Thomas Kear <thomas@xxxxxxxxxx> writes:

> On Sat, Jan 11, 2014 at 11:09 AM, Bjørn Mork <bjorn@xxxxxxx> wrote:
>> But looking at the code I think I found an obvious miss in the SG list
>> initialisation. I'll post a proposed fix for that. Would be good if
>> someone was able to test it.
>
> I've built 3.13.0-rc7-next-20140110 with your patch applied.
> Unfortunately since this bug has taken anywhere from minutes to days
> to manifest previously I'm not sure how quickly I'll be able to report
> on its efficacy.

Thanks for testing it.

If I'm correct, then your problem is caused by usbnet incrementing
urb->num_sgs above the value sg_init_table was called with. This happens
if usbnet adds padding to a fragmented skb. Unfortunately I have no idea
how you can create fragmented skbs with a certain length. But I'm sure
others here know?

This bug in usbnet makes usb_hcd_map_urb_for_dma() call dma_map_sg() with
nents set past an entry with the SG chain termination bit set. This bit
makes the call to sg_next return NULL, even if there is another non-NULL
entry in the list. So when dma_map_sg does

  for_each_sg(sg, s, nents, i)
      kmemcheck_mark_initialized(sg_virt(s), s->length);

it ends up dereferencing NULL.

> I currently have the adapter plugged in through a 4-port USB3 hub
> (2109:0811, which appears to be a VIA chip) but I will test it
> directly attached to the laptop too.

I don't think that should matter.

Bjørn

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
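The failure mode Bjørn describes (a scatterlist terminated by sg_init_table at one length, then walked with a larger nents because num_sgs was bumped for padding) can be reproduced in user space with a small model of the scatterlist marker bits. The following is an added, stand-alone illustration and is not code from the thread or from the kernel: the struct, the `model_*` helpers, the 0x02 END marker and the sample lengths are all constructed to mirror the kernel's sg_next/for_each_sg semantics, and `model_dma_map_sg` returns -1 where the real dma_map_sg loop would dereference NULL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the scatterlist marker bits carried in the low bits
 * of page_link (the real definitions live in include/linux/scatterlist.h). */
#define MODEL_SG_CHAIN 0x01UL
#define MODEL_SG_END   0x02UL

struct model_sg_entry {
    unsigned long page_link;   /* low two bits: CHAIN / END markers */
    unsigned int offset;
    unsigned int length;
};

/* Like sg_init_table(): zero the table and mark the last entry as END. */
static void model_sg_init_table(struct model_sg_entry *sgl, unsigned int nents)
{
    memset(sgl, 0, sizeof(*sgl) * nents);
    sgl[nents - 1].page_link |= MODEL_SG_END;
}

static int model_sg_is_last(const struct model_sg_entry *sg)
{
    return (sg->page_link & MODEL_SG_END) != 0;
}

/* Like sg_next(): once the END marker is reached the walk yields NULL,
 * even if a physically adjacent entry follows in memory. */
static struct model_sg_entry *model_sg_next(struct model_sg_entry *sg)
{
    if (model_sg_is_last(sg))
        return NULL;
    return sg + 1;
}

/* Entries actually reachable from sgl before the terminator; a cheap
 * consistency check against the nents a caller is about to pass down. */
static unsigned int model_sg_count(struct model_sg_entry *sgl)
{
    unsigned int n = 0;
    for (struct model_sg_entry *s = sgl; s; s = model_sg_next(s))
        n++;
    return n;
}

/* Walk like for_each_sg(sg, s, nents, i) and sum the lengths. Returns -1
 * instead of dereferencing NULL when nents runs past the terminated list,
 * which is exactly the num_sgs > initialised-length situation in the mail. */
static long model_dma_map_sg(struct model_sg_entry *sgl, unsigned int nents)
{
    long total = 0;
    struct model_sg_entry *s = sgl;
    for (unsigned int i = 0; i < nents; i++, s = s ? model_sg_next(s) : NULL) {
        if (!s)
            return -1;            /* the kernel loop would crash here */
        total += s->length;
    }
    return total;
}

/* Scenario from the thread (constructed lengths): table initialised for two
 * entries, then a padding entry appended and nents bumped to three. */
static long run_padding_scenario(void)
{
    struct model_sg_entry sgl[3];
    model_sg_init_table(sgl, 2);  /* END marker lands on sgl[1] */
    sgl[0].length = 1500;
    sgl[1].length = 100;
    sgl[2].page_link = 0;         /* padding entry, never part of the init */
    sgl[2].length = 4;
    return model_dma_map_sg(sgl, 3);   /* -1: walk hits NULL after sgl[1] */
}

/* Same data with the table initialised for the final entry count. */
static long run_fixed_scenario(void)
{
    struct model_sg_entry sgl[3];
    model_sg_init_table(sgl, 3);  /* END marker on sgl[2] */
    sgl[0].length = 1500;
    sgl[1].length = 100;
    sgl[2].length = 4;
    return model_dma_map_sg(sgl, 3);   /* 1604 */
}

int main(void)
{
    printf("padding scenario: %ld\n", run_padding_scenario());
    printf("fixed scenario:   %ld\n", run_fixed_scenario());
    return 0;
}
```

The point of `model_sg_count` is the check a driver or a debug assertion could make before handing a list down: if the reachable entry count is smaller than the nents about to be passed, the terminator and the count disagree and the walk will fall off the end.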