Hi all,
been redirected here from bug #91511 [1].
I'm getting sporadic crashes in io_watchdog_func() in drivers/usb/host/ohci-
hcd.c:761:
"
list_for_each_entry(ed, &ohci->eds_in_use, in_use_list) {
if (ed->pending_td) {
"
with the in_use list getting corrupted:
from ohci_urb_enqueue():
[43656.918055] list_add double add: new=ffff8800cbaa8040, prev=ffff8800cb8aa5b8,
next=ffff8800cbaa8040.
from ohci_work.part():
[43656.920980] list_del corruption. next->prev should be ffff8800cbaa8040, but
was ffff8800cb8aa5b8
One or both set the pointer to 0xdead000000100100 and 0xdead0000001000c0,
where io_watchdog_func() chokes on [2].
It seems to be related to keyboard input (at least it happens when using the
keyboard), without relation to system load. Can happen within a day after boot
or after several days of hibernated uptime. Unfortunately, I haven't found a
way to reliably reproduce the issue, yet.
The box is a "Gigabyte GA-78LMT-USB3" with "AMD FX(tm)-6300 Six-Core
Processor" and "[AMD/ATI] SB7x0 USB OHCI1 Controller".
For more info including crash trace, just have a look at the bug report [1]
My (pretty wild) guess is, that the corruption happens through a race in the
interrupt handler ohci_irq(), which calls ohci_work(), which calls
finish_urb(), which states:
" * PRECONDITION: ohci lock held, irqs blocked"
But ohci_irq() seems to only spin_[un]lock(), not spin_[un]lock_irq[save|
restore](). All other functions that call ohci_work() do at least
spin_[un]lock_irq. So irqs could still be enabled and possibly the event
triggered twice, thus the double list add?
If you need more information just let me know (per the bug [1] or CC, since
I'm not subscribed to this list).
Kind regards,
Heiko
[1] https://bugzilla.kernel.org/show_bug.cgi?id=91511
[2] https://bugzilla.kernel.org/attachment.cgi?id=163721
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
