Re: SLUB Corruption from within drivers/usb/core/devio.c

Alan,
   Will the race condition below cause the problem?

   cancel_bulk_urbs()                    async_completed()
------------------------------           ----------------------------------
  spin_unlock(&ps->lock);
                                         list_move_tail(&as->asynclist, &ps->async_completed);
                                         wake_up(&ps->wait);
                                         This then leads to free_async() being triggered,
                                         and the urb and 'as' being freed.

  usb_unlink_urb(as->urb);
  ===> refers to the freed 'as'


If so, Oncaphillis, could you please try the following patch:
==============================================
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 8df4b76..9e65f6a 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -399,6 +399,7 @@ __releases(ps->lock)
 __acquires(ps->lock)
 {
 	struct async *as;
+	struct urb *urb;

 	/* Mark all the pending URBs that match bulk_addr, up to but not
 	 * including the first one without AS_CONTINUATION.  If such an
@@ -420,8 +421,11 @@ __acquires(ps->lock)
 	list_for_each_entry(as, &ps->async_pending, asynclist) {
 		if (as->bulk_status == AS_UNLINK) {
 			as->bulk_status = 0;		/* Only once */
+			urb = as->urb;
+			usb_get_urb(urb);
 			spin_unlock(&ps->lock);		/* Allow completions */
-			usb_unlink_urb(as->urb);
+			usb_unlink_urb(urb);
+			usb_put_urb(urb);
 			spin_lock(&ps->lock);
 			goto rescan;
 		}
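Review bot: The usb_get_urb()/usb_put_urb() pair around the unlocked usb_unlink_urb(urb) call carries no comment saying why the extra reference is needed, and the existing "Allow completions" comment does not make it obvious. A short comment above `urb = as->urb;` stating that 'as' and its URB can be freed by a completion once ps->lock is dropped, so as->urb has to be read and pinned while the lock is still held, would keep a later cleanup from folding this back into usb_unlink_urb(as->urb). In the visible lines nothing touches 'as' between spin_unlock() and `goto rescan`, which is what the fix depends on; that is worth stating in the commit message as well.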
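The window from the diagram in the message above, modelled in userspace C as an added example (not code from this thread or from the kernel). All struct and function names are constructed stand-ins, the lock is implied rather than implemented, and freed objects are only flagged so the stale access can be observed safely.

```c
#include <stdio.h>

/* Constructed userspace model of the window; not kernel code. */
struct urb   { int refcnt; int freed; };
struct async { struct urb *urb; int freed; };

static void urb_get(struct urb *u) { u->refcnt++; }
static void urb_put(struct urb *u) { if (--u->refcnt == 0) u->freed = 1; }

/* Stands in for async_completed() + free_async() in the unlocked window. */
static void completion_in_window(struct async *as)
{
    urb_put(as->urb);   /* drop the reference 'as' held */
    as->urb = NULL;
    as->freed = 1;      /* flagged, not released, so the model stays safe */
}

/* Stands in for usb_unlink_urb(): 0 if the URB is alive, -1 if stale. */
static int unlink_urb(struct urb *u) { return (u && !u->freed) ? 0 : -1; }

/* Original order: 'as' is dereferenced after the lock was dropped. */
static int cancel_unpinned(struct async *as)
{
    completion_in_window(as);          /* runs once the lock is dropped */
    return as->freed ? -1 : unlink_urb(as->urb);
}

/* Patched order: read as->urb and pin it while the lock is still held. */
static int cancel_pinned(struct async *as)
{
    struct urb *urb = as->urb;
    int ret;
    urb_get(urb);                      /* pin before the window opens */
    completion_in_window(as);          /* runs once the lock is dropped */
    ret = unlink_urb(urb);             /* 'as' is never touched again */
    urb_put(urb);                      /* may be the final put */
    return ret;
}

/* Runs one scenario; *urb_freed says whether the URB was released by the end. */
static int run(int pinned, int *urb_freed)
{
    struct urb u = { 1, 0 };
    struct async as = { &u, 0 };
    int ret = pinned ? cancel_pinned(&as) : cancel_unpinned(&as);
    *urb_freed = u.freed;
    return ret;
}

int main(void) { int f; printf("%d %d\n", run(0, &f), run(1, &f)); return 0; }
```

In the pinned case the URB is still released, but only at the final put after the unlink call has returned.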

