syzbot


BUG: corrupted list in usb_hcd_link_urb_to_ep (5)

Status: upstream: reported C repro on 2025/10/30 15:20
Subsystems: usb
Labels: prio:high
[Documentation on labels]
Reported-by: syzbot+e69c25cf38a53d0cf64c@syzkaller.appspotmail.com
First crash: 254d, last: 11h43m
Cause bisection: failed (error log, bisect log)
  
Fix bisection: failed (error log, bisect log)
  
✨ AI Jobs (1)
ID Workflow Result Correct Bug Created Started Finished Revision Error
fbc76818-ba89-4bbc-be08-bd4e28d418bc assessment-security DenialOfService: ✅ Exploitable: ✅ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ✅ RemoteTrigger: ❌ Unprivileged: ❌ UserNamespace: ❌ VMGuestTrigger: ❌ VMHostTrigger: ✅ BUG: corrupted list in usb_hcd_link_urb_to_ep (5) 2026/05/21 09:23 2026/05/21 09:23 2026/05/21 10:18 cf874a1cf36318c06202027159ddac14acf00db7

			
		
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [usb?] BUG: corrupted list in usb_hcd_link_urb_to_ep (5) 1 (5) 2026/07/05 10:23
Similar bugs (4)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep (4) usb 8 syz 7 406d 500d 0/29 auto-obsoleted due to no activity on 2025/09/02 03:21
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep usb 8 1 2182d 2182d 0/29 auto-closed as invalid on 2020/11/11 04:30
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep (2) usb 8 C error error 2 955d 1623d 0/29 auto-obsoleted due to no activity on 2024/03/02 17:43
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep (3) usb 8 1 763d 759d 0/29 auto-obsoleted due to no activity on 2024/08/31 17:07
Last patch testing requests (6)
Created Duration User Patch Repo Result
2026/05/28 14:11 32m retest repro linux-next log
2026/05/28 14:11 34m retest repro upstream log
2026/05/28 14:11 25m retest repro linux-next log
2026/05/28 13:35 38m retest repro linux-next log
2026/01/18 09:22 37m retest repro upstream report log
2026/01/05 04:07 25m hdanton@sina.com patch upstream OK log

