On Tue, 16 Apr 2019, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> WARNING in usb_submit_urb
>
> hub 3-0:1.0: hub_activate type 4
> hub 3-0:1.0: Submitting status URB
> hub 3-0:1.0: Submitting status URB
> ------------[ cut here ]------------
> URB 00000000a8d7a6c6 submitted while active
The console output shows pretty clearly that there is a race. But I can't quite see how it is caused. Let's try a little bit more debugging.
Alan Stern
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e12e00e388de
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1016,6 +1016,9 @@ static void hub_activate(struct usb_hub
 bool need_debounce_delay = false;
 unsigned delay;
 
+ dev_info(hub->intfdev, "%p %s type %d discon %d\n",
+ hub, __func__, type, hub->disconnected);
+
 /* Continue a partial initialization */
 if (type == HUB_INIT2 || type == HUB_INIT3) {
 device_lock(&hdev->dev);
@@ -1254,6 +1257,7 @@ static void hub_activate(struct usb_hub
 init3:
 hub->quiescing = 0;
 
+ dev_info(hub->intfdev, "%p Submitting status URB\n", hub);
 status = usb_submit_urb(hub->urb, GFP_NOIO);
 if (status < 0)
 dev_err(hub->intfdev, "activate --> %d\n", status);
@@ -1299,6 +1303,8 @@ static void hub_quiesce(struct usb_hub *
 unsigned long flags;
 int i;
 
+ dev_info(hub->intfdev, "%p %s type %d\n", hub, __func__, type);
+
 /* hub_wq and related activity won't re-trigger */
 spin_lock_irqsave(&hub->irq_urb_lock, flags);
 hub->quiescing = 1;
@@ -3711,7 +3717,7 @@ static int hub_suspend(struct usb_interf
 }
 }
 
- dev_dbg(&intf->dev, "%s\n", __func__);
+ dev_info(&intf->dev, "%p %s\n", hub, __func__);
 
 /* stop hub_wq and related activity */
 hub_quiesce(hub, HUB_SUSPEND);
@@ -3756,7 +3762,7 @@ static int hub_resume(struct usb_interfa
 {
 struct usb_hub *hub = usb_get_intfdata(intf);
 
- dev_dbg(&intf->dev, "%s\n", __func__);
+ dev_info(&intf->dev, "%p %s\n", hub, __func__);
 hub_activate(hub, HUB_RESUME);
 
 /*
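Review bot: In the first hub_activate hunk, the added `dev_info` reads `hub->disconnected` before the `device_lock(&hdev->dev)` that appears a few lines below it, so the logged `discon` is an unlocked snapshot. When chasing a race, that value may differ from what the HUB_INIT2/HUB_INIT3 path sees once it holds the lock. A second print placed right after the lock, `dev_info(hub->intfdev, "%p locked discon %d\n", hub, hub->disconnected);`, would record the state under the lock as well. hub_activate's body continues outside the hunk, so how `disconnected` is used after the lock is not visible here.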
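Review bot: At `init3:` in the second hub_activate hunk, the new message omits `type`, so when two hub_activate calls overlap on the same hub the log cannot attribute each submission to its call path. The quoted syzbot output already shows this pattern: one `hub_activate type 4` line followed by two `Submitting status URB` lines. Printing it at the submit site, `dev_info(hub->intfdev, "%p Submitting status URB type %d\n", hub, type);`, ties each `usb_submit_urb` to the activation that issued it. The label sits in the middle of hub_activate, whose start and end are outside this hunk.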
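Review bot: In the hub_suspend hunk, and identically in the hub_resume hunk after it, `dev_dbg` is replaced by `dev_info` rather than supplemented, so every hub suspend and resume now logs at info level. Nothing in the code marks this as temporary instrumentation; a comment such as `/* DEBUG ONLY: revert to dev_dbg before merging */` above each call would keep it from being carried into an eventual fix. The `%p` argument is hashed by default on kernels of this era, so it should be enough to correlate hub instances across messages without writing a raw kernel address to the log, and it should stay `%p`.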