[PATCH 0/3] USB: core: Don't overwrite device descriptor during reinitialization

An outstanding syzbot bug report has been traced to a race between the
routine that reads in the device descriptor for a device being
reinitialized and the routine that writes the descriptors to a sysfs
attribute file.  The problem is that reinitializing a device, like
initializing it for the first time, stores the device descriptor
directly in the usb_device structure, where it may be accessed
concurrently as part of sending the descriptors to the sysfs reader.

This three-part series fixes the problem:

	The first patch unites the code paths responsible for first
	reading the device descriptor in hub.c's old scheme and new
	scheme, so that neither of them will call
	usb_get_device_descriptor().

	The second patch changes usb_get_device_descriptor(), making
	it return the descriptor in a dynamically allocated buffer
	rather than storing it directly in the device structure.

	The third patch changes hub_port_init(), adding a new argument
	that specifies a buffer in which to store the device
	descriptor for devices being reinitialized.

As a result of these changes, the copy of the device descriptor stored
in the usb_device structure will never be overwritten once it has been
initialized.  This eliminates the data race causing the bug identified
by syzbot.

It would be nice at some point to make a similar change to the code
that reads the device's BOS descriptor; reinitialization should not
overwrite its existing data either.  This series doesn't attempt to do
that, but it would be a good thing to do.

Alan Stern
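The following is an added, constructed C model of the two patterns the cover letter contrasts; it is not code from the series or from the kernel. The structures, function names, sample descriptor values and the "compare the fresh copy against the stored one" step are assumptions made for the illustration. It shows why writing the descriptor straight into the device structure exposes a published copy to concurrent readers, and how reading into a caller-owned buffer leaves the stored copy untouched after the first initialization.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model of the patterns described in the cover
 * letter.  Not the kernel's code: field names follow the USB spec, but the
 * structures, functions and sample values are assumptions for this example.
 * The descriptor is truncated to six fields to keep the model short. */

struct usb_device_descriptor {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint16_t bcdUSB;
    uint16_t idVendor;
    uint16_t idProduct;
    uint16_t bcdDevice;
};

struct usb_device {
    /* The copy that sysfs readers walk; must not change once published. */
    struct usb_device_descriptor descriptor;
    int initialized;
};

/* Stand-in for the control transfer that reads the descriptor from the
 * device.  'generation' simulates what the device reports after a given
 * reset; all values are constructed sample data. */
static void fetch_from_device(struct usb_device_descriptor *out, int generation)
{
    memset(out, 0, sizeof *out);
    out->bLength = (uint8_t)sizeof *out;   /* truncated model, see above */
    out->bDescriptorType = 1;              /* USB_DT_DEVICE */
    out->bcdUSB = 0x0200;
    out->idVendor = 0x1234;                /* constructed */
    out->idProduct = 0x5678;               /* constructed */
    out->bcdDevice = (uint16_t)(0x0100 + generation);
}

/* First-time enumeration: the only point at which the stored copy is written. */
static void init_device(struct usb_device *dev, int generation)
{
    fetch_from_device(&dev->descriptor, generation);
    dev->initialized = 1;
}

/* Old pattern (the bug): reinitialization writes straight into the
 * published copy, so a concurrent sysfs reader can observe a half-updated
 * descriptor. */
static void reinit_old(struct usb_device *dev, int generation)
{
    fetch_from_device(&dev->descriptor, generation);
}

/* New pattern: the descriptor is read into a dynamically allocated buffer
 * owned by the caller (models the changed usb_get_device_descriptor()). */
static struct usb_device_descriptor *get_descriptor_alloc(int generation)
{
    struct usb_device_descriptor *d = malloc(sizeof *d);
    if (!d)
        return NULL;
    fetch_from_device(d, generation);
    return d;
}

/* New pattern, caller side (models hub_port_init() taking a buffer for a
 * device being reinitialized): dev->descriptor is only read, never written.
 * What the caller does with the fresh copy is modeled here as a comparison
 * (an assumption).  Returns 0 on success, -1 on allocation failure;
 * *changed reports whether the device now presents a different descriptor. */
static int reinit_new(struct usb_device *dev, int generation, int *changed)
{
    struct usb_device_descriptor *fresh = get_descriptor_alloc(generation);
    if (!fresh)
        return -1;
    /* The 10-byte struct has no padding, so memcmp compares only fields. */
    *changed = memcmp(fresh, &dev->descriptor, sizeof *fresh) != 0;
    free(fresh);
    return 0;
}

/* Demonstration helper: which generation does the stored copy carry? */
static int stored_generation(const struct usb_device *dev)
{
    return dev->descriptor.bcdDevice - 0x0100;
}

int main(void)
{
    struct usb_device dev;
    int changed = 0;

    init_device(&dev, 1);
    reinit_new(&dev, 2, &changed);
    printf("new pattern: changed=%d, stored generation=%d\n",
           changed, stored_generation(&dev));
    reinit_old(&dev, 2);
    printf("old pattern: stored generation=%d (published copy overwritten)\n",
           stored_generation(&dev));
    return 0;
}
```

In the new pattern the stored descriptor still reports generation 1 after a reinitialization that fetched generation 2, so a reader holding a pointer into `dev->descriptor` never sees it change underneath it; the old pattern overwrites the published copy in place, which is the window the syzbot report hit.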
