From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: WARNING in usb_submit_urb (4)
From: Alan Stern
Date: Wed, 17 Apr 2019 16:59:20 -0400 (EDT)
To: syzbot
Cc: andreyknvl@google.com, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
In-Reply-To: <00000000000021301c0586ac31f4@google.com>
Message-ID: <20190417205920.zZj5RRhn_fIEWDKNDgVnLAk24IbApfj2ffNTlFX6WIE@z>

On Tue, 16 Apr 2019, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> WARNING in usb_submit_urb
>
> hub 3-0:1.0: 0000000090da6a2e hub_activate type 4 discon 0
> hub 3-0:1.0: 0000000090da6a2e Submitting status URB
> hub 3-0:1.0: 0000000090da6a2e Submitting status URB
> ------------[ cut here ]------------
> URB 000000000612b84f submitted while active
> WARNING: CPU: 1 PID: 3403 at drivers/usb/core/urb.c:363
> usb_submit_urb+0x1110/0x1400 drivers/usb/core/urb.c:363

I'm still having trouble understanding this. Here's some more debugging.

Alan Stern

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e12e00e388de

--- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -1016,6 +1016,9 @@ static void hub_activate(struct usb_hub bool need_debounce_delay = false; unsigned delay; + dev_info(hub->intfdev, "%p %s type %d discon %d\n", + hub, __func__, type, hub->disconnected); + /* Continue a partial initialization */ if (type == HUB_INIT2 || type == HUB_INIT3) { device_lock(&hdev->dev); @@ -1299,6 +1302,8 @@ static void hub_quiesce(struct usb_hub * unsigned long flags; int i; + dev_info(hub->intfdev, "%p %s type %d\n", hub, __func__, type); + /* hub_wq and related activity won't re-trigger */ spin_lock_irqsave(&hub->irq_urb_lock, flags); hub->quiescing = 1; 
@@ -3711,7 +3716,9 @@ static int hub_suspend(struct usb_interf } } - dev_dbg(&intf->dev, "%s\n", __func__); + dev_info(&intf->dev, "%p %s usage %d\n", + hub, __func__, + atomic_read(&intf->dev.power.usage_count)); /* stop hub_wq and related activity */ hub_quiesce(hub, HUB_SUSPEND); @@ -3756,7 +3763,7 @@ static int hub_resume(struct usb_interfa { struct usb_hub *hub = usb_get_intfdata(intf); - dev_dbg(&intf->dev, "%s\n", __func__); + dev_info(&intf->dev, "%p %s\n", hub, __func__); hub_activate(hub, HUB_RESUME); /* Index: usb-devel/drivers/usb/core/driver.c =================================================================== --- usb-devel.orig/drivers/usb/core/driver.c +++ usb-devel/drivers/usb/core/driver.c @@ -358,7 +358,11 @@ static int usb_probe_interface(struct de intf->needs_altsetting0 = 0; } + dev_info(dev, "pre-probe usage %d\n", + atomic_read(&intf->dev.power.usage_count)); error = driver->probe(intf, id); + dev_info(dev, "post-probe usage %d\n", + atomic_read(&intf->dev.power.usage_count)); if (error) goto err; @@ -420,7 +424,11 @@ static int usb_unbind_interface(struct d if (!driver->soft_unbind || udev->state == USB_STATE_NOTATTACHED) usb_disable_interface(udev, intf, false); + dev_info(dev, "pre-discon usage %d\n", + atomic_read(&intf->dev.power.usage_count)); driver->disconnect(intf); + dev_info(dev, "post-discon usage %d\n", + atomic_read(&intf->dev.power.usage_count)); /* Free streams */ for (i = 0, j = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
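
Review bot: In the hub_activate() hunk, hub->disconnected is sampled before the device_lock(&hdev->dev) taken in the HUB_INIT2/HUB_INIT3 branch directly below, so the logged value can differ from what the code sees once it holds the lock. For a race involving the status URB, add a second print after device_lock(), or move this one there for the INIT2/INIT3 path, so the log reflects the state the function actually acts on.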
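
Review bot: In the hub_quiesce() hunk, the message records entry and type only; it does not show whether hub->quiescing was already set before the assignment made under irq_urb_lock. Printing the previous value of hub->quiescing, read inside the spin_lock_irqsave() section, would show whether each quiesce is paired with a hub_activate call in the log.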
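
Review bot: Debug-only instrumentation in the hub_suspend() hunk: the dev_info logs at info level on every hub suspend and reads the PM core's intf->dev.power.usage_count field directly with atomic_read(), so it should not carry over into the eventual fix. Restore the original dev_dbg line once the investigation is done.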
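
Review bot: The hub_resume() hunk prints the hub pointer but not the usage count that the hub_suspend() message prints, so suspend and resume lines cannot be compared like for like. Add atomic_read(&intf->dev.power.usage_count) to this dev_info as well.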
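
Review bot: The post-probe message in the usb_probe_interface() hunk is emitted before the if (error) check and omits the return value, so a failed probe looks the same as a successful one in the log. Include error in the format string, for example "post-probe usage %d error %d\n".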
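
Review bot: The pre-discon and post-discon messages in the usb_unbind_interface() hunk do not record udev->state, although the condition just above them branches on USB_STATE_NOTATTACHED. Adding udev->state to the pre-discon print would show whether driver->disconnect() ran for a device that was already detached.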