syzbot

 sign-in | mailing list | source | docs
🐞 Open [1467]
Subsystems
🐞 Fixed [6810]
🐞 Invalid [17605]
Missing Backports [225]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

BUG: corrupted list in usb_hcd_link_urb_to_ep (5)

Status: upstream: reported on 2025/10/30 15:20
Subsystems: usb
[Documentation on labels]
Reported-by: syzbot+e69c25cf38a53d0cf64c@syzkaller.appspotmail.com
First crash: 60d, last: 28d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [usb?] BUG: corrupted list in usb_hcd_link_urb_to_ep (5) 0 (1) 2025/10/30 15:20
Similar bugs (4)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep (4) usb 8 syz 7 213d 307d 0/29 auto-obsoleted due to no activity on 2025/09/02 03:21
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep usb 8 1 1989d 1989d 0/29 auto-closed as invalid on 2020/11/11 04:30
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep (2) usb 8 C error error 2 761d 1429d 0/29 auto-obsoleted due to no activity on 2024/03/02 17:43
upstream BUG: corrupted list in usb_hcd_link_urb_to_ep (3) usb 8 1 569d 565d 0/29 auto-obsoleted due to no activity on 2024/08/31 17:07

Sample crash report:
usb 5-1: config 0 descriptor??
cm109 5-1:0.8: invalid payload size 0, expected 4
input: CM109 USB driver as /devices/platform/dummy_hcd.4/usb5/5-1/5-1:0.8/input/input199
list_add double add: new=ffff888038663e18, prev=ffff888038663e18, next=ffff888077693078.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:37!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 16425 Comm: kworker/1:0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_add_valid_or_report+0xa5/0x130 lib/list_debug.c:35
Code: 74 12 b0 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 48 c7 c7 a0 0b bf 8b 4c 89 fe 4c 89 f2 48 89 d9 e8 1c a5 94 fc 90 <0f> 0b 48 c7 c7 a0 09 bf 8b e8 0d a5 94 fc 90 0f 0b 48 c7 c7 40 0a
RSP: 0018:ffffc9001babea40 EFLAGS: 00010046
RAX: 0000000000000058 RBX: ffff888077693078 RCX: 0dfa0c7bace5e100
RDX: ffffc90019e52000 RSI: 00000000000a3fe4 RDI: 00000000000a3fe5
RBP: 1ffff1100eed2610 R08: ffff8880b8924293 R09: 1ffff11017124852
R10: dffffc0000000000 R11: ffffed1017124853 R12: 1ffff110070cc7c3
R13: dffffc0000000000 R14: ffff888038663e18 R15: ffff888038663e18
FS:  0000000000000000(0000) GS:ffff888126239000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f543cda4 CR3: 00000000626ac000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __list_add_valid include/linux/list.h:96 [inline]
 __list_add include/linux/list.h:158 [inline]
 list_add_tail include/linux/list.h:191 [inline]
 usb_hcd_link_urb_to_ep+0x1d2/0x330 drivers/usb/core/hcd.c:1158
 dummy_urb_enqueue+0x2a1/0x780 drivers/usb/gadget/udc/dummy_hcd.c:1288
 usb_hcd_submit_urb+0x325/0x1aa0 drivers/usb/core/hcd.c:1546
 cm109_input_open+0x1fe/0x4b0 drivers/input/misc/cm109.c:566
 input_open_device+0x1d3/0x390 drivers/input/input.c:601
 kbd_connect+0xed/0x140 drivers/tty/vt/keyboard.c:1584
 input_attach_handler drivers/input/input.c:994 [inline]
 input_register_device+0xd00/0x1140 drivers/input/input.c:2378
 cm109_usb_probe+0x118c/0x1690 drivers/input/misc/cm109.c:797
 usb_probe_interface+0x668/0xc30 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2958/0x4a20 drivers/usb/core/hub.c:5952
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0xa5/0x130 lib/list_debug.c:35
Code: 74 12 b0 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 48 c7 c7 a0 0b bf 8b 4c 89 fe 4c 89 f2 48 89 d9 e8 1c a5 94 fc 90 <0f> 0b 48 c7 c7 a0 09 bf 8b e8 0d a5 94 fc 90 0f 0b 48 c7 c7 40 0a
RSP: 0018:ffffc9001babea40 EFLAGS: 00010046
RAX: 0000000000000058 RBX: ffff888077693078 RCX: 0dfa0c7bace5e100
RDX: ffffc90019e52000 RSI: 00000000000a3fe4 RDI: 00000000000a3fe5
RBP: 1ffff1100eed2610 R08: ffff8880b8924293 R09: 1ffff11017124852
R10: dffffc0000000000 R11: ffffed1017124853 R12: 1ffff110070cc7c3
R13: dffffc0000000000 R14: ffff888038663e18 R15: ffff888038663e18
FS:  0000000000000000(0000) GS:ffff888126239000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f543cda4 CR3: 00000000626ac000 CR4: 00000000003526f0

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/11/26 02:27 upstream 8a2bcda5e139 64219f15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 BUG: corrupted list in usb_hcd_link_urb_to_ep
2025/11/14 04:28 upstream 2ccec5944606 07e030de .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 BUG: corrupted list in usb_hcd_link_urb_to_ep
2025/10/24 13:28 upstream 6fab32bb6508 c0460fcd .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream BUG: corrupted list in usb_hcd_link_urb_to_ep
* Struck through repros no longer work on HEAD.