syzbot


BUG: corrupted list in usb_hcd_link_urb_to_ep (5)

Status: upstream: reported syz repro on 2025/10/30 15:20
Subsystems: usb
Reported-by: syzbot+e69c25cf38a53d0cf64c@syzkaller.appspotmail.com
First crash: 96d, last: 10d
Cause bisection: failed (error log, bisect log)
  
Discussions (1)
Title | Replies (including bot) | Last reply
[syzbot] [usb?] BUG: corrupted list in usb_hcd_link_urb_to_ep (5) | 1 (4) | 2026/01/05 04:33
Similar bugs (4)
Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | BUG: corrupted list in usb_hcd_link_urb_to_ep (4) usb | 8 | syz | - | - | 7 | 248d | 342d | 0/29 | auto-obsoleted due to no activity on 2025/09/02 03:21
upstream | BUG: corrupted list in usb_hcd_link_urb_to_ep usb | 8 | - | - | - | 1 | 2024d | 2024d | 0/29 | auto-closed as invalid on 2020/11/11 04:30
upstream | BUG: corrupted list in usb_hcd_link_urb_to_ep (2) usb | 8 | C | error | error | 2 | 797d | 1465d | 0/29 | auto-obsoleted due to no activity on 2024/03/02 17:43
upstream | BUG: corrupted list in usb_hcd_link_urb_to_ep (3) usb | 8 | - | - | - | 1 | 605d | 601d | 0/29 | auto-obsoleted due to no activity on 2024/08/31 17:07
Last patch testing requests (2)
Created | Duration | User | Patch | Repo | Result
2026/01/18 09:22 | 37m | - | retest repro | upstream | report log
2026/01/05 04:07 | 25m | hdanton@sina.com | patch | upstream | OK log

Sample crash report:
list_add double add: new=ffff888028dc3118, prev=ffff888028dc3118, next=ffff8880761de078.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:35!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 7322 Comm: syz.2.605 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__list_add_valid_or_report+0x143/0x190 lib/list_debug.c:35
Code: 89 f1 48 c7 c7 c0 b6 f2 8b 48 89 ee e8 d6 9a e7 fc 90 0f 0b 48 89 f2 48 89 e9 4c 89 e6 48 c7 c7 40 b7 f2 8b e8 be 9a e7 fc 90 <0f> 0b 48 89 f7 48 89 34 24 e8 cf db 73 fd 48 8b 34 24 e9 07 ff ff
RSP: 0018:ffffc90004ca7580 EFLAGS: 00010086
RAX: 0000000000000058 RBX: ffff888028dc3100 RCX: ffffffff819c8fa5
RDX: 0000000000000000 RSI: ffffffff819d0b89 RDI: 0000000000000005
RBP: ffff8880761de078 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000004 R11: 0000000000000001 R12: ffff888028dc3118
R13: ffff8880761de080 R14: 0000000000000000 R15: ffff888028dc3118
FS:  00007fa72ab066c0(0000) GS:ffff8881248f5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000002000 CR3: 000000007860f000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __list_add_valid include/linux/list.h:96 [inline]
 __list_add include/linux/list.h:158 [inline]
 list_add_tail include/linux/list.h:191 [inline]
 usb_hcd_link_urb_to_ep+0x220/0x3a0 drivers/usb/core/hcd.c:1158
 dummy_urb_enqueue+0x2a7/0x920 drivers/usb/gadget/udc/dummy_hcd.c:1288
 usb_hcd_submit_urb+0x25b/0x1cf0 drivers/usb/core/hcd.c:1546
 usb_submit_urb+0x899/0x1970 drivers/usb/core/urb.c:587
 cm109_submit_buzz_toggle+0xd9/0x180 drivers/input/misc/cm109.c:351
 cm109_toggle_buzzer_async drivers/input/misc/cm109.c:484 [inline]
 cm109_input_ev+0x23d/0x280 drivers/input/misc/cm109.c:615
 input_event_dispose drivers/input/input.c:322 [inline]
 input_handle_event+0x151/0x14d0 drivers/input/input.c:370
 input_inject_event+0x1e8/0x3b0 drivers/input/input.c:424
 kd_sound_helper+0x17a/0x280 drivers/tty/vt/keyboard.c:256
 input_handler_for_each_handle+0xd7/0x250 drivers/input/input.c:2520
 kd_mksound+0x88/0x130 drivers/tty/vt/keyboard.c:280
 handle_ascii drivers/tty/vt/vt.c:2327 [inline]
 do_con_trol drivers/tty/vt/vt.c:2644 [inline]
 do_con_write+0x3246/0x8280 drivers/tty/vt/vt.c:3228
 con_write+0x23/0xb0 drivers/tty/vt/vt.c:3565
 process_output_block drivers/tty/n_tty.c:557 [inline]
 n_tty_write+0x434/0x1280 drivers/tty/n_tty.c:2366
 iterate_tty_write drivers/tty/tty_io.c:1006 [inline]
 file_tty_write.constprop.0+0x503/0x9b0 drivers/tty/tty_io.c:1081
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x7d3/0x11d0 fs/read_write.c:686
 ksys_write+0x12a/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa729b8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa72ab06038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa729de5fa0 RCX: 00007fa729b8f749
RDX: 0000000000001006 RSI: 0000200000001980 RDI: 0000000000000005
RBP: 00007fa729c13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa729de6038 R14: 00007fa729de5fa0 R15: 00007ffdb843d7a8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0x143/0x190 lib/list_debug.c:35
Code: 89 f1 48 c7 c7 c0 b6 f2 8b 48 89 ee e8 d6 9a e7 fc 90 0f 0b 48 89 f2 48 89 e9 4c 89 e6 48 c7 c7 40 b7 f2 8b e8 be 9a e7 fc 90 <0f> 0b 48 89 f7 48 89 34 24 e8 cf db 73 fd 48 8b 34 24 e9 07 ff ff
RSP: 0018:ffffc90004ca7580 EFLAGS: 00010086
RAX: 0000000000000058 RBX: ffff888028dc3100 RCX: ffffffff819c8fa5
RDX: 0000000000000000 RSI: ffffffff819d0b89 RDI: 0000000000000005
RBP: ffff8880761de078 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000004 R11: 0000000000000001 R12: ffff888028dc3118
R13: ffff8880761de080 R14: 0000000000000000 R15: ffff888028dc3118
FS:  00007fa72ab066c0(0000) GS:ffff8881248f5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000002000 CR3: 000000007860f000 CR4: 00000000003526f0

Crashes (4):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2026/01/04 07:02 | upstream | aacb0a6d604a | d6526ea3 | .config | console log | report | syz / log | - | - | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | BUG: corrupted list in usb_hcd_link_urb_to_ep
2025/11/26 02:27 | upstream | 8a2bcda5e139 | 64219f15 | .config | console log | report | - | - | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | BUG: corrupted list in usb_hcd_link_urb_to_ep
2025/11/14 04:28 | upstream | 2ccec5944606 | 07e030de | .config | console log | report | - | - | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | BUG: corrupted list in usb_hcd_link_urb_to_ep
2025/10/24 13:28 | upstream | 6fab32bb6508 | c0460fcd | .config | console log | report | - | - | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | BUG: corrupted list in usb_hcd_link_urb_to_ep
* Struck through repros no longer work on HEAD.