syzbot

 sign-in | mailing list | source | docs
🐞 Open [1466]
Subsystems
🐞 Fixed [6733]
🐞 Invalid [17303]
Missing Backports [220]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

BUG: corrupted list in usb_hcd_link_urb_to_ep (5)

Status: upstream: reported on 2025/10/30 15:20
Subsystems: usb
[Documentation on labels]
Reported-by: syzbot+e69c25cf38a53d0cf64c@syzkaller.appspotmail.com
First crash: 21d, last: 1d01h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [usb?] BUG: corrupted list in usb_hcd_link_urb_to_ep (5) 0 (1) 2025/10/30 15:20
Similar bugs (4)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep (4) usb 8 syz 7 174d 268d 0/29 auto-obsoleted due to no activity on 2025/09/02 03:21
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep usb 8 1 1950d 1949d 0/29 auto-closed as invalid on 2020/11/11 04:30
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep (2) usb 8 C error error 2 722d 1390d 0/29 auto-obsoleted due to no activity on 2024/03/02 17:43
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep (3) usb 8 1 530d 526d 0/29 auto-obsoleted due to no activity on 2024/08/31 17:07

Sample crash report:
usb 5-1: Product: syz
usb 5-1: SerialNumber: syz
usb 5-1: config 0 descriptor??
input: CM109 USB driver as /devices/platform/dummy_hcd.4/usb5/5-1/5-1:0.8/input/input15
list_add double add: new=ffff88807bbeb618, prev=ffff88807bbeb618, next=ffff88807e1b3078.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:37!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 5917 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_add_valid_or_report+0xa5/0x130 lib/list_debug.c:35
Code: 74 12 b0 01 5b 41 5c 41 5d 41 5e 41 5f 5d e9 82 78 b6 06 cc 48 c7 c7 20 0a bf 8b 4c 89 fe 4c 89 f2 48 89 d9 e8 3c c5 94 fc 90 <0f> 0b 48 c7 c7 20 08 bf 8b e8 2d c5 94 fc 90 0f 0b 48 c7 c7 c0 08
RSP: 0018:ffffc900045dea40 EFLAGS: 00010046
RAX: 0000000000000058 RBX: ffff88807e1b3078 RCX: 61df6075ca2f8500
RDX: ffffc9001a074000 RSI: 000000000006e02d RDI: 000000000006e02e
RBP: 1ffff1100fc36610 R08: ffff8880b8824293 R09: 1ffff11017104852
R10: dffffc0000000000 R11: ffffed1017104853 R12: 1ffff1100f77d6c3
R13: dffffc0000000000 R14: ffff88807bbeb618 R15: ffff88807bbeb618
FS:  0000000000000000(0000) GS:ffff88812613b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f51caa2c CR3: 000000007d230000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __list_add_valid include/linux/list.h:96 [inline]
 __list_add include/linux/list.h:158 [inline]
 list_add_tail include/linux/list.h:191 [inline]
 usb_hcd_link_urb_to_ep+0x1d2/0x330 drivers/usb/core/hcd.c:1158
 dummy_urb_enqueue+0x2a1/0x780 drivers/usb/gadget/udc/dummy_hcd.c:1288
 usb_hcd_submit_urb+0x325/0x1aa0 drivers/usb/core/hcd.c:1546
 cm109_input_open+0x1fe/0x4b0 drivers/input/misc/cm109.c:566
 input_open_device+0x1d3/0x390 drivers/input/input.c:601
 kbd_connect+0xed/0x140 drivers/tty/vt/keyboard.c:1584
 input_attach_handler drivers/input/input.c:994 [inline]
 input_register_device+0xd00/0x1140 drivers/input/input.c:2378
 cm109_usb_probe+0x118c/0x1690 drivers/input/misc/cm109.c:797
 usb_probe_interface+0x668/0xc30 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2958/0x4a20 drivers/usb/core/hub.c:5952
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0xa5/0x130 lib/list_debug.c:35
Code: 74 12 b0 01 5b 41 5c 41 5d 41 5e 41 5f 5d e9 82 78 b6 06 cc 48 c7 c7 20 0a bf 8b 4c 89 fe 4c 89 f2 48 89 d9 e8 3c c5 94 fc 90 <0f> 0b 48 c7 c7 20 08 bf 8b e8 2d c5 94 fc 90 0f 0b 48 c7 c7 c0 08
RSP: 0018:ffffc900045dea40 EFLAGS: 00010046
RAX: 0000000000000058 RBX: ffff88807e1b3078 RCX: 61df6075ca2f8500
RDX: ffffc9001a074000 RSI: 000000000006e02d RDI: 000000000006e02e
RBP: 1ffff1100fc36610 R08: ffff8880b8824293 R09: 1ffff11017104852
R10: dffffc0000000000 R11: ffffed1017104853 R12: 1ffff1100f77d6c3
R13: dffffc0000000000 R14: ffff88807bbeb618 R15: ffff88807bbeb618
FS:  0000000000000000(0000) GS:ffff88812613b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f51caa2c CR3: 000000007d230000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/11/14 04:28 upstream 2ccec5944606 07e030de .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 BUG: corrupted list in usb_hcd_link_urb_to_ep
2025/10/24 13:28 upstream 6fab32bb6508 c0460fcd .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream BUG: corrupted list in usb_hcd_link_urb_to_ep
* Struck through repros no longer work on HEAD.