[BUG] list_add double add in cm109_input_open

[BUG] list_add double add in cm109_input_open

[许东洁]

Hi,

While running fuzzing tests on 6.19.0-rc5, we hit a "list_add double add" bug triggered by the cm109 driver.

The root cause lies in how the driver handles multiple input devices. During probe, the driver registers two separate input devices (idev and keypad). Both devices share the same cm109_input_open() and cm109_input_close() callbacks. If both input devices are opened by user space, cm109_input_open() is called twice.

However, cm109_input_open() doesn't check if the URBs are already in flight. It simply sets dev->open = 1 and calls usb_submit_urb() unconditionally. Submitting the same URB twice causes the double list_add BUG in the USB core.

A possible fix would be to convert the dev->open variable from a boolean flag into a reference counter. We could increment it in cm109_input_open() and only submit the URBs if it transitions from 0 to 1, and decrement it in cm109_input_close(), killing the URBs only when the counter reaches 0.

We do not have a formal patch ready yet, but we are happy to help test any proposed fixes.

Crash log, call trace, and machine info are as follows:

[Machine Info]
QEMU emulator version 6.2.0
CPU: Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz (4 cores)
Kernel Version: 6.19.0-rc5-00042-g944aacb68baf

[Crash Report & Call Trace]
input: CM109 USB driver as /devices/platform/dummy_hcd.2/usb3/3-1/3-1:0.0/input/input24 list_add double add: new=ffff888033606818, prev=ffff888033606818, next=ffff88802dac6078. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:35! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 840 Comm: kworker/0:2 Tainted: G             L      6.19.0-rc5-00042-g944aacb68baf #1 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: usb_hub_wq hub_event RIP: 0010:__list_add_valid_or_report+0x142/0x190 lib/list_debug.c:35 Code: 16 48 89 f1 48 c7 c7 c0 ba d2 8b 4c 89 e6 e8 b5 13 f1 fc 0f 0b 48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 40 bb d2 8b e8 9e 13 f1 fc <0f> 0b 48 RSP: 0018:ffffc9000562ecc0 EFLAGS: 00010086 RAX: 0000000000000058 RBX: ffff888033606800 RCX: ffffc9002335e000 RDX: 0000000000000000 RSI: ffffffff819ecb10 RDI: 0000000000000005 RBP: 0000000000000020 R08: 0000000000000001 R09: ffffed100c4c48f1 R10: 0000000080000002 R11: 00000000000a48c0 R12: ffff88802dac6078 R13: ffff888033606818 R14: ffff88802dac6080 R15: ffff888033606818 FS:  0000000000000000(0000) GS:ffff8880ced64000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb35e7afe00 CR3: 000000003b6b8000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: <TASK> __list_add_valid include/linux/list.h:96 [inline] __list_add include/linux/list.h:158 [inline] list_add_tail include/linux/list.h:191 [inline] usb_hcd_link_urb_to_ep+0x220/0x3a0 drivers/usb/core/hcd.c:1158 dummy_urb_enqueue+0x2b1/0x970 drivers/usb/gadget/udc/dummy_hcd.c:1288 usb_hcd_submit_urb+0x266/0x1fd0 drivers/usb/core/hcd.c:1546 usb_submit_urb+0x880/0x18f0 drivers/usb/core/urb.c:587 cm109_input_open+0x279/0x490 drivers/input/misc/cm109.c:566 input_open_device+0x245/0x3f0 drivers/input/input.c:601 kbd_connect+0x127/0x180 drivers/tty/vt/keyboard.c:1563 input_attach_handler+0x17b/0x260 drivers/input/input.c:994 input_register_device+0xa4f/0x1190 drivers/input/input.c:2378 cm109_usb_probe+0x128c/0x1880 drivers/input/misc/cm109.c:797 usb_probe_interface+0x30b/0xab0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:581 [inline] really_probe+0x252/0xb20 drivers/base/dd.c:659 __driver_probe_device+0x1df/0x470 drivers/base/dd.c:801 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:831 __device_attach_driver+0x1db/0x340 drivers/base/dd.c:959 bus_for_each_drv+0x14b/0x1d0 drivers/base/bus.c:500 __device_attach+0x1ee/0x4f0 drivers/base/dd.c:1031 device_initial_probe+0xaa/0xc0 drivers/base/dd.c:1086 bus_probe_device+0x64/0x150 drivers/base/bus.c:574 device_add+0x1132/0x1930 drivers/base/core.c:3689 usb_set_configuration+0x1194/0x1c70 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb7/0x110 drivers/usb/core/generic.c:250 usb_probe_device+0xed/0x400 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:581 [inline] really_probe+0x252/0xb20 drivers/base/dd.c:659 __driver_probe_device+0x1df/0x470 drivers/base/dd.c:801 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:831 __device_attach_driver+0x1db/0x340 drivers/base/dd.c:959 bus_for_each_drv+0x14b/0x1d0 drivers/base/bus.c:500 __device_attach+0x1ee/0x4f0 drivers/base/dd.c:1031 device_initial_probe+0xaa/0xc0 drivers/base/dd.c:1086 bus_probe_device+0x64/0x150 drivers/base/bus.c:574 device_add+0x1132/0x1930 drivers/base/core.c:3689 usb_new_device+0xd2c/0x1ac0 drivers/usb/core/hub.c:2695 hub_port_connect drivers/usb/core/hub.c:5567 [inline] hub_port_connect_change drivers/usb/core/hub.c:5707 [inline] port_event drivers/usb/core/hub.c:5871 [inline] hub_event+0x2efa/0x5020 drivers/usb/core/hub.c:5953 process_one_work+0x990/0x1af0 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x67e/0xe90 kernel/workqueue.c:3421 kthread+0x446/0x890 kernel/kthread.c:463 ret_from_fork+0x95b/0xae0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK>
Xu Dongjie
University of Chinese Academy of Sciences

Re: [BUG] list_add double add in cm109_input_open

[Dmitry Torokhov]

On Wed, Apr 15, 2026 at 11:38:06AM +0800, 许东洁 wrote:
> Hi,
> 
> While running fuzzing tests on 6.19.0-rc5, we hit a "list_add double add" bug triggered by the cm109 driver.
> 
> The root cause lies in how the driver handles multiple input devices. During probe, the driver registers two separate input devices (idev and keypad). Both devices share the same cm109_input_open() and cm109_input_close() callbacks. If both input devices are opened by user space, cm109_input_open() is called twice.

Your LLM hallucinated a bunch of stuff. Please refrain from reporting
any more "bugs" to us.

Thanks.

-- 
Dmitry