Sample crash report:
list_add double add: new=ffff88801bf49818, prev=ffff88801bf49818, next=ffff888040cc4078.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:37!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 7510 Comm: syz.2.757 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:__list_add_valid_or_report+0xa5/0x130 lib/list_debug.c:35
Code: 74 12 b0 01 5b 41 5c 41 5d 41 5e 41 5f 5d e9 02 d7 79 06 cc 48 c7 c7 60 9c cb 8b 4c 89 fe 4c 89 f2 48 89 d9 e8 6c a0 50 fc 90 <0f> 0b 48 c7 c7 40 9a cb 8b e8 5d a0 50 fc 90 0f 0b 48 c7 c7 00 9b
RSP: 0018:ffffc90005a3f320 EFLAGS: 00010246
RAX: 0000000000000058 RBX: ffff888040cc4078 RCX: aa19a771139add00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 1ffff11008198810 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffff52000b47e15 R12: 1ffff110037e9303
R13: dffffc0000000000 R14: ffff88801bf49818 R15: ffff88801bf49818
FS:  00007fadf887e6c0(0000) GS:ffff888125b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0f79a3b540 CR3: 000000003c4c0000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __list_add_valid include/linux/list.h:96 [inline]
 __list_add include/linux/list.h:158 [inline]
 list_add_tail include/linux/list.h:191 [inline]
 usb_hcd_link_urb_to_ep+0x1d2/0x330 drivers/usb/core/hcd.c:1154
 dummy_urb_enqueue+0x299/0x760 drivers/usb/gadget/udc/dummy_hcd.c:1292
 usb_hcd_submit_urb+0x322/0x1b40 drivers/usb/core/hcd.c:1542
 cm109_submit_buzz_toggle drivers/input/misc/cm109.c:351 [inline]
 cm109_toggle_buzzer_async drivers/input/misc/cm109.c:484 [inline]
 cm109_input_ev+0x1d1/0x3b0 drivers/input/misc/cm109.c:615
 input_event_dispose+0x80/0x6b0 drivers/input/input.c:322
 input_inject_event+0x1fa/0x310 drivers/input/input.c:424
 kd_sound_helper+0x101/0x210 drivers/tty/vt/keyboard.c:257
 input_handler_for_each_handle+0x101/0x1c0 drivers/input/input.c:2540
 kd_mksound+0x96/0x130 drivers/tty/vt/keyboard.c:281
 handle_ascii drivers/tty/vt/vt.c:2382 [inline]
 do_con_trol drivers/tty/vt/vt.c:2699 [inline]
 do_con_write+0x2f5a/0x5540 drivers/tty/vt/vt.c:3325
 con_write+0x31/0x2e0 drivers/tty/vt/vt.c:3661
 process_output_block drivers/tty/n_tty.c:557 [inline]
 n_tty_write+0xd4f/0x11e0 drivers/tty/n_tty.c:2366
 iterate_tty_write drivers/tty/tty_io.c:1006 [inline]
 file_tty_write+0x50b/0x980 drivers/tty/tty_io.c:1081
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61e/0xbb0 fs/read_write.c:687
 ksys_write+0x156/0x270 fs/read_write.c:739
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fadf921de59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fadf887e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fadf94a5fa0 RCX: 00007fadf921de59
RDX: 000000000000045c RSI: 00002000000004c0 RDI: 0000000000000005
RBP: 00007fadf92b3e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fadf94a6038 R14: 00007fadf94a5fa0 R15: 00007ffcbb190028
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0xa5/0x130 lib/list_debug.c:35
Code: 74 12 b0 01 5b 41 5c 41 5d 41 5e 41 5f 5d e9 02 d7 79 06 cc 48 c7 c7 60 9c cb 8b 4c 89 fe 4c 89 f2 48 89 d9 e8 6c a0 50 fc 90 <0f> 0b 48 c7 c7 40 9a cb 8b e8 5d a0 50 fc 90 0f 0b 48 c7 c7 00 9b
RSP: 0018:ffffc90005a3f320 EFLAGS: 00010246
RAX: 0000000000000058 RBX: ffff888040cc4078 RCX: aa19a771139add00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 1ffff11008198810 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffff52000b47e15 R12: 1ffff110037e9303
R13: dffffc0000000000 R14: ffff88801bf49818 R15: ffff88801bf49818
FS:  00007fadf887e6c0(0000) GS:ffff888125b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0f79a3b540 CR3: 000000003c4c0000 CR4: 00000000003526f0

Crashes (18):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/07/05 10:22 linux-next 2b763db0c276 fcece630 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/06/21 14:51 upstream 390d73adf896 43bfcdb0 .config console log report syz / log [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/01/04 07:02 upstream aacb0a6d604a d6526ea3 .config console log report syz / log [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/05/14 13:20 linux-next e98d21c170b0 6ccb967e .config console log report syz / log [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/04/23 06:57 linux-next 70c8a7ec6715 b10da5ec .config console log report syz / log [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/07/01 13:41 upstream 665159e24674 00a5cf1c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/05/10 00:34 upstream 1bfaee9d3351 29233ece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/04/02 00:52 upstream 9147566d8016 0285fe54 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/06/09 06:26 upstream 2d3090a8aeb5 656e94c6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/05/09 13:39 upstream 70390501d194 29233ece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 BUG: corrupted list in usb_hcd_link_urb_to_ep
2025/11/26 02:27 upstream 8a2bcda5e139 64219f15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 BUG: corrupted list in usb_hcd_link_urb_to_ep
2025/11/14 04:28 upstream 2ccec5944606 07e030de .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/02/22 23:16 upstream 189f164e573e 6e7b5511 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream BUG: corrupted list in usb_hcd_link_urb_to_ep
2025/10/24 13:28 upstream 6fab32bb6508 c0460fcd .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/07/05 07:57 linux-next 2b763db0c276 fcece630 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/05/14 08:51 linux-next e98d21c170b0 6ccb967e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/04/30 07:51 linux-next 0787c45ea08a 005438fc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root BUG: corrupted list in usb_hcd_link_urb_to_ep
2026/04/21 16:46 linux-next bee6ea30c487 0b6ab7ec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root BUG: corrupted list in usb_hcd_link_urb_to_ep
* Struck through repros no longer work on HEAD.