I am currently using the rndis-wlan driver in 2.6.27 with a Linksys WUSB54GS USB wifi module. When I attempt to bring the interface down or remove the rndis-wlan module, I am seeing a spinlock recursion bug when usbnet is attempting to unlink the urbs from the device. [ 1234.540000] BUG: spinlock recursion on CPU#0, ifconfig/4379 [ 1234.540000] lock: c1e9d5cc, .magic: dead4ead, .owner: ifconfig/4379, .owner_cpu: 0 [ 1234.540000] [<c0028bdc>] (dump_stack+0x0/0x14) from [<c013e880>] (spin_bug+0x84/0xd8) [ 1234.540000] [<c013e7fc>] (spin_bug+0x0/0xd8) from [<c013ebec>] (_raw_spin_lock+0x144/0x184) [ 1234.540000] r6:60000093 r5:c1fb8000 r4:c1e9d5cc [ 1234.540000] [<c013eaa8>] (_raw_spin_lock+0x0/0x184) from [<c022bb2c>] (_spin_lock_irqsave+0x4c/0x58) [ 1234.540000] [<c022bae0>] (_spin_lock_irqsave+0x0/0x58) from [<bf008320>] (defer_bh+0x28/0xd8 [usbnet]) [ 1234.540000] r6:c1e9d5cc r5:c1e9d5c0 r4:c1fc8900 [ 1234.540000] [<bf0082f8>] (defer_bh+0x0/0xd8 [usbnet]) from [<bf0091b0>] (rx_complete+0x178/0x268 [usbnet]) [ 1234.540000] r8:c1ec0880 r7:c1fc8924 r6:c1fc8900 r5:ffffff98 r4:c1e9d480 [ 1234.540000] [<bf009038>] (rx_complete+0x0/0x268 [usbnet]) from [<c018071c>] (usb_hcd_giveback_urb+0x70/0x120) [ 1234.540000] r8:c1dbf9c0 r7:c1ec0880 r6:ffffff98 r5:c1dea000 r4:c1ec0880 [ 1234.540000] [<c01806ac>] (usb_hcd_giveback_urb+0x0/0x120) from [<bf000e88>] (pehci_hcd_urb_complete+0xb8/0x108 [isp1761]) [ 1234.540000] r6:c1f4fe00 r5:c1dea0f8 r4:00000000 [ 1234.540000] [<bf000dd0>] (pehci_hcd_urb_complete+0x0/0x108 [isp1761]) from [<bf0040c0>] (pehci_hcd_urb_dequeue+0x238/0x268 [isp17 61]) [ 1234.540000] [<bf003e88>] (pehci_hcd_urb_dequeue+0x0/0x268 [isp1761]) from [<c018083c>] (unlink1+0x70/0xe8) [ 1234.540000] [<c01807cc>] (unlink1+0x0/0xe8) from [<c0181714>] (usb_hcd_unlink_urb+0x28/0x7c) [ 1234.540000] r8:c1e9d480 r7:00000000 r6:c1fc89c0 r5:c1ec0880 r4:c1ec0880 [ 1234.540000] [<c01816ec>] (usb_hcd_unlink_urb+0x0/0x7c) from [<c0182420>] (usb_unlink_urb+0x40/0x44) [ 1234.540000] r5:c1e9d5c0 r4:c1ec0880 [ 1234.540000] [<c01823e0>] (usb_unlink_urb+0x0/0x44) from [<bf0080bc>] (unlink_urbs+0x58/0xb4 [usbnet]) [ 1234.540000] [<bf008064>] (unlink_urbs+0x0/0xb4 [usbnet]) from [<bf008ae8>] (usbnet_stop+0xf0/0x1cc [usbnet]) [ 1234.540000] [<bf0089f8>] (usbnet_stop+0x0/0x1cc [usbnet]) from [<c01bb88c>] (dev_close+0x78/0xbc) [ 1234.540000] [<c01bb814>] (dev_close+0x0/0xbc) from [<c01bb65c>] (dev_change_flags+0x78/0x180) [ 1234.540000] r4:00000041 [ 1234.540000] [<c01bb5e4>] (dev_change_flags+0x0/0x180) from [<c01fde2c>] (devinet_ioctl+0x608/0x754) [ 1234.540000] r7:c1dbc100 r6:00000000 r5:c1fb8000 r4:be97cb20 [ 1234.540000] [<c01fd824>] (devinet_ioctl+0x0/0x754) from [<c01fe660>] (inet_ioctl+0x1ac/0x1c4) [ 1234.540000] [<c01fe4b4>] (inet_ioctl+0x0/0x1c4) from [<c01ae828>] (sock_ioctl+0xd0/0x264) [ 1234.540000] [<c01ae758>] (sock_ioctl+0x0/0x264) from [<c0099adc>] (vfs_ioctl+0x34/0x78) [ 1234.540000] r6:00008914 r5:00008914 r4:be97cb20 [ 1234.540000] [<c0099aa8>] (vfs_ioctl+0x0/0x78) from [<c0099d00>] (do_vfs_ioctl+0x1e0/0x2cc) [ 1234.540000] r5:be97cb20 r4:c1dbfc00 [ 1234.540000] [<c0099b20>] (do_vfs_ioctl+0x0/0x2cc) from [<c0099e2c>] (sys_ioctl+0x40/0x68) [ 1234.540000] r6:00008914 r5:be97cb20 r4:00000003 [ 1234.540000] [<c0099dec>] (sys_ioctl+0x0/0x68) from [<c0024c80>] (ret_fast_syscall+0x0/0x2c) [ 1234.540000] r7:00000036 r6:00000015 r5:00089028 r4:00088eac In looking at the code it appears that the unlink_urbs function in usbnet acquires the lock on the skb queue before calling usb_unlink_urb. When the urb is unlinked the completion handler is called (rx_complete) and it sees a status code of -ECONNRESET and jumps to block, which then jumps out of the switch. The statement immediately following calls defer_bh against the rx skb queue where an attempt is made to acquire the lock on the skb queue again, resulting in the recursion bug. I am using the Philips/NXP ISP1761 host controller on a custom ARM9 board. The driver is mostly the Phillips/NXP driver found on sourceforge with a few modifications made to port it to 2.6.27 and to support mutiple host controllers. I have also tried this using the ISP1760 driver that was mainlined in 2.6.27, where the same error also occurs. It does not appear that any of this code has changed in 2.6.28. I'm new at this so I may be completely missing the boat on this one…. Jeremy Williams Software Engineer Northrop Grumman -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
