USB related "unable to handle kernel paging request" in 3.0.0-rc7

USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Tino Keitel]

[-- Attachment #1: Type: text/plain, Size: 2954 bytes --]

Hi,

I get the following Oops when booting 3.0.0-rc7 (actually
1f922d07704c501388a306c78536bca7432b3934):

BUG: unable to handle kernel paging request at 0000000000001e78
IP: [<ffffffffa00b0081>] vp7045_usb_probe+0x51/0x90 [dvb_usb_vp7045]
PGD b920c067 PUD b9327067 PMD 0 
Oops: 0002 [#1] SMP 
CPU 0 
Modules linked in: ath5k(+) ath mac80211 snd_hda_codec_idt
snd_hda_intel snd_hda_codec snd_pcm_oss snd_pcm dvb_usb_vp7045(+)
dvb_usb dvb_core cfg80211 rc_core snd_timer evdev sky2 ata_piix
snd_page_alloc

Pid: 858, comm: modprobe Not tainted 3.0.0-rc7-00177-g5679ce7 #5 Apple
Inc. Macmini2,1/Mac-F4208EAA
RIP: 0010:[<ffffffffa00b0081>]  [<ffffffffa00b0081>]
vp7045_usb_probe+0x51/0x90 [dvb_usb_vp7045]
RSP: 0018:ffff8800b8525da8  EFLAGS: 00010296
RAX: ffff8800b853fde0 RBX: ffff8800b9c3ac00 RCX: 0000000000000008
RDX: 0000000000000064 RSI: 00000000000000d0 RDI: ffff8800bdc000c0
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8800beebcff0
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffffa00b0dc0 R14: ffff8800b9c3ac00 R15: 0000000000000000
FS:  00007fed482bd700(0000) GS:ffff8800bec00000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000001e78 CR3: 00000000b9334000 CR4: 00000000000006b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process modprobe (pid: 858, threadinfo ffff8800b8524000, task
ffff8800bdd1c7a0)
Stack:
 ffff8800babb8800 0000000000000000 ffff8800b9c3ac30 ffff8800babb8800
 ffffffffa00b0ea8 ffffffff81390c05 0000000000405e80 ffff8800b9c3ac30
 00000000ffffffed ffffffffa00b0ea8 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff81390c05>] ? usb_probe_interface+0xe5/0x1e0
 [<ffffffff8133203f>] ? driver_probe_device+0x6f/0x190
 [<ffffffff813321f3>] ? __driver_attach+0x93/0xa0
 [<ffffffff81332160>] ? driver_probe_device+0x190/0x190
 [<ffffffff813310f3>] ? bus_for_each_dev+0x53/0x80
 [<ffffffff813319a8>] ? bus_add_driver+0x178/0x240
 [<ffffffff813326ca>] ? driver_register+0x6a/0x130
 [<ffffffff8138fb3e>] ? usb_register_driver+0x8e/0x180
 [<ffffffffa00b4000>] ? 0xffffffffa00b3fff
 [<ffffffffa00b401b>] ? vp7045_usb_module_init+0x1b/0x35
 [dvb_usb_vp7045]
 [<ffffffff810001cc>] ? do_one_initcall+0x3c/0x170
 [<ffffffff8106d3da>] ? sys_init_module+0x8a/0x200
 [<ffffffff814b653b>] ? system_call_fastpath+0x16/0x1b
Code: 24 18 48 89 fb 4c 89 64 24 20 e8 4b 85 ff ff 85 c0 89 c5 75 2d 48
8b 3d 96 a8 5a e1 be d0 00 00 00 4c 8b 64 24 08 e8 0f 9b 00 e1 
 89 84 24 78 1e 00 00 48 8b 44 24 08 48 83 b8 78 1e 00 00 00 
RIP  [<ffffffffa00b0081>] vp7045_usb_probe+0x51/0x90 [dvb_usb_vp7045]
 RSP <ffff8800b8525da8>
CR2: 0000000000001e78
---[ end trace bbbe095431a3447b ]---

Full dmesg is attached. I also had a hang after suspend to RAM, I don't know if this was
related.

This is a Mac mini Core 2 Duo, and before I ran 2.6.39.3 without such
problems.

