Re: WARNING in usb_submit_urb (4)

Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> · Wed, 17 Apr 2019 16:59:20 -0400 (EDT)

On Tue, 16 Apr 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered  
> crash:
> WARNING in usb_submit_urb
> 
> hub 3-0:1.0: 0000000090da6a2e hub_activate type 4 discon 0
> hub 3-0:1.0: 0000000090da6a2e Submitting status URB
> hub 3-0:1.0: 0000000090da6a2e Submitting status URB
> ------------[ cut here ]------------
> URB 000000000612b84f submitted while active
> WARNING: CPU: 1 PID: 3403 at drivers/usb/core/urb.c:363  
> usb_submit_urb+0x1110/0x1400 drivers/usb/core/urb.c:363

I'm still having trouble understanding this.  Here's some more 
debugging.

Alan Stern

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e12e00e388de

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1016,6 +1016,9 @@ static void hub_activate(struct usb_hub
 	bool need_debounce_delay = false;
 	unsigned delay;
 
+	dev_info(hub->intfdev, "%p %s type %d discon %d\n",
+			hub, __func__, type, hub->disconnected);
+
 	/* Continue a partial initialization */
 	if (type == HUB_INIT2 || type == HUB_INIT3) {
 		device_lock(&hdev->dev);
@@ -1299,6 +1302,8 @@ static void hub_quiesce(struct usb_hub *
 	unsigned long flags;
 	int i;
 
+	dev_info(hub->intfdev, "%p %s type %d\n", hub, __func__, type);
+
 	/* hub_wq and related activity won't re-trigger */
 	spin_lock_irqsave(&hub->irq_urb_lock, flags);
 	hub->quiescing = 1;
@@ -3711,7 +3716,9 @@ static int hub_suspend(struct usb_interf
 		}
 	}
 
-	dev_dbg(&intf->dev, "%s\n", __func__);
+	dev_info(&intf->dev, "%p %s usage %d\n",
+			hub, __func__,
+			atomic_read(&intf->dev.power.usage_count));
 
 	/* stop hub_wq and related activity */
 	hub_quiesce(hub, HUB_SUSPEND);
@@ -3756,7 +3763,7 @@ static int hub_resume(struct usb_interfa
 {
 	struct usb_hub *hub = usb_get_intfdata(intf);
 
-	dev_dbg(&intf->dev, "%s\n", __func__);
+	dev_info(&intf->dev, "%p %s\n", hub, __func__);
 	hub_activate(hub, HUB_RESUME);
 
 	/*
Index: usb-devel/drivers/usb/core/driver.c
===================================================================
--- usb-devel.orig/drivers/usb/core/driver.c
+++ usb-devel/drivers/usb/core/driver.c
@@ -358,7 +358,11 @@ static int usb_probe_interface(struct de
 		intf->needs_altsetting0 = 0;
 	}
 
+	dev_info(dev, "pre-probe usage %d\n",
+			atomic_read(&intf->dev.power.usage_count));
 	error = driver->probe(intf, id);
+	dev_info(dev, "post-probe usage %d\n",
+			atomic_read(&intf->dev.power.usage_count));
 	if (error)
 		goto err;
 
@@ -420,7 +424,11 @@ static int usb_unbind_interface(struct d
 	if (!driver->soft_unbind || udev->state == USB_STATE_NOTATTACHED)
 		usb_disable_interface(udev, intf, false);
 
+	dev_info(dev, "pre-discon usage %d\n",
+			atomic_read(&intf->dev.power.usage_count));
 	driver->disconnect(intf);
+	dev_info(dev, "post-discon usage %d\n",
+			atomic_read(&intf->dev.power.usage_count));
 
 	/* Free streams */
 	for (i = 0, j = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {







