Re: [syzbot] [usb?] BUG: corrupted list in usb_hcd_link_urb_to_ep (5)
From: Hillf Danton
Date: Sun Jan 04 2026 - 23:07:36 EST
> Date: Sat, 03 Jan 2026 23:03:24 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: aacb0a6d604a Merge tag 'pmdomain-v6.19-rc3' of git://git.k..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16578f92580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a11e0f726bfb6765
> dashboard link: https://syzkaller.appspot.com/bug?extid=e69c25cf38a53d0cf64c
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1627369a580000
#syz test
--- x/drivers/input/misc/cm109.c
+++ y/drivers/input/misc/cm109.c
@@ -562,15 +562,18 @@ static int cm109_input_open(struct input
dev->ctl_data->byte[HID_OR2] = dev->keybit;
dev->ctl_data->byte[HID_OR3] = 0x00;
+ spin_lock_irq(&dev->ctl_submit_lock);
dev->ctl_urb_pending = 1;
- error = usb_submit_urb(dev->urb_ctl, GFP_KERNEL);
+ error = usb_submit_urb(dev->urb_ctl, GFP_ATOMIC);
if (!error) {
dev->open = 1;
+ spin_unlock_irq(&dev->ctl_submit_lock);
return 0;
}
+ dev->ctl_urb_pending = 0;
+ spin_unlock_irq(&dev->ctl_submit_lock);
}
- dev->ctl_urb_pending = 0;
usb_autopm_put_interface(dev->intf);
dev_err(&dev->intf->dev, "%s: usb_submit_urb (urb_ctl) failed %d\n",
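Review bot: The new critical section still sets `dev->ctl_urb_pending = 1;` and submits `urb_ctl` without first testing whether the flag is already set, so `ctl_submit_lock` only orders this path against other holders of the lock. It does not by itself prevent a second submission of an URB that is already linked, which is what the list corruption in the subject points to. If another path can leave `urb_ctl` in flight when open runs (those submitters are outside this hunk, so this needs confirming), open should test the flag under the lock and skip the submit, e.g. `if (dev->ctl_urb_pending) error = -EBUSY; else { dev->ctl_urb_pending = 1; error = usb_submit_urb(dev->urb_ctl, GFP_ATOMIC); }`. In that case the failure branch must not run `dev->ctl_urb_pending = 0;` for the busy case, since the flag would belong to the in-flight URB. `cm109_input_open()` begins before this hunk and continues past it.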
--