Regards,
Tino

[-- Attachment #2: dmesg.xz --]
[-- Type: application/octet-stream, Size: 10304 bytes --]

Re: USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Maciej Rutecki]

On piątek, 22 lipca 2011 o 21:27:22 Tino Keitel wrote:
> Hi,
> 
> I get the following Oops when booting 3.0.0-rc7 (actually
> 1f922d07704c501388a306c78536bca7432b3934):
> 
[...]

I created a Bugzilla entry at 
https://bugzilla.kernel.org/show_bug.cgi?id=40062
for your bug report, please add your address to the CC list in there, thanks!

-- 
Maciej Rutecki
http://www.maciek.unixy.pl

Re: USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Dan Carpenter]

Looking at this, I noticed a memory corruption bug introduce in:
ab22cbda6651d "[media] vp7045: get rid of on-stack dma buffers"

vp7045_properties.size_of_priv is sizeof(u8 *) so in vp7045_usb_probe()
the d->priv buffer gets allocated twice.  Once in:
	dvb_usb_device_init()
	-> dvb_usb_init()

And once explicitly to a larger buffer later on in the function with
a kmalloc().

So the two places that use the buffer will probably race and cause
memory corruption.

regards,
dan carpenter

Re: USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Florian Mickler]

On Tue, 2 Aug 2011 11:54:47 +0300
Dan Carpenter <error27@gmail.com> wrote:

> Looking at this, I noticed a memory corruption bug introduce in:
> ab22cbda6651d "[media] vp7045: get rid of on-stack dma buffers"
> 
> vp7045_properties.size_of_priv is sizeof(u8 *) so in vp7045_usb_probe()
> the d->priv buffer gets allocated twice.  Once in:
> 	dvb_usb_device_init()
> 	-> dvb_usb_init()
> 
> And once explicitly to a larger buffer later on in the function with
> a kmalloc().
> 
> So the two places that use the buffer will probably race and cause
> memory corruption.
> 
> regards,
> dan carpenter

Damn. That (u8*)sized priv buffer should only hold a pointer to the
transfer buffer allocated in the prope routine. But I botched that. 
I will send a fixup in a minute.  

Regards,
Flo

Re: USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Florian Mickler]

On Tue, 2 Aug 2011 11:51:45 +0200
Florian Mickler <florian@mickler.org> wrote:

> On Tue, 2 Aug 2011 11:54:47 +0300
> Dan Carpenter <error27@gmail.com> wrote:
> 
> > Looking at this, I noticed a memory corruption bug introduce in:
> > ab22cbda6651d "[media] vp7045: get rid of on-stack dma buffers"
> > 
> > vp7045_properties.size_of_priv is sizeof(u8 *) so in vp7045_usb_probe()
> > the d->priv buffer gets allocated twice.  Once in:
> > 	dvb_usb_device_init()
> > 	-> dvb_usb_init()
> > 
> > And once explicitly to a larger buffer later on in the function with
> > a kmalloc().
> > 
> > So the two places that use the buffer will probably race and cause
> > memory corruption.

Btw, what two places use the buffer? I only see vp7045_usb_op. Did you
mean s/use/free/ or did I overlook it?

Patch below.

> > 
> > regards,
> > dan carpenter
> 
> Damn. That (u8*)sized priv buffer should only hold a pointer to the
> transfer buffer allocated in the prope routine. But I botched that. 
> I will send a fixup in a minute.  
> 
> Regards,
> Flo

This should fix it. 

[git am -c ]
--------->8-------->8---------->8------------>8---------------------------
commit 2c505d4867be9f3605c20ed505ec62d2096a05b1
Author: Florian Mickler <florian@mickler.org>
Date:   Tue Aug 2 12:18:55 2011 +0200

    [media] vp7045: fix double free and mem leak
    
    The vp7045 priv data should be a pointer to a buffer.
    Make it so.
    
    This was introduced in commit ab22cbda6651db25 ([media] vp7045: get rid of on-stack
    dma buffers).
    
