* [RFC PATCH 0/2] staging: rtl8192u: Fix two crashing bugs
@ 2023-10-12  6:02 Philipp Hortmann
From: Philipp Hortmann @ 2023-10-12  6:02 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-staging, linux-kernel

Question: Fix or remove rtl8192u?

I found a USB WLAN stick with an rtl8192u. I got it last Saturday and
found out that the firmware is missing in my Ubuntu 20.04. I found it on
the web and fixed it. When I started the driver, my computer crashed. The
missing part was: priv->priv_wq = alloc_workqueue("priv_wq", 0, 0);
Fixing this, the next error was a network = kzalloc(sizeof(*network),
GFP_KERNEL); in the wrong context, which leads to a crash of my computer.
Fixing this, the next error depends more on what I do with the stick.

When lucky, the connection is built up and I can surf and download several gigabytes at maximum speed (12.5 MB/s).

But when I open the window to see other stations, the computer crashes again. Find a possible dump at the end.

Hint from Arnd Bergmann on 10/11/23:
https://lore.kernel.org/linux-staging/db98d9ac-7650-4a72-8eb9-4def1f17ea0d@app.fastmail.com/T/#t
I see the two bugs were introduced in 2016 by commit 1761a85c3bed3
("staging: rtl8192u: Remove create_workqueue()") and in 2021 by
commit 061e390b7c87f ("staging: rtl8192u: ieee80211_softmac: Move a
large data struct onto the heap"), so it's been broken for a while.

