I got this crash (twice) on 2.6.4 with IRDA dongle; the driver does a lot link/unlink and this is an SMP box, so this looks like a race.
See if the attached patch helps. I've done 24+ hours of abusive SMP unlink testing on OHCI ... but that included this patch.
Also, this bit of dl_done_list() is a bit wrong:
if (list_empty (&ed->td_list) && ed->state == ED_OPER)
start_ed_unlink (ohci, ed);
else ...Should be
if (list_empty (&ed->td_list)) {
if (ed->state == ED_OPER)
start_ed_unlink (ohci, ed);
} else ...Given your EIP and stack I'd assume the attached patch is your answer, I can't see how that little bracketing problem would fault that way.
I'll have a slightly better fix at some point, making all three HCDs handle that awkward window (one CPU unlinks while another submits) in the same way, but of course that means extra work to abuse each HCD ... and I don't think anyone's really done that assiduously since the first USB code arrived in 2.2 ! ;)
- Dave
--- a/drivers/usb/host/ohci-hcd.c Thu Mar 18 10:10:47 2004
+++ b/drivers/usb/host/ohci-hcd.c Thu Mar 18 10:10:47 2004
@@ -233,7 +233,7 @@
spin_lock (&urb->lock);
if (urb->status != -EINPROGRESS) {
spin_unlock (&urb->lock);
-
+ urb->hcpriv = urb_priv;
finish_urb (ohci, urb, 0);
retval = 0;
goto fail;