    CC: stable@kernel.org
    Reported-by: Dan Carpenter <error27@gmail.com>
    Signed-off-by: Florian Mickler <florian@mickler.org>

diff --git a/drivers/media/dvb/dvb-usb/vp7045.c b/drivers/media/dvb/dvb-usb/vp7045.c
index 3db89e3..8dd348b 100644
--- a/drivers/media/dvb/dvb-usb/vp7045.c
+++ b/drivers/media/dvb/dvb-usb/vp7045.c
@@ -28,7 +28,8 @@ DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr);
 int vp7045_usb_op(struct dvb_usb_device *d, u8 cmd, u8 *out, int outlen, u8 *in, int inlen, int msec)
 {
 	int ret = 0;
-	u8 *buf = d->priv;
+	u8 **bufp = d->priv;
+	u8 *buf = *bufp
 
 	buf[0] = cmd;
 
@@ -224,14 +225,16 @@ static struct dvb_usb_device_properties vp7045_properties;
 static int vp7045_usb_probe(struct usb_interface *intf,
 		const struct usb_device_id *id)
 {
+	u8 **bufp;
 	struct dvb_usb_device *d;
 	int ret = dvb_usb_device_init(intf, &vp7045_properties,
 				   THIS_MODULE, &d, adapter_nr);
 	if (ret)
 		return ret;
 
-	d->priv = kmalloc(20, GFP_KERNEL);
-	if (!d->priv) {
+	bufp = d->priv;
+	*bufp = kmalloc(20, GFP_KERNEL);
+	if (!*bufp) {
 		dvb_usb_device_exit(intf);
 		return -ENOMEM;
 	}
@@ -241,8 +244,10 @@ static int vp7045_usb_probe(struct usb_interface *intf,
 
 static void vp7045_usb_disconnect(struct usb_interface *intf)
 {
+	u8 **bufp;
 	struct dvb_usb_device *d = usb_get_intfdata(intf);
-	kfree(d->priv);
+	bufp = d->priv;
+	kfree(*bufp);
 	dvb_usb_device_exit(intf);
 }
 

Re: USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Florian Mickler]

On Tue, 2 Aug 2011 12:40:28 +0200
Florian Mickler <florian@mickler.org> wrote:

> This should fix it. 
> 
Tino, can you test if this also fixes your bug since
 I don't have the hardware. 

At the moment I'm not seeing how the screwup Dan pointed out could
have that effect though... ? The priv-buffer-pointer would have
been simply overriden in the probe routine by the new buffer and it
should have worked happily everafter (until the driver disconnect
routine would have been called...) *headscratch*

Regards,
Flo

Re: USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Dan Carpenter]

On Tue, Aug 02, 2011 at 12:40:28PM +0200, Florian Mickler wrote:
> This should fix it. 
> 

That's not right.  You should just make .size_of_priv = 20 with a
comment.

Btw vp7045_properties is declared twice so it's confusing.  Initially,
I saw the first declaration so I thought .size_of_priv was zero.  I
don't understand why sparse doesn't warn about that.  Could you fix
that as well?

Also I did notice at first that you were the person who added the
.size_of_priv change so that's why I thought someone else must use
that function.

regards,
dan carpenter

Re: USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Dan Carpenter]

On Tue, Aug 02, 2011 at 02:35:54PM +0300, Dan Carpenter wrote:
> Also I did notice at first that you were the person who added the
> .size_of_priv change so that's why I thought someone else must use
> that function.

Grr...  That made no sense.

I thought someone else set .size_of_priv and was using the pointer.
But actually it was you who set the .size_of_priv and no one else
is using it.

regards,
dan carpenter

Re: USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Florian Mickler]

On Tue, 2 Aug 2011 13:10:39 +0200
Florian Mickler <florian@mickler.org> wrote:

> On Tue, 2 Aug 2011 12:40:28 +0200
> Florian Mickler <florian@mickler.org> wrote:
> 
> > This should fix it. 
> > 
> Tino, can you test if this also fixes your bug since
>  I don't have the hardware. 
> 
> At the moment I'm not seeing how the screwup Dan pointed out could
> have that effect though... ? The priv-buffer-pointer would have
> been simply overriden in the probe routine by the new buffer and it
> should have worked happily everafter (until the driver disconnect
> routine would have been called...) *headscratch*
> 
> Regards,
> Flo

ok. I see the problem now. The buffer get's initialzed a little bit too late
because it already get's used from the dvb_usb_device_init call via the
frontend attach call:

dvb_usb_device_init->dvb_usb_init->dvb_usb_adapter_init->dvb_usb_adapter_frontend_init->vp7045_frontend_attach->vp7045_usb_op 

Hm.. let me think about it. In the meantime, you don't need to test
this 'fix'.

