On Wed, 6 May 2020, Pete Zaitcev wrote:

> On Wed, 06 May 2020 11:14:42 +0200
> Oliver Neukum <oneukum@xxxxxxxx> wrote:
>
> > Very well. We are not going to find it without exceptional luck. Yet
> > there may be a real issue, too. We simply do not know. How about the
> > attached patch?
>
> > usblp_unlink_urbs(usblp);
> > mutex_unlock(&usblp->mut);
> > + usb_poison_anchored_urbs(&usblp->urbs);
> >
> > if (!usblp->used)
> > usblp_cleanup(usblp);
>
> This can't be right. Our URBs are freed by the callback, and this
> technique is not compatible with poisoning, at least with how the
> usb/core.c implements it. The usb_poison_urb() waits for URB
> to complete, and if the callback frees it, it's a problem.

That's not a problem. URBs are reference-counted, and
usb_poison_anchored_urbs() does usb_get_urb() before and usb_put_urb()
after calling usb_poison_urb().

Alan Stern
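
Review bot: the added usb_poison_anchored_urbs(&usblp->urbs) sits after mutex_unlock(&usblp->mut) and directly after usblp_unlink_urbs(usblp), with no comment saying why poisoning is needed on top of the unlink or whether it is meant to run outside the mutex. Nothing in the hunk unpoisons the anchor, and the following `if (!usblp->used)` shows the structure can outlive this point, so please state in a comment or the changelog what a later submission to this anchor from a still-open file is expected to do.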
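
Alan Stern's point, as an added userspace model in C (not kernel code and not from the thread): an extra reference held across the poison call keeps the URB alive even though the completion callback drops the driver's reference. The names `urb_get`, `urb_put`, `poison_urb` and `poison_anchored` are hypothetical stand-ins for the kernel functions named above, and the wait for completion is modelled by running the callback synchronously.

```c
#include <stdio.h>
#include <stdlib.h>

struct urb {
    int refcount;     /* modelled reference count */
    int reject;       /* nonzero once poisoned */
    int *freed_flag;  /* constructed: lets the caller observe the free */
};

static struct urb *urb_alloc(int *freed_flag) {
    struct urb *u = calloc(1, sizeof(*u));
    if (!u) return NULL;
    u->refcount = 1;              /* the driver's reference */
    u->freed_flag = freed_flag;
    *freed_flag = 0;
    return u;
}
static struct urb *urb_get(struct urb *u) { u->refcount++; return u; }
static void urb_put(struct urb *u) {
    if (--u->refcount == 0) { *u->freed_flag = 1; free(u); }
}
/* Completion callback that "frees" the URB by dropping the driver's ref. */
static void completion_callback(struct urb *u) { urb_put(u); }

/* Poison one URB: mark it, wait for completion, then touch it again.
 * Only safe if the caller holds a reference of its own. */
static int poison_urb(struct urb *u) {
    u->reject++;
    completion_callback(u);       /* completion happens during the wait */
    return u->reject;             /* access after the callback has run */
}
/* The get / poison / put pattern described in the reply. */
static int poison_anchored(struct urb *u, int *freed_during) {
    int r;
    urb_get(u);                   /* pin the URB across the wait */
    r = poison_urb(u);
    *freed_during = *u->freed_flag;
    urb_put(u);                   /* last reference: freed here */
    return r;
}

int main(void) {
    int freed, during;
    struct urb *u = urb_alloc(&freed);
    if (!u) return 1;
    poison_anchored(u, &during);
    printf("freed during poison: %d, freed after: %d\n", during, freed);
    return 0;
}
```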