[  +0.043662] alg name:CCMP
[  +0.724234] rtl819xU 1-1.6:1.0 wlan0: ====================>rx ADDBAREQ from :9c:a2:f4:67:5d:c0
[  +0.000016] rtl819xU 1-1.6:1.0 wlan0: =====>to send ADDBARSP
[Oct10 00:42] BUG: kernel NULL pointer dereference, address: 00000000000001c0
[  +0.000008] #PF: supervisor read access in kernel mode
[  +0.000002] #PF: error_code(0x0000) - not-present page
[  +0.000002] PGD 0 P4D 0 
[  +0.000004] Oops: 0000 [#1] PREEMPT SMP PTI
[  +0.000003] CPU: 0 PID: 1246 Comm: wpa_supplicant Tainted: G         C OE      6.6.0-rc1+ #15
[  +0.000003] Hardware name: FUJITSU ESPRIMO P710/D3161-A1, BIOS V4.6.5.3 R1.16.0 for D3161-A1x 10/29/2012
[  +0.000002] RIP: 0010:__queue_work+0x38/0x610
[  +0.000005] Code: 89 fe 41 55 41 54 49 89 d4 53 48 89 f3 48 83 ec 18 8b 0d 43 23 ce 01 85 c9 74 0f 65 8b 05 c0 af ee 45 85 c0 0f 84 da 02 00 00 <f7> 83 c0 01 00 00 00 80 01 00 0f 85 eb 02 00 00 e8 33 d6 0a 00 31
[  +0.000003] RSP: 0018:ffffc90002e6bc28 EFLAGS: 00010046
[  +0.000002] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[  +0.000002] RDX: ffff88817ff1a8d8 RSI: 0000000000000000 RDI: 0000000000002000
[  +0.000002] RBP: ffffc90002e6bc68 R08: 0000000000000000 R09: 0000000000000000
[  +0.000001] R10: ffffc90002e6bca0 R11: ffffffffc0fff3e2 R12: ffff88817ff1a8d8
[  +0.000002] R13: 0000000000000001 R14: 0000000000002000 R15: 0000000000000000
[  +0.000002] FS:  00007f9be4ad9140(0000) GS:ffff888215400000(0000) knlGS:0000000000000000
[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.000002] CR2: 00000000000001c0 CR3: 00000001127ce005 CR4: 00000000001706f0
[  +0.000002] Call Trace:
[  +0.000002]  <TASK>
[  +0.000011]  ? show_regs+0x68/0x70
[  +0.000005]  ? __die_body+0x20/0x70
[  +0.000004]  ? __die+0x2b/0x40
[  +0.000003]  ? page_fault_oops+0x160/0x480
[  +0.000003]  ? search_bpf_extables+0xad/0x160
[  +0.000004]  ? __queue_work+0x38/0x610
[  +0.000002]  ? search_exception_tables+0x5f/0x70
[  +0.000004]  ? kernelmode_fixup_or_oops+0xa2/0x120
[  +0.000011]  ? __bad_area_nosemaphore+0x197/0x250
[  +0.000003]  ? up_read+0xc3/0x270
[  +0.000004]  ? bad_area_nosemaphore+0x16/0x20
[  +0.000002]  ? do_user_addr_fault+0x34d/0xa40
[  +0.000004]  ? exc_page_fault+0x84/0x210
[  +0.000005]  ? asm_exc_page_fault+0x27/0x30
[  +0.000006]  ? ieee80211_wx_set_scan+0x22/0x80 [r8192u_usb]
[  +0.000022]  ? __queue_work+0x38/0x610
[  +0.000003]  ? debug_smp_processor_id+0x17/0x20
[  +0.000004]  queue_work_on+0x7e/0x80
[  +0.000003]  ieee80211_wx_set_scan+0x77/0x80 [r8192u_usb]
[  +0.000016]  r8192_wx_set_scan+0x128/0x190 [r8192u_usb]
[  +0.000014]  ioctl_standard_iw_point+0x2e6/0x390
[  +0.000004]  ? __pfx_r8192_wx_set_scan+0x10/0x10 [r8192u_usb]
[  +0.000014]  ? sched_clock_noinstr+0x9/0x10
[  +0.000003]  ? local_clock_noinstr+0x10/0xd0
[  +0.000004]  ioctl_standard_call+0xaa/0xe0
[  +0.000003]  ? netdev_name_node_lookup+0x65/0x90
[  +0.000003]  ? __pfx_ioctl_private_call+0x10/0x10
[  +0.000003]  ? __pfx_ioctl_standard_call+0x10/0x10
[  +0.000004]  wireless_process_ioctl+0x149/0x170
[  +0.000004]  wext_handle_ioctl+0x9e/0x100
[  +0.000005]  sock_ioctl+0x203/0x340
[  +0.000005]  ? syscall_enter_from_user_mode+0x21/0x60
[  +0.000004]  __x64_sys_ioctl+0x98/0xd0
[  +0.000005]  do_syscall_64+0x3b/0x90
[  +0.000004]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  +0.000003] RIP: 0033:0x7f9be47223ab
[  +0.000003] Code: 0f 1e fa 48 8b 05 e5 7a 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b5 7a 0d 00 f7 d8 64 89 01 48
[  +0.000002] RSP: 002b:00007ffdecbeeed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  +0.000003] RAX: ffffffffffffffda RBX: 000055e97efd0580 RCX: 00007f9be47223ab
[  +0.000002] RDX: 00007ffdecbeeee0 RSI: 0000000000008b18 RDI: 0000000000000009
[  +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
[  +0.000002] R10: 00007ffdecbfa080 R11: 0000000000000246 R12: 000055e97efa4db0
[  +0.000001] R13: 0000000000000000 R14: 00007ffdecbeeee0 R15: 000055e97efa27c8
[  +0.000005]  </TASK>
[  +0.000001] Modules linked in: ccm r8192u_usb(COE) cfg80211 lib80211 libarc4 xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c xt_addrtype iptable_filter bpfilter br_netfilter bridge stp llc overlay nls_iso8859_1 snd_hda_codec_hdmi snd_hda_codec_conexant snd_hda_codec_generic ledtrig_audio intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_hda_intel sch5627 mei_hdcp snd_intel_dspcfg aesni_intel snd_intel_sdw_acpi crypto_simd binfmt_misc snd_hda_codec cryptd i915 snd_hda_core rapl sch56xx_common snd_hwdep intel_cstate joydev snd_pcm input_leds snd_seq_midi serio_raw snd_seq_midi_event at24 drm_buddy snd_rawmidi snd_seq ttm snd_seq_device drm_display_helper cec snd_timer rc_core drm_kms_helper snd mei_me i2c_algo_bit tpm_infineon soundcore mei mac_hid sch_fq_codel msr parport_pc ppdev lp parport drm ramoops reed_solomon
[  +0.000063]  efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 crc32_pclmul i2c_smbus ahci e1000e lpc_ich libahci xhci_pci xhci_pci_renesas video wmi
[  +0.000016] CR2: 00000000000001c0
[  +0.000003] ---[ end trace 0000000000000000 ]---
[  +0.000973] pstore: backend (efi_pstore) writing error (-5)
[  +0.000003] RIP: 0010:__queue_work+0x38/0x610
[  +0.000003] Code: 89 fe 41 55 41 54 49 89 d4 53 48 89 f3 48 83 ec 18 8b 0d 43 23 ce 01 85 c9 74 0f 65 8b 05 c0 af ee 45 85 c0 0f 84 da 02 00 00 <f7> 83 c0 01 00 00 00 80 01 00 0f 85 eb 02 00 00 e8 33 d6 0a 00 31
[  +0.000002] RSP: 0018:ffffc90002e6bc28 EFLAGS: 00010046
[  +0.000003] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[  +0.000002] RDX: ffff88817ff1a8d8 RSI: 0000000000000000 RDI: 0000000000002000
[  +0.000001] RBP: ffffc90002e6bc68 R08: 0000000000000000 R09: 0000000000000000
[  +0.000002] R10: ffffc90002e6bca0 R11: ffffffffc0fff3e2 R12: ffff88817ff1a8d8
[  +0.000001] R13: 0000000000000001 R14: 0000000000002000 R15: 0000000000000000
[  +0.000002] FS:  00007f9be4ad9140(0000) GS:ffff888215400000(0000) knlGS:0000000000000000
[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.000002] CR2: 00000000000001c0 CR3: 00000001127ce005 CR4: 00000000001706f0
[  +0.000002] note: wpa_supplicant[1246] exited with irqs disabled


