USB: ohci_hcd hang: submit vs. rmmod race
If we do rmmod ohci_hcd while an application is doing something, the following may happen: - a control URB completes (in finish_urb) and the ohci's endpoint is set into ED_UNLINK in ed_deschedule - same URB is (re)submitted because of the open/close loop or other such application behaviour - rmmod sets the state to HC_STATE_QUESCING - finish_unlinks happens at next SOF; normally it would set ed into ED_IDLE and immediately call ed_schedule (since URB had extra TDs queued), which sets it into ED_OPER. But the check in ed_schedule makes it fail with -EAGAIN (which is ignored) - from now on we have a dead URB stuck; it cannot even be unlinked because the ed status is not ED_OPER, and thus start_ed_unlink is not invoked. This patch removes the check. In 2.6.25, all callers check for __ACTIVE bit before invoking ed_schedule, which is more appropriate. Alan Stern and David Brownell approved of this (cautiously). Signed-off-by: Pete Zaitcev <zaitcev@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Loading
Please register or sign in to comment