1. On SIGINT, v4l closes ov511, which isses a string of
control requests to quescent the cam.
2. One of those requests enters usb_internal_control_msg
where it submits the URB and does schedule_timeout().
3. Since the signal is pending [sic], it does not wait,
but spins testing urb->status.
4. The interrupt is taken on other CPU and it gets into
sohci_return_urb, then clears status and calls urb_rm_priv.
5. The user thread sees that status becomes zero and *frees the URB*.
6. The urb_rm_priv takes a spinlock and does its dirty buseness.
7. User thread reallocates the URB and resubmits it,
waiting on the spinlock meanwhile.
8. urb_rm_priv zaps urb->dev in the URB which was already
freed and reallocated and releases the spinlock.
9. The user thread keels over deep inside td_submit_urb()
dereferencing urb->dev->something
Took me a couple of days to figure it all out. :)
diff -ur -X dontdiff linux-2.4.8/drivers/usb/usb.c linux-2.4.8-e/drivers/usb/usb.c
--- linux-2.4.8/drivers/usb/usb.c Tue Jul 24 14:20:56 2001
+++ linux-2.4.8-e/drivers/usb/usb.c Fri Aug 17 22:03:27 2001
@@ -1066,7 +1066,7 @@
awd.wakeup = &wqh;
init_waitqueue_head(&wqh);
- current->state = TASK_INTERRUPTIBLE;
+ current->state = TASK_UNINTERRUPTIBLE; /* MUST BE SO. -- zaitcev */
add_wait_queue(&wqh, &wait);
urb->context = &awd;
status = usb_submit_urb(urb);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/