Regards,
Flo

Re: USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Dan Carpenter]

On Tue, Aug 02, 2011 at 01:51:17PM +0200, Florian Mickler wrote:

> ok. I see the problem now. The buffer get's initialzed a little bit too late
> because it already get's used from the dvb_usb_device_init call via the
> frontend attach call:
> 
> dvb_usb_device_init->dvb_usb_init->dvb_usb_adapter_init->dvb_usb_adapter_frontend_init->vp7045_frontend_attach->vp7045_usb_op 
> 
> Hm.. let me think about it. In the meantime, you don't need to test
> this 'fix'.

Yep.  That would do it.  But my fix would still work nicely.

Don't forget to remove the kfree(d->priv) from vp7045_usb_disconnect()
because that would be automatic now.

regards,
dan carpenter

Re: USB related "unable to handle kernel paging request" in 3.0.0-rc7

[Florian Mickler]

On Tue, 2 Aug 2011 14:35:54 +0300
Dan Carpenter <error27@gmail.com> wrote:

> On Tue, Aug 02, 2011 at 12:40:28PM +0200, Florian Mickler wrote:
> > This should fix it. 
> > 
> 
> That's not right.  You should just make .size_of_priv = 20 with a
> comment.

Right. Don't know why I didn't do so right from the start. The thing
is, the buffer has to be seperately allocated from the heap in order
for it to be used as a dma target. 
I probably overlooked that that is what actually happens in
dvb_usb_device_init. Or realized and changed everything accordingly but
forgot the .size_of_priv. ? 

Anyway, that is what you get if you can't actually test what you do. 
(Sorry Tino! The original patch submission had a big fat warning
that it was only compile tested, but that got lost somewhere along
the line...) 

> 
> regards,
> dan carpenter
> 

Thx,
Flo

[PATCH] [media] vp7045: fix buffer setup

[Florian Mickler]

dvb_usb_device_init calls the frontend_attach method of this driver which
uses vp7045_usb_ob. In order to have a buffer ready in vp7045_usb_op, it has to
be allocated before that happens.

Luckily we can use the whole private data as the buffer as it gets separately
allocated on the heap via kzalloc in dvb_usb_device_init and is thus apt for
use via usb_control_msg.

This fixes a
	BUG: unable to handle kernel paging request at 0000000000001e78

reported by Tino Keitel and diagnosed by Dan Carpenter.

Reported-by: Tino Keitel <tino.keitel@tikei.de>
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Florian Mickler <florian@mickler.org>
---

Tino, can you test this?

I'm quite certain that I now nailed the bug with this.

Regards,
Flo

drivers/media/dvb/dvb-usb/vp7045.c |   26 ++++----------------------
 1 files changed, 4 insertions(+), 22 deletions(-)

diff --git a/drivers/media/dvb/dvb-usb/vp7045.c b/drivers/media/dvb/dvb-usb/vp7045.c
index 3db89e3..536c16c 100644
--- a/drivers/media/dvb/dvb-usb/vp7045.c
+++ b/drivers/media/dvb/dvb-usb/vp7045.c
@@ -224,26 +224,8 @@ static struct dvb_usb_device_properties vp7045_properties;
 static int vp7045_usb_probe(struct usb_interface *intf,
 		const struct usb_device_id *id)
 {
-	struct dvb_usb_device *d;
-	int ret = dvb_usb_device_init(intf, &vp7045_properties,
-				   THIS_MODULE, &d, adapter_nr);
-	if (ret)
-		return ret;
-
-	d->priv = kmalloc(20, GFP_KERNEL);
-	if (!d->priv) {
-		dvb_usb_device_exit(intf);
-		return -ENOMEM;
-	}
-
-	return ret;
-}
-
-static void vp7045_usb_disconnect(struct usb_interface *intf)
-{
-	struct dvb_usb_device *d = usb_get_intfdata(intf);
-	kfree(d->priv);
-	dvb_usb_device_exit(intf);
+	return dvb_usb_device_init(intf, &vp7045_properties,
+				   THIS_MODULE, NULL, adapter_nr);
 }
 
 static struct usb_device_id vp7045_usb_table [] = {
@@ -258,7 +240,7 @@ MODULE_DEVICE_TABLE(usb, vp7045_usb_table);
 static struct dvb_usb_device_properties vp7045_properties = {
 	.usb_ctrl = CYPRESS_FX2,
 	.firmware = "dvb-usb-vp7045-01.fw",
-	.size_of_priv = sizeof(u8 *),
+	.size_of_priv = 20,
 