Philipp Hortmann (2):
  staging: rtl8192u: Fix missing alloc_workqueue()
  staging: rtl8192u: Fix sleeping kzalloc() called from invalid context

 .../rtl8192u/ieee80211/ieee80211_softmac.c    | 19 ++++++++-----------
 drivers/staging/rtl8192u/r8192U.h             |  1 +
 drivers/staging/rtl8192u/r8192U_core.c        | 12 ++++++++++++
 3 files changed, 21 insertions(+), 11 deletions(-)

-- 
2.42.0



* [RFC PATCH 1/2] staging: rtl8192u: Fix missing alloc_workqueue()
From: Philipp Hortmann @ 2023-10-12  6:03 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-staging, linux-kernel

Missing alloc_workqueue() leads to a crash of the system.

Fixes: 1761a85c3bed ("staging: rtl8192u: Remove create_workqueue()")
Signed-off-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
---
Tested with rtl8192u (Belkin F5D8053) in Mode n (12.5 MB/s)

Dump of Error:
[ 1428.338077] ------------[ cut here ]------------
[ 1428.338079] WARNING: CPU: 2 PID: 6502 at kernel/workqueue.c:1938 __queue_delayed_work+0x77/0xb0
[ 1428.338086] Modules linked in: r8192u_usb(COE) cfg80211 lib80211 libarc4 xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c xt_addrtype iptable_filter bpfilter br_netfilter bridge stp llc overlay nls_iso8859_1 snd_hda_codec_hdmi intel_rapl_msr snd_hda_codec_conexant intel_rapl_common snd_hda_codec_generic x86_pkg_temp_thermal ledtrig_audio intel_powerclamp coretemp sch5627 mei_hdcp kvm_intel binfmt_misc kvm snd_hda_intel snd_intel_dspcfg i915 snd_intel_sdw_acpi crct10dif_pclmul ghash_clmulni_intel snd_hda_codec sha512_ssse3 aesni_intel snd_hda_core crypto_simd snd_hwdep cryptd snd_pcm sch56xx_common rapl snd_seq_midi intel_cstate snd_seq_midi_event input_leds joydev serio_raw drm_buddy snd_rawmidi ttm drm_display_helper snd_seq at24 snd_seq_device snd_timer cec rc_core snd mei_me soundcore mei drm_kms_helper i2c_algo_bit tpm_infineon mac_hid sch_fq_codel msr parport_pc ppdev lp parport drm ramoops reed_solomon efi_pstore
[ 1428.338200]  ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul i2c_i801 xhci_pci video ahci lpc_ich libahci i2c_smbus xhci_pci_renesas e1000e wmi
[ 1428.338223] CPU: 2 PID: 6502 Comm: kworker/2:0 Tainted: G         C OE      6.6.0-rc1+ #15
[ 1428.338226] Hardware name: FUJITSU ESPRIMO P710/D3161-A1, BIOS V4.6.5.3 R1.16.0 for D3161-A1x 10/29/2012
[ 1428.338229] Workqueue: events rtl819x_watchdog_wqcallback [r8192u_usb]
[ 1428.338249] RIP: 0010:__queue_delayed_work+0x77/0xb0
[ 1428.338252] Code: c1 48 89 4a 60 81 ff 00 20 00 00 75 38 4c 89 cf e8 de 59 0d 00 5d c3 cc cc cc cc e8 b3 f5 ff ff 5d c3 cc cc cc cc 0f 0b eb bb <0f> 0b 48 81 7a 68 e0 61 6f 81 74 99 0f 0b 48 8b 42 58 48 85 c0 74
[ 1428.338255] RSP: 0000:ffffc9000c46bd08 EFLAGS: 