From 59c2afa072506aae10ef93126aab651142e0c908 Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Tue, 5 Jun 2007 16:46:26 -0700 Subject: [PATCH] USB: option: fix usage of urb->status abuse Might fix bug 8561 On Mon, 4 Jun 2007, Paulo Pereira wrote: > The patch that you send is not resolving the problem... :( > I stil have Kernel panic after 45/60 min of work with Ktorrent/Amule... > > The Drump is: > > Call Trace: > [] usb_hcd_submit+0xb1/0x763 > [] ipt_do_table+0x2c7/0x2ef [ip_tables] > [] nf_ct_deliver_cached_events+0x41/0x96 [nf_conntrak] > [] ipv4_confirm+0x36/0c3b [nf_conntrack_ipv4] > [] tcp_v4_rcv+0x827/0x899 > [] nf_hook_slow+0x4d/0xb5 > [] irq_enter+0x19/0x23 > [] irq_enter+0x19/0x23 > [] do_IRQ+0xbd/0xd1 > [] option_write+0xa7/0xef [option] Okay, from this it looks like there's a problem in the option.c serial driver. Glancing at the code, it's obvious why: The thing totally abuses the USB API. Try applying this patch; it should help. From: Alan Stern Cc: Paulo Pereira Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/option.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index 5d3999e3ff61..b37d65fc8752 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -38,6 +38,7 @@ #include #include #include +#include #include #include @@ -240,6 +241,7 @@ struct option_port_private { /* Output endpoints and buffer for this port */ struct urb *out_urbs[N_OUT_URB]; char out_buffer[N_OUT_URB][OUT_BUFLEN]; + unsigned long out_busy; /* Bit vector of URBs in use */ /* Settings for the port */ int rts_state; /* Handshaking pins (outputs) */ @@ -370,7 +372,7 @@ static int option_write(struct usb_serial_port *port, todo = OUT_BUFLEN; this_urb = portdata->out_urbs[i]; - if (this_urb->status == -EINPROGRESS) { + if (test_and_set_bit(i, &portdata->out_busy)) { if (time_before(jiffies, portdata->tx_start_time[i] + 10 * HZ)) continue; @@ -394,6 +396,7 @@ static int option_write(struct usb_serial_port *port, dbg("usb_submit_urb %p (write bulk) failed " "(%d, has %d)", this_urb, err, this_urb->status); + clear_bit(i, &portdata->out_busy); continue; } portdata->tx_start_time[i] = jiffies; @@ -446,12 +449,23 @@ static void option_indat_callback(struct urb *urb) static void option_outdat_callback(struct urb *urb) { struct usb_serial_port *port; + struct option_port_private *portdata; + int i; dbg("%s", __FUNCTION__); port = (struct usb_serial_port *) urb->context; usb_serial_port_softint(port); + + portdata = usb_get_serial_port_data(port); + for (i = 0; i < N_OUT_URB; ++i) { + if (portdata->out_urbs[i] == urb) { + smp_mb__before_clear_bit(); + clear_bit(i, &portdata->out_busy); + break; + } + } } static void option_instat_callback(struct urb *urb) @@ -518,7 +532,7 @@ static int option_write_room(struct usb_serial_port *port) for (i=0; i < N_OUT_URB; i++) { this_urb = portdata->out_urbs[i]; - if (this_urb && this_urb->status != -EINPROGRESS) + if (this_urb && !test_bit(i, &portdata->out_busy)) data_len += OUT_BUFLEN; } @@ -537,7 +551,7 @@ static int option_chars_in_buffer(struct usb_serial_port *port) for (i=0; i < N_OUT_URB; i++) { this_urb = portdata->out_urbs[i]; - if (this_urb && this_urb->status == -EINPROGRESS) + if (this_urb && test_bit(i, &portdata->out_busy)) data_len += this_urb->transfer_buffer_length; } dbg("%s: %d", __FUNCTION__, data_len); -- 2.39.5