On Tue, 11 Sep 2012, Hemant Kumar wrote:

> Hi
>
> I came across an issue where I see WARN_ON from iaa_watchdog_start() and
> after almost 10ms I see NULL ptr dereference in start_unlink_async().
> It happens exactly here:
>
>         prev = ehci->async;
>     =>  while (prev->qh_next.qh != qh)
>             prev = prev->qh_next.qh;
>
> Which looks to me that the qh that we are trying to unlink is not part of the
> async list maintained by ehci. Here is the status of the ehci_hcd struct at
> the time of crash.
>
> This issue was reported when interface suspend happened as a result of
> runtime suspend and our bridge driver called usb_kill_anchored_urbs().
> The bridge driver queues 50 rx URBs when it resumes and unlinks them during
> suspend.
>
> This issue is very hard to reproduce (takes around a week's time to show
> up). So I was trying to analyze it statically based on the ram dump but
> couldn't figure out a code path which can show this behavior.
>
> Can someone please provide some pointers which can cause this issue to
> happen, or if this is something known?

I can't tell from this what happened. You're right that the qh being
unlinked was not on the async list at the time.

My first thought was that you saw a race between ehci_iaa_watchdog() and
iaa_watchdog_done() -- which could account for the WARN_ON -- but it's
hard to see how that would cause the NULL dereference.

The logic for all of this code was changed completely in the 3.6 kernel.
You might want to try running the current -rc.

Alan Stern
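Added illustration, not code from this thread or from the kernel: a stripped-down model of the ehci->async list showing why the quoted unlink loop dereferences NULL when the qh is not on the list, beside a variant that stops at the tail and reports "not found" so the caller can WARN and skip the unlink. The struct layout and the helper names (find_prev_unchecked, find_prev_checked, prev_id_of) are assumptions for the demo.

```c
#include <stddef.h>

/* Simplified stand-in for struct ehci_qh (hypothetical layout); the real
 * kernel struct links through qh->qh_next.qh. */
struct ehci_qh {
	struct ehci_qh *next;   /* models qh_next.qh */
	int id;                 /* constructed label for the demo */
};

/* The loop quoted in the report: it assumes qh is on the list headed by
 * async. If it is not, the walk reaches the tail (next == NULL) and the
 * next iteration reads prev->next through a NULL pointer. */
struct ehci_qh *find_prev_unchecked(struct ehci_qh *async, struct ehci_qh *qh)
{
	struct ehci_qh *prev = async;
	while (prev->next != qh)
		prev = prev->next;   /* NULL dereference when qh is absent */
	return prev;
}

/* Defensive variant: stops at the end of the list and reports "not found"
 * instead of crashing, so the caller can WARN and skip the unlink. */
struct ehci_qh *find_prev_checked(struct ehci_qh *async, struct ehci_qh *qh)
{
	struct ehci_qh *prev = async;
	while (prev != NULL && prev->next != qh)
		prev = prev->next;
	return prev;   /* NULL means qh is not on the async list */
}

/* Constructed list: nodes[0] (async head) -> nodes[1] -> nodes[2];
 * nodes[3] is deliberately left unlinked, like the qh in the crash. */
static struct ehci_qh nodes[4];
static void build_list(void)
{
	int i;
	for (i = 0; i < 4; i++) { nodes[i].id = i; nodes[i].next = NULL; }
	nodes[0].next = &nodes[1];
	nodes[1].next = &nodes[2];
}

/* Returns the id of the node before nodes[target], or -1 if target is not
 * on the list (the case the report crashed on). */
int prev_id_of(int target)
{
	build_list();
	struct ehci_qh *p = find_prev_checked(&nodes[0], &nodes[target]);
	return p ? p->id : -1;
}
```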