syzbot


BUG: corrupted list in az6007_i2c_xfer

Status: upstream: reported C repro on 2025/04/21 01:41
Subsystems: usb media
Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com
First crash: 387d, last: 7d18h
Cause bisection: failed (error log, bisect log)
Discussions (8)
Title | Replies (including bot) | Last reply
[PATCH] media: az6007: validate I2C message length | 1 (1) | 2025/11/17 12:31
[PATCH] media: az6007: Add upper bound check to the data of device state | 3 (3) | 2025/11/03 10:06
[PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() | 3 (3) | 2025/10/14 11:03
[syzbot] [media?] BUG: corrupted list in az6007_i2c_xfer | 15 (31) | 2025/09/07 10:30
[syzbot] Monthly media report (Aug 2025) | 0 (1) | 2025/08/26 07:14
Re: [PATCH 2/2] media: dvb-usbv2: ensure safe USB transfers on disconnect in i2c_xfer | 2 (2) | 2025/08/04 15:46
[syzbot] Monthly media report (Jul 2025) | 0 (1) | 2025/07/26 20:43
[PATCH 0/2] media: dvb-usbv2: Prevent usb race condition, buffer overflow az6007 | 3 (3) | 2025/04/21 16:33
Similar bugs (1)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 BUG: corrupted list in az6007_i2c_xfer 8 1 193d 193d 0/3 auto-obsoleted due to no activity on 2025/11/27 17:33
Last patch testing requests (19)
Created | Duration | User | Patch | Repo | Result
2026/02/07 07:20 | 16m | retest repro | | upstream | error
2026/02/07 06:57 | 27m | retest repro | | upstream | report log
2026/01/24 04:10 | 22m | retest repro | | linux-next | report log
2025/09/07 10:05 | 23m | aha310510@gmail.com | patch | upstream | OK log
2025/09/07 08:26 | 24m | aha310510@gmail.com | patch | upstream | OK log
2025/09/06 16:40 | 25m | aha310510@gmail.com | patch | upstream | OK log
2025/09/06 15:24 | 32m | aha310510@gmail.com | patch | upstream | report log
2025/09/06 10:56 | 41m | aha310510@gmail.com | patch | upstream | report log
2025/09/06 10:04 | 17m | aha310510@gmail.com | patch | upstream | report log
2025/09/06 04:56 | 41m | aha310510@gmail.com | patch | upstream | report log
2025/09/06 03:32 | 15m | aha310510@gmail.com | | upstream | report log
2025/09/06 02:58 | 16m | aha310510@gmail.com | patch | upstream | report log
2025/09/05 16:06 | 40m | aha310510@gmail.com | patch | upstream | report log
2025/09/05 14:25 | 1h01m | aha310510@gmail.com | patch | upstream | report log
2025/05/05 16:51 | 17m | retest repro | | upstream | report log
2025/04/21 14:22 | 1h13m | contact@arnaud-lcm.com | patch | upstream | OK log
2025/04/21 13:46 | 32m | contact@arnaud-lcm.com | patch | upstream | error
2025/04/21 13:44 | 38m | eadavis@qq.com | patch | upstream | report log
2025/04/21 13:40 | 1m | contact@arnaud-lcm.com | patch | upstream | error
Fix bisection attempts (6)
Created | Duration | User | Patch | Repo | Result
2025/12/12 14:24 | 2h35m | bisect fix | | upstream | OK (0) job log log
2025/11/12 11:44 | 2h12m | bisect fix | | upstream | OK (0) job log log
2025/10/07 03:29 | 6h31m | bisect fix | | upstream | OK (0) job log log
2025/08/14 04:48 | 4h58m | bisect fix | | upstream | OK (0) job log log
2025/07/12 06:23 | 4h49m | bisect fix | | upstream | OK (0) job log log
2025/06/06 07:21 | 4h12m | bisect fix | | upstream | OK (0) job log log

Sample crash report:
 slab kmalloc-8k start ffff888078558000 pointer offset 80 size 8192
list_del corruption. prev->next should be ffffc900035478e0, but was ffff888078558050. (prev=ffff888078558050)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:64!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6086 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__list_del_entry_valid_or_report+0x15a/0x190 lib/list_debug.c:62
Code: e8 7b b0 54 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 1c ae 77 fd 49 8b 17 48 c7 c7 40 a9 27 8c 48 89 de 4c 89 f9 e8 77 b2 6f fc 90 <0f> 0b 4c 89 f7 e8 4c b0 54 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 ed
RSP: 0018:ffffc900035477b0 EFLAGS: 00010046
RAX: 000000000000006d RBX: ffffc900035478e0 RCX: 0c000a6a8990bb00
RDX: 0000000000000000 RSI: 0000000080000002 RDI: 0000000000000000
RBP: ffffc90003547998 R08: ffff8880b87247d3 R09: 1ffff110170e48fa
R10: dffffc0000000000 R11: ffffed10170e48fb R12: 1ffff1100f0ab00a
R13: dffffc0000000000 R14: ffff888078558050 R15: ffff888078558050
FS:  000055555f992500(0000) GS:ffff888125566000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30563fff CR3: 00000000780f8000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_del include/linux/list.h:237 [inline]
 __mutex_remove_waiter kernel/locking/mutex.c:221 [inline]
 __mutex_lock_common kernel/locking/mutex.c:742 [inline]
 __mutex_lock+0xbb1/0x1300 kernel/locking/mutex.c:776
 az6007_i2c_xfer+0x84/0xb90 drivers/media/usb/dvb-usb-v2/az6007.c:755
 __i2c_transfer+0x79a/0x2020 drivers/i2c/i2c-core-base.c:-1
 i2c_transfer+0x1cc/0x2d0 drivers/i2c/i2c-core-base.c:2317
 i2c_transfer_buffer_flags+0x10d/0x1a0 drivers/i2c/i2c-core-base.c:2345
 i2c_master_recv include/linux/i2c.h:79 [inline]
 i2cdev_read+0x10d/0x250 drivers/i2c/i2c-dev.c:155
 do_loop_readv_writev fs/read_write.c:849 [inline]
 vfs_readv+0x587/0x840 fs/read_write.c:1022
 do_preadv fs/read_write.c:1134 [inline]
 __do_sys_preadv fs/read_write.c:1181 [inline]
 __se_sys_preadv fs/read_write.c:1176 [inline]
 __x64_sys_preadv+0x19f/0x2a0 fs/read_write.c:1176
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a4639c629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff1801c938 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007f7a46615fa0 RCX: 00007f7a4639c629
RDX: 0000000000000001 RSI: 00002000000025c0 RDI: 0000000000000004
RBP: 00007f7a46432b39 R08: 000000000000007e R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7a46615fac R14: 00007f7a46615fa0 R15: 00007f7a46615fa0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x15a/0x190 lib/list_debug.c:62
Code: e8 7b b0 54 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 1c ae 77 fd 49 8b 17 48 c7 c7 40 a9 27 8c 48 89 de 4c 89 f9 e8 77 b2 6f fc 90 <0f> 0b 4c 89 f7 e8 4c b0 54 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 ed
RSP: 0018:ffffc900035477b0 EFLAGS: 00010046
RAX: 000000000000006d RBX: ffffc900035478e0 RCX: 0c000a6a8990bb00
RDX: 0000000000000000 RSI: 0000000080000002 RDI: 0000000000000000
RBP: ffffc90003547998 R08: ffff8880b87247d3 R09: 1ffff110170e48fa
R10: dffffc0000000000 R11: ffffed10170e48fb R12: 1ffff1100f0ab00a
R13: dffffc0000000000 R14: ffff888078558050 R15: ffff888078558050
FS:  000055555f992500(0000) GS:ffff888125566000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30563fff CR3: 00000000780f8000 CR4: 00000000003526f0
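
The "list_del corruption" line at the top of the report comes from the kernel's list debugging check in lib/list_debug.c, which verifies prev->next == entry and next->prev == entry before an entry is unlinked; here the entry is the mutex waiter that __mutex_lock keeps on its stack (the ffffc900... "should be" address), and the "was" address equals prev, the wait_list head at offset 80 inside the kmalloc-8k object. The following is an added user-space model of that check, not kernel or az6007 code: a device-state struct with a list head at offset 80 (layout assumed), one queued waiter, and a constructed stray overwrite that resets the head to an empty list while the waiter is still linked, which reproduces the exact shape of the diagnostic in the report.

```c
/* Added example (not kernel or az6007 source): user-space model of the
 * list_del sanity check in lib/list_debug.c.  The struct layout, the
 * waiter and the stray overwrite are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

/* Assumed heap object: 80 bytes of other fields, then the head that plays
 * mutex->wait_list, then a fixed buffer (mirrors "pointer offset 80"). */
struct dev_state {
    unsigned char    hdr[80];
    struct list_head wait_list;
    unsigned char    data[256];
};

/* Stand-in for the mutex_waiter that lives on the locker's stack. */
struct waiter { struct list_head list; int id; };

enum list_check {
    LIST_OK = 0,
    LIST_NULL_LINK,
    LIST_PREV_NEXT_MISMATCH,   /* "prev->next should be X, but was Y" */
    LIST_NEXT_PREV_MISMATCH    /* "next->prev should be X, but was Y" */
};

/* Diagnostic state from the most recent failed check. */
static char              last_msg[160];
static struct list_head *last_prev, *last_prev_next;

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev;
    n->next = head; n->prev = prev; prev->next = n; head->prev = n;
}

/* Same invariants the kernel verifies before unlinking an entry. */
static enum list_check check_del_entry(struct list_head *entry)
{
    struct list_head *prev = entry->prev, *next = entry->next;

    last_msg[0] = '\0';
    last_prev = last_prev_next = NULL;
    if (prev == NULL || next == NULL) {
        snprintf(last_msg, sizeof last_msg,
                 "list_del corruption, %p->{prev,next} is NULL", (void *)entry);
        return LIST_NULL_LINK;
    }
    if (prev->next != entry) {
        last_prev = prev;
        last_prev_next = prev->next;
        snprintf(last_msg, sizeof last_msg,
                 "list_del corruption. prev->next should be %p, but was %p. (prev=%p)",
                 (void *)entry, (void *)prev->next, (void *)prev);
        return LIST_PREV_NEXT_MISMATCH;
    }
    if (next->prev != entry) {
        snprintf(last_msg, sizeof last_msg,
                 "list_del corruption. next->prev should be %p, but was %p. (next=%p)",
                 (void *)entry, (void *)next->prev, (void *)next);
        return LIST_NEXT_PREV_MISMATCH;
    }
    return LIST_OK;
}

/* list_del() with the check in front: unlinks only when the links agree. */
static enum list_check list_del_checked(struct list_head *entry)
{
    enum list_check rc = check_del_entry(entry);
    if (rc != LIST_OK)
        return rc;
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    entry->next = entry->prev = NULL;
    return LIST_OK;
}

size_t wait_list_offset(void) { return offsetof(struct dev_state, wait_list); }

/* Queue one waiter, optionally clobber the state as a stray write that
 * re-initialises it would (constructed: zero-fill plus a fresh empty head),
 * then try to dequeue the waiter. */
enum list_check run_scenario(int clobber)
{
    static struct dev_state st;
    struct waiter w = { .id = 1 };

    memset(&st, 0, sizeof st);
    init_list_head(&st.wait_list);
    list_add_tail(&w.list, &st.wait_list);
    if (clobber) {
        memset(&st, 0, sizeof st);      /* w.list still points at st.wait_list */
        init_list_head(&st.wait_list);  /* head now claims "empty": next == prev == head */
    }
    return list_del_checked(&w.list);
}

/* True when the last failure has the report's signature: prev->next was prev
 * itself, i.e. the head was reset to empty while a waiter stayed linked. */
int last_fault_is_self_loop(void)
{
    return last_prev != NULL && last_prev == last_prev_next;
}

int main(void)
{
    printf("wait_list offset: %zu\n", wait_list_offset());
    printf("healthy:   rc=%d\n", run_scenario(0));
    printf("clobbered: rc=%d  %s\n", run_scenario(1), last_msg);
    return 0;
}
```

Reading the report with this model: the check fires in __mutex_remove_waiter because the wait_list head in the kmalloc-8k object no longer points at the waiter that was queued on it, and "was" equalling "prev" is what an empty, freshly initialised head looks like. The same syzbot bug is also reported as "UBSAN: array-index-out-of-bounds in az6007_i2c_xfer" in the crashes table below, and the patch threads listed above add a bounds check on the I2C message length and the device-state data buffer.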

Crashes (10):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2026/02/21 12:04 | upstream | a95f71ad3e2e | 6e7b5511 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | BUG: corrupted list in az6007_i2c_xfer
2026/01/09 03:38 | upstream | 79b95d74470d | d6526ea3 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | UBSAN: array-index-out-of-bounds in az6007_i2c_xfer
2025/04/21 01:40 | upstream | ac71fabf1567 | 2a20f901 | .config | strace log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | UBSAN: array-index-out-of-bounds in az6007_i2c_xfer
2026/01/09 22:56 | linux-next | f417b7ffcbef | d6526ea3 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci-upstream-rust-kasan-gce | UBSAN: array-index-out-of-bounds in az6007_i2c_xfer
2025/02/06 18:14 | upstream | 92514ef226f5 | 577d049b | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | BUG: corrupted list in az6007_i2c_xfer
2025/05/06 04:48 | upstream | 01f95500a162 | ae98e6b9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | BUG: corrupted list in az6007_i2c_xfer
2026/02/13 11:45 | upstream | cee73b1e840c | 6a673c50 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | UBSAN: array-index-out-of-bounds in az6007_i2c_xfer
2026/01/08 23:23 | upstream | 79b95d74470d | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | UBSAN: array-index-out-of-bounds in az6007_i2c_xfer
2025/04/21 00:30 | upstream | ac71fabf1567 | 2a20f901 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | UBSAN: array-index-out-of-bounds in az6007_i2c_xfer
2025/04/21 08:20 | upstream | ac71fabf1567 | 2a20f901 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | UBSAN: array-index-out-of-bounds in az6007_i2c_xfer
* Struck through repros no longer work on HEAD.