ChangeSet 1.811.1.17, 2002/12/16 11:55:30-08:00, jkt@Helius.COM

[PATCH] uhci corruption on usb_submit_urb when already -EINPROGRESS

  uhci corrupts a list, either uhci->urb_list or uhci->urb_remove_list,
  when usb_submit_urb is called against an urb already in flight
  (urb->status == -EINPROGRESS).  yeah, i know you're not *supposed* to do
  that but Real Programmers(tm) make Real Mistakes(tm) (and timeouts are
  oh, so tricky!) and the code catches this case otherwise; unfortunately,
  the INIT_LIST_HEAD has already hammered your list.

  :{)}


diff -Nru a/drivers/usb/uhci.c b/drivers/usb/uhci.c
--- a/drivers/usb/uhci.c	Mon Dec 16 16:33:47 2002
+++ b/drivers/usb/uhci.c	Mon Dec 16 16:33:47 2002
@@ -1498,7 +1498,6 @@
 
 	uhci = (struct uhci *)urb->dev->bus->hcpriv;
 
-	INIT_LIST_HEAD(&urb->urb_list);
 	usb_inc_dev_use(urb->dev);
 
 	spin_lock_irqsave(&uhci->urb_list_lock, flags);
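Review bot: With INIT_LIST_HEAD(&urb->urb_list) dropped from this spot, a freshly allocated urb has an uninitialised urb_list from here until the call re-added in the next hunk, and the lines between the two hunks (roughly old lines 1505 to 1514) are not shown in the diff. Please confirm that nothing in that window reads or tests urb->urb_list (for example via list_empty), and say so in the changelog, since the fix depends on that ordering.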
@@ -1515,6 +1514,7 @@
 		return ret;
 	}
 
+    INIT_LIST_HEAD(&urb->urb_list);
 	if (!uhci_alloc_urb_priv(uhci, urb)) {
 		ret = -ENOMEM;
 
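Review bot: The added INIT_LIST_HEAD(&urb->urb_list) line is indented with four spaces while every surrounding line uses a tab; please switch it to a tab to match the file. It would also help to put a one-line comment above it stating that the list head may only be initialised after the early "return ret" path above, because an urb that is still in flight is linked on one of the uhci lists and re-initialising it corrupts that list. Without the comment the call looks like harmless setup that a later cleanup could move back to the top of the function.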
