Re: [linux-usb-devel] USB Uhci oops on 2.6.2-rc2

Wed, 28 Jan 2004 16:31:53 -0800 

On Tue, 27 Jan 2004, Stephen Hemminger wrote:

> I am working on a USB driver for an Irda dongle and getting perodic
> oops, that look like a race in the unlink urb code. The machine is
> a 2 cpu SMP running 2.6.2-rc2 (ie latest code).
> 
> Since the device and IRDA are basically half duplex, the driver is
> doing the following (in a kernel thread).
> 
>       Post receive interrupt urb
>       ...
>       Unlink receive urb
>       Transmit...
> 
> I am using synchronous unlink because the transmit can't start until the
> receive has aborted.
> 
> Any clues as to where to go from here on this problem?

> Looks like the entry in the remove list was free and
> is marked as poisoned.

You can try adding printk's to find out what's going wrong.  There are 
several lists the urbp goes on and off, so you can try to track the 
transitions.  They work as follows:

        URB is submitted.  urbp->urb_list linked to uhci->urb_list in 
                        uhci_alloc_urb_priv(), called by uhci_urb_enqueue().

        URB completes normally.  urbp->urb_list unlinked near the end
                        of uhci_transfer_result().
                urbp->complete_list linked to uhci->complete_list in
                        uhci_add_complete(), called by transfer_result.

        URB is cancelled.  urbp->urb_list unlinked in uhci_urb_dequeue().
                urbp->urb_list linked to uhci->urb_remove_list in
                        uhci_urb_dequeue().

        In uhci_remove_pending_qhs() -- where your oops occurred.
                urbp->urb_list unlinked from uhci->urb_remove_list.
                urbp->complete_list linked to uhci->complete_list in
                        uhci_add_complete(), called by remove_pending_qhs.

        In uhci_finish_completion().  urbp->complete_list unlinked.
                Calls uhci_finish_urb().

        In uhci_finish_urb().  Calls uhci_destroy_urb_priv() where
                        urbp is freed and its memory is poisoned.

Note there are some failure paths I didn't list.  For instance, if the URB
fails submission, uhci_destroy_urb_priv() is called directly from 
uhci_urb_enqueue().

To get your oops, urbp->complete_list must have been on the
uhci->complete_list at the same time as (or before) urbp->urb_list was on
the uhci->urb_remove_list.  Given that an URB can't both be cancelled and
complete normally, I don't see how that could have happened.  Maybe with
sufficient tracing you can find out.

Alan Stern




-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
[EMAIL PROTECTED]
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel

Reply via email to