 	.num_adapters = 1,
 	.adapter = {
@@ -305,7 +287,7 @@ static struct dvb_usb_device_properties vp7045_properties = {
 static struct usb_driver vp7045_usb_driver = {
 	.name		= "dvb_usb_vp7045",
 	.probe		= vp7045_usb_probe,
-	.disconnect	= vp7045_usb_disconnect,
+	.disconnect	= dvb_usb_device_exit,
 	.id_table	= vp7045_usb_table,
 };
 
-- 
1.7.6

Re: [PATCH] [media] vp7045: fix buffer setup

[Tino Keitel]

On Tue, Aug 02, 2011 at 14:29:05 +0200, Florian Mickler wrote:
> dvb_usb_device_init calls the frontend_attach method of this driver which
> uses vp7045_usb_ob. In order to have a buffer ready in vp7045_usb_op, it has to
> be allocated before that happens.
> 
> Luckily we can use the whole private data as the buffer as it gets separately
> allocated on the heap via kzalloc in dvb_usb_device_init and is thus apt for
> use via usb_control_msg.
> 
> This fixes a
> 	BUG: unable to handle kernel paging request at 0000000000001e78
> 
> reported by Tino Keitel and diagnosed by Dan Carpenter.
> 
> Reported-by: Tino Keitel <tino.keitel@tikei.de>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Signed-off-by: Florian Mickler <florian@mickler.org>
> ---
> 
> Tino, can you test this?

Hi,

thanks for the patch. It works fine on top of 3.0. No more Oops at
boot, and the DVB-T receiver is working.

Regards,
Tino

Re: [PATCH] [media] vp7045: fix buffer setup

[Tino Keitel]

On Wed, Aug 03, 2011 at 21:02:04 +0200, Tino Keitel wrote:

[...]

> Hi,
> 
> thanks for the patch. It works fine on top of 3.0. No more Oops at
> boot, and the DVB-T receiver is working.
> 
> Regards,
> Tino

Hi,

I didn't see the patch show up in git yet. This is a prerequisite to
include it in 3.0.x AFAIK.

Regards,
Tino

Re: [PATCH] [media] vp7045: fix buffer setup

[Florian Mickler]

On Tue, 9 Aug 2011 22:08:43 +0200
Tino Keitel <tino.keitel@tikei.de> wrote:

> On Wed, Aug 03, 2011 at 21:02:04 +0200, Tino Keitel wrote:
> 
> [...]
> 
> > Hi,
> > 
> > thanks for the patch. It works fine on top of 3.0. No more Oops at
> > boot, and the DVB-T receiver is working.
> > 
> > Regards,
> > Tino
> 
> Hi,
> 
> I didn't see the patch show up in git yet. This is a prerequisite to
> include it in 3.0.x AFAIK.
> 
> Regards,
> Tino

Yes, I pinged Mauro yesterday about it but didn't hear back. I remember
in the back of my head that Mauro uses patchwork on the linux-media
list, so that is where I will resend the patch... 

Regards,
Flo

[PATCH] [media] vp7045: fix buffer setup

[Florian Mickler]

dvb_usb_device_init calls the frontend_attach method of this driver which
uses vp7045_usb_ob. In order to have a buffer ready in vp7045_usb_op, it has to
be allocated before that happens.

Luckily we can use the whole private data as the buffer as it gets separately
allocated on the heap via kzalloc in dvb_usb_device_init and is thus apt for
use via usb_control_msg.

This fixes a
	BUG: unable to handle kernel paging request at 0000000000001e78

reported by Tino Keitel and diagnosed by Dan Carpenter.

References: https://bugzilla.kernel.org/show_bug.cgi?id=40062
Cc: v3.0.y <stable@kernel.org>
Tested-by: Tino Keitel <tino.keitel@tikei.de>
Signed-off-by: Florian Mickler <florian@mickler.org>
---
 drivers/media/dvb/dvb-usb/vp7045.c |   26 ++++----------------------
 1 files changed, 4 insertions(+), 22 deletions(-)

diff --git a/drivers/media/dvb/dvb-usb/vp7045.c b/drivers/media/dvb/dvb-usb/vp7045.c
index 3db89e3..536c16c 100644
--- a/drivers/media/dvb/dvb-usb/vp7045.c
+++ b/drivers/media/dvb/dvb-usb/vp7045.c
@@ -224,26 +224,8 @@ static struct dvb_usb_device_properties vp7045_properties;
 static int vp7045_usb_probe(struct usb_interface *intf,
 		const struct usb_device_id *id)
 {
-	struct dvb_usb_device *d;
-	int ret = dvb_usb_device_init(intf, &vp7045_properties,
-				   THIS_MODULE, &d, adapter_nr);
-	if (ret)
-		return ret;
-
-	d->priv = kmalloc(20, GFP_KERNEL);
-	if (!d->priv) {
-		dvb_usb_device_exit(intf);
-		return -ENOMEM;
-	}
-
-	return ret;
-}
-
-static void vp7045_usb_disconnect(struct usb_interface *intf)
-{
-	struct dvb_usb_device *d = usb_get_intfdata(intf);
-	kfree(d->priv);
-	dvb_usb_device_exit(intf);
+	return dvb_usb_device_init(intf, &vp7045_properties,
+				   THIS_MODULE, NULL, adapter_nr);
 }
 
 static struct usb_device_id vp7045_usb_table [] = {
@@ -258,7 +240,7 @@ MODULE_DEVICE_TABLE(usb, vp7045_usb_table);
 static struct dvb_usb_device_properties vp7045_properties = {
 	.usb_ctrl = CYPRESS_FX2,
 	.firmware = "dvb-usb-vp7045-01.fw",
-	.size_of_priv = sizeof(u8 *),
+	.size_of_priv = 20,
 
 	.num_adapters = 1,
 	.adapter = {
@@ -305,7 +287,7 @@ static struct dvb_usb_device_properties vp7045_properties = {
 static struct usb_driver vp7045_usb_driver = {
 	.name		= "dvb_usb_vp7045",
 	.probe		= vp7045_usb_probe,
-	.disconnect	= vp7045_usb_disconnect,
+	.disconnect	= dvb_usb_device_exit,
 	.id_table	= vp7045_usb_table,
 };
 
-- 
1.7.6

Re: [PATCH] [media] vp7045: fix buffer setup

[Florian Mickler]

On Wed, 10 Aug 2011 12:05:20 +0200
Florian Mickler <florian@mickler.org> wrote:

> dvb_usb_device_init calls the frontend_attach method of this driver which
> uses vp7045_usb_ob. In order to have a buffer ready in vp7045_usb_op, it has to
> be allocated before that happens.
> 
> Luckily we can use the whole private data as the buffer as it gets separately
> allocated on the heap via kzalloc in dvb_usb_device_init and is thus apt for
> use via usb_control_msg.
> 
> This fixes a
> 	BUG: unable to handle kernel paging request at 0000000000001e78
> 
> reported by Tino Keitel and diagnosed by Dan Carpenter.
> 
> References: https://bugzilla.kernel.org/show_bug.cgi?id=40062
> Cc: v3.0.y <stable@kernel.org>
> Tested-by: Tino Keitel <tino.keitel@tikei.de>
> Signed-off-by: Florian Mickler <florian@mickler.org>

...ping...

Re: [PATCH] [media] vp7045: fix buffer setup

[Tino Keitel]

On Fri, Aug 19, 2011 at 18:35:21 +0200, Florian Mickler wrote:
> On Wed, 10 Aug 2011 12:05:20 +0200
> Florian Mickler <florian@mickler.org> wrote:
> 
> > dvb_usb_device_init calls the frontend_attach method of this driver which
> > uses vp7045_usb_ob. In order to have a buffer ready in vp7045_usb_op, it has to
> > be allocated before that happens.
> > 
> > Luckily we can use the whole private data as the buffer as it gets separately
> > allocated on the heap via kzalloc in dvb_usb_device_init and is thus apt for
> > use via usb_control_msg.
> > 
> > This fixes a
> > 	BUG: unable to handle kernel paging request at 0000000000001e78
> > 
> > reported by Tino Keitel and diagnosed by Dan Carpenter.
> > 
> > References: https://bugzilla.kernel.org/show_bug.cgi?id=40062
> > Cc: v3.0.y <stable@kernel.org>
> > Tested-by: Tino Keitel <tino.keitel@tikei.de>
> > Signed-off-by: Florian Mickler <florian@mickler.org>
> 
> ...ping...

Even pinger. I can't see the patch in 3.1 git yet, and I'm using the
patch on 3.0 kernels for 2 weeks now without problems.

Regards,
Tino