MUSB crash on OMAP3 board with second load of gadget

From: Sergey Lapin
Date: Thu Jan 21 2010 - 06:26:58 EST

Hi! I have crashes in MUSB code when working with USB gadget drivers.
Kernel version: linux-omap master d8ebff302ff819587377b123e900e501e4135d86
To reproduce: (USB device cable should be attached).

dd if=/dev/zero of=/tmp/disk bs=1k count=1024
mkdosfs -F 32 /tmp/disk
insmod g_mass_storage file=/tmp/disk stall=0

Wait till disk is mounted on host, then

rmmod g_mass_storage
insmod g_mass_storage file=/tmp/disk stall=0

And here we get an Oops in include/linux/list.h line 93,
list_del function, which leads us to drivers/usb/musb/musb_gadget.c,
function void musb_g_giveback(struct musb_ep *ep, struct usb_request *request, int status),
just at the beginning of the function.

If we add
pr_debug("list.prev = %p\n", request->list.prev);
pr_debug(" = %p\n", request->;

and we see

list.prev = 6b6b6b6b = 6b6b6b6b

And these are NOT values set during list deletion.

Any ideas where to debug from here? If I just do return from that
function in case of list.prev = 6b6b6b6b, then there's no crash, but
there's no working USB either. If I just ignore list_del, I have a
crash later, where it seems to execute bad code from address
0x6b6b6b6a. Please, help!

Thanks a lot,
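
Added example, not part of the original message and not kernel code: a user-space C model that contrasts what list_del() leaves in a list node (LIST_POISON1/LIST_POISON2 from include/linux/poison.h) with the 0x6b byte fill (POISON_FREE) that slab debugging writes over freed objects, the pattern seen in list.prev above and consistent with a request being touched after it was freed. struct request, classify() and the two state_* helpers are hypothetical names, and the free is modelled with memset on memory that stays mapped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define LIST_POISON1 ((uintptr_t)0x00100100) /* poison.h: list_del() stores this in ->next */
#define LIST_POISON2 ((uintptr_t)0x00200200) /* poison.h: list_del() stores this in ->prev */
#define POISON_FREE  0x6b                    /* slab debug fill of a freed object */

struct list_head { struct list_head *next, *prev; };
struct request { int length; struct list_head list; }; /* stand-in for usb_request */
enum ptr_state { PTR_LIVE, PTR_LIST_DELETED, PTR_SLAB_FREED };

static void list_del(struct list_head *e)
{
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = (struct list_head *)LIST_POISON1;
    e->prev = (struct list_head *)LIST_POISON2;
}

static enum ptr_state classify(const void *field)
{
    uintptr_t v, freed;
    memcpy(&v, field, sizeof v); /* read the stored pointer, never dereference it */
    memset(&freed, POISON_FREE, sizeof freed); /* 0x6b6b6b6b on a 32-bit target */
    if (v == LIST_POISON1 || v == LIST_POISON2) return PTR_LIST_DELETED;
    return v == freed ? PTR_SLAB_FREED : PTR_LIVE;
}

static enum ptr_state state_after_list_del(void)
{
    struct list_head queue;
    struct request r = { 512, { &queue, &queue } };
    queue.next = queue.prev = &r.list; /* queue holds exactly this one request */
    list_del(&r.list);
    return classify(&r.list.prev);
}

static enum ptr_state state_after_free(void)
{
    static struct request stale; /* constructed backing store, stays mapped */
    memset(&stale, POISON_FREE, sizeof stale); /* models kfree() with poisoning */
    return classify(&stale.list.prev);
}

int main(void)
{
    printf("list_del: %d, freed: %d\n", state_after_list_del(), state_after_free());
    return 0;
}
```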
