From: Pete Zaitcev <zaitcev@redhat.com>
To: johannes@erdfelt.com
Cc: linux-kernel@vger.kernel.org, Pete Zaitcev <zaitcev@redhat.com>
Subject: Patch for bizzare oops in USB
Date: Sat, 18 Aug 2001 01:31:01 -0400 [thread overview]
Message-ID: <20010818013101.A7058@devserv.devel.redhat.com> (raw)
I ran webcam(1) with ov511 and if I hit ^C, the box oopses.
Apparently, the following happens:
1. On SIGINT, v4l closes ov511, which isses a string of
control requests to quescent the cam.
2. One of those requests enters usb_internal_control_msg
where it submits the URB and does schedule_timeout().
3. Since the signal is pending [sic], it does not wait,
but spins testing urb->status.
4. The interrupt is taken on other CPU and it gets into
sohci_return_urb, then clears status and calls urb_rm_priv.
5. The user thread sees that status becomes zero and *frees the URB*.
6. The urb_rm_priv takes a spinlock and does its dirty buseness.
7. User thread reallocates the URB and resubmits it,
waiting on the spinlock meanwhile.
8. urb_rm_priv zaps urb->dev in the URB which was already
freed and reallocated and releases the spinlock.
9. The user thread keels over deep inside td_submit_urb()
dereferencing urb->dev->something
Took me a couple of days to figure it all out. :)
diff -ur -X dontdiff linux-2.4.8/drivers/usb/usb.c linux-2.4.8-e/drivers/usb/usb.c
--- linux-2.4.8/drivers/usb/usb.c Tue Jul 24 14:20:56 2001
+++ linux-2.4.8-e/drivers/usb/usb.c Fri Aug 17 22:03:27 2001
@@ -1066,7 +1066,7 @@
awd.wakeup = &wqh;
init_waitqueue_head(&wqh);
- current->state = TASK_INTERRUPTIBLE;
+ current->state = TASK_UNINTERRUPTIBLE; /* MUST BE SO. -- zaitcev */
add_wait_queue(&wqh, &wait);
urb->context = &awd;
status = usb_submit_urb(urb);
next reply other threads:[~2001-08-18 5:31 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-08-18 5:31 Pete Zaitcev [this message]
2001-08-20 11:59 ` Patch for bizzare oops in USB Thomas Sailer
2001-08-20 21:06 ` Pete Zaitcev
2001-08-21 8:29 ` Thomas Sailer
2001-08-20 21:44 ` Pete Zaitcev
2001-08-21 4:01 ` Johannes Erdfelt
2001-08-21 4:17 ` Pete Zaitcev
2001-08-20 22:12 ` Eugene Crosser
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20010818013101.A7058@devserv.devel.redhat.com \
--to=zaitcev@redhat.com \
--cc=johannes@erdfelt.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox