From: Kloetzke Jan <Jan.Kloetzke@xxxxxxx>
Date: Tue, 21 May 2019 13:18:40 +0000

> When disconnecting cdc_ncm the kernel sporadically crashes shortly
> after the disconnect:
 ...
> The crash happens roughly 125..130ms after the disconnect. This
> correlates with the 'delay' timer that is started on certain USB tx/rx
> errors in the URB completion handler.
>
> The problem is a race of usbnet_stop() with usbnet_start_xmit(). In
> usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in
> flight. This only makes sense if no new URBs are submitted
> concurrently, though. But the usbnet_start_xmit() can run at the same
> time on another CPU which almost unconditionally submits an URB. The
> error callback of the new URB will then schedule the timer after it was
> already stopped.
>
> The fix adds a check if the tx queue is stopped after the tx list lock
> has been taken. This should reliably prevent the submission of new URBs
> while usbnet_terminate_urbs() does its job. The same thing is done on
> the rx side even though it might be safe due to other flags that are
> checked there.
>
> Signed-off-by: Jan Klötzke <Jan.Kloetzke@xxxxxxx>

Applied.
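
The check-under-lock pattern the commit message describes, as an added example that is not part of the original mail or of the usbnet driver: a single-threaded userspace model that replays the "submit lands after stop" interleaving with and without the check. The struct, its fields and all function names are hypothetical stand-ins.

```c
#include <pthread.h>
#include <stdbool.h>

struct txq {               /* userspace model; all names are hypothetical */
    pthread_mutex_t lock;  /* stands in for the tx list lock */
    bool stopped;          /* stands in for "tx queue is stopped" */
    int in_flight;         /* URBs submitted and not yet completed */
    bool timer_armed;      /* the 'delay' timer from the error path */
};

/* Transmit path: with check_stopped, the flag is tested under the lock. */
static bool xmit(struct txq *q, bool check_stopped)
{
    pthread_mutex_lock(&q->lock);
    bool ok = !(check_stopped && q->stopped);
    if (ok) q->in_flight++;
    pthread_mutex_unlock(&q->lock);
    return ok;
}

/* URB completion with an error: schedules the delay timer. */
static void complete_with_error(struct txq *q)
{
    pthread_mutex_lock(&q->lock);
    q->in_flight--;
    q->timer_armed = true;
    pthread_mutex_unlock(&q->lock);
}

/* Stop path: mark stopped, cancel URBs in flight, then stop the timer. */
static void stop(struct txq *q)
{
    pthread_mutex_lock(&q->lock);
    q->stopped = true;
    q->in_flight = 0;
    pthread_mutex_unlock(&q->lock);
    q->timer_armed = false;
}

/* Replays the race: a submit from another CPU lands after stop(). */
static bool timer_armed_after_stop(bool check_stopped)
{
    struct txq q = { .lock = PTHREAD_MUTEX_INITIALIZER };
    stop(&q);
    if (xmit(&q, check_stopped))
        complete_with_error(&q);
    return q.timer_armed;  /* true: timer left armed after stop */
}
int main(void) { return timer_armed_after_stop(true); }
```

Without the check the late submit goes through and its error completion re-arms the timer after the stop path has already stopped it; with the check the submit is refused and the timer stays off.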