>Number:         26547
>Category:       misc
>Synopsis:       ohci can cancel timeouts before transfer have finished
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 04 15:47:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Dan Ellis
>Release:        
>Organization:
Conexant Systems Inc.
>Environment:
>Description:
In usb/ohci.c, some devices fail to abort cleanly - transfers can be removed from the done queue resulting in a kernel panic.
>How-To-Repeat:
Plugging in mass storage devices such as a Canon 750Z Camera.
>Fix:
Transfers should only be removed if they haven't already completed (in usb/ohci.c):

@@ -2229,7 +2244,9 @@
 	for (; p->xfer == xfer; p = n) {
 		hit |= headp == p->physaddr;
 		n = p->nexttd;
-		ohci_free_std(sc, p);
+		if (OHCI_TD_GET_CC(le32toh(p->td.td_flags)) ==
+                    OHCI_CC_NOT_ACCESSED)
+                    ohci_free_std(sc, p);
 	}
 	/* Zap headp register if hardware pointed inside the xfer. */
 	if (hit) {

>Release-Note:
>Audit-Trail:
>Unformatted: