one.
    
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Felipe Balbi <balbi@kernel.org>

 Documentation/usb/index.rst            |    1 +
 Documentation/usb/raw-gadget.rst       |   61 ++
 drivers/usb/gadget/legacy/Kconfig      |   11 +
 drivers/usb/gadget/legacy/Makefile     |    1 +
 drivers/usb/gadget/legacy/raw_gadget.c | 1078 ++++++++++++++++++++++++++++++++
 include/uapi/linux/usb/raw_gadget.h    |  167 +++++
 6 files changed, 1319 insertions(+)
 create mode 100644 Documentation/usb/raw-gadget.rst
 create mode 100644 drivers/usb/gadget/legacy/raw_gadget.c
 create mode 100644 include/uapi/linux/usb/raw_gadget.h

culprit signature: b8ddb6899e22c24a04babffadd9a889e0dc42e5d60f724ea1353e73812df60b7
parent  signature: 76a96987d8cc2aae15eed22e3d25a5d9abd8b44c0c4f729fbd5a9dcbdc8c1073
revisions tested: 20, total time: 4h15m20.772652349s (build: 2h13m17.642105448s, test: 2h0m12.82422566s)
first bad commit: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 usb: gadget: add raw-gadget interface
recipients (to): ["andreyknvl@google.com" "balbi@kernel.org" "gregkh@linuxfoundation.org"]
recipients (cc): []
crash: KASAN: use-after-free Read in v4l2_fh_init
==================================================================
BUG: KASAN: use-after-free in v4l2_fh_init+0x274/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25
Read of size 8 at addr ffff8880a4ccc878 by task v4l_id/11119

CPU: 1 PID: 11119 Comm: v4l_id Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x96/0xe0 lib/dump_stack.c:118
 print_address_description.constprop.4.cold.6+0x9/0x373 mm/kasan/report.c:374
 __kasan_report.cold.7+0x7a/0x92 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 v4l2_fh_init+0x274/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25
 v4l2_fh_open+0x7b/0xa0 drivers/media/v4l2-core/v4l2-fh.c:63
 em28xx_v4l2_open+0xda/0x670 drivers/media/usb/em28xx/em28xx-video.c:2163
 v4l2_open+0x20a/0x420 drivers/media/v4l2-core/v4l2-dev.c:423
 chrdev_open+0x1d8/0x4e0 fs/char_dev.c:414
 do_dentry_open+0x3e5/0x1020 fs/open.c:797
 do_last fs/namei.c:3490 [inline]
 path_openat+0x891/0x2750 fs/namei.c:3607
 do_filp_open+0x171/0x240 fs/namei.c:3637
 do_sys_openat2+0x2b9/0x480 fs/open.c:1149
 do_sys_open+0x85/0xd0 fs/open.c:1165
 do_syscall_64+0x8e/0x4f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f8248f88840
Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
RSP: 002b:00007ffdb0ee5428 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007ffdb0ee5598 RCX: 00007f8248f88840
RDX: 00007f8248f74ea0 RSI: 0000000000000000 RDI: 00007ffdb0ee5f1e
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 000055aee69f38d0
R13: 00007ffdb0ee5590 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 10989:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.15+0xc1/0xd0 mm/kasan/common.c:488
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2542 [inline]
 em28xx_v4l2_init+0xf2/0x3470 drivers/media/usb/em28xx/em28xx-video.c:2520
 em28xx_init_extension+0x106/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1128
 process_one_work+0x8ff/0x1690 kernel/workqueue.c:2264
 process_scheduled_works kernel/workqueue.c:2326 [inline]
 worker_thread+0x546/0xb50 kernel/workqueue.c:2415
 kthread+0x31d/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 10989:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x124/0x170 mm/kasan/common.c:476
 slab_free_hook mm/slub.c:1444 [inline]
 slab_free_freelist_hook+0x53/0x140 mm/slub.c:1477
 slab_free mm/slub.c:3024 [inline]
 kfree+0xd6/0x3c0 mm/slub.c:3976
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2911 [inline]
 em28xx_v4l2_init+0x2e42/0x3470 drivers/media/usb/em28xx/em28xx-video.c:2520
 em28xx_init_extension+0x106/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1128
 process_one_work+0x8ff/0x1690 kernel/workqueue.c:2264
 process_scheduled_works kernel/workqueue.c:2326 [inline]
 worker_thread+0x546/0xb50 kernel/workqueue.c:2415
 kthread+0x31d/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880a4ccc000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2168 bytes inside of
 8192-byte region [ffff8880a4ccc000, ffff8880a4cce000)
The buggy address belongs to the page:
page:ffffea0002933200 refcount:1 mapcount:0 mapping:ffff8880b580c500 index:0x0 compound_mapcount: 0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 ffffea00028ee800 0000000200000002 ffff8880b580c500
raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a4ccc700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a4ccc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a4ccc800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8880a4ccc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a4ccc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================