Patch for bizzare oops in USB

From: Pete Zaitcev (zaitcev@redhat.com)
Date: Sat Aug 18 2001 - 00:31:01 EST


I ran webcam(1) with ov511 and if I hit ^C, the box oopses.
Apparently, the following happens:

1. On SIGINT, v4l closes ov511, which isses a string of
   control requests to quescent the cam.
2. One of those requests enters usb_internal_control_msg
   where it submits the URB and does schedule_timeout().
3. Since the signal is pending [sic], it does not wait,
   but spins testing urb->status.
4. The interrupt is taken on other CPU and it gets into
   sohci_return_urb, then clears status and calls urb_rm_priv.
5. The user thread sees that status becomes zero and *frees the URB*.
6. The urb_rm_priv takes a spinlock and does its dirty buseness.
7. User thread reallocates the URB and resubmits it,
   waiting on the spinlock meanwhile.
8. urb_rm_priv zaps urb->dev in the URB which was already
   freed and reallocated and releases the spinlock.
9. The user thread keels over deep inside td_submit_urb()
   dereferencing urb->dev->something

Took me a couple of days to figure it all out. :)

diff -ur -X dontdiff linux-2.4.8/drivers/usb/usb.c linux-2.4.8-e/drivers/usb/usb.c
--- linux-2.4.8/drivers/usb/usb.c Tue Jul 24 14:20:56 2001
+++ linux-2.4.8-e/drivers/usb/usb.c Fri Aug 17 22:03:27 2001
@@ -1066,7 +1066,7 @@
   
         awd.wakeup = &wqh;
         init_waitqueue_head(&wqh);
- current->state = TASK_INTERRUPTIBLE;
+ current->state = TASK_UNINTERRUPTIBLE; /* MUST BE SO. -- zaitcev */
         add_wait_queue(&wqh, &wait);
         urb->context = &awd;
         status = usb_submit_urb(urb);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Thu Aug 23 2001 - 21:00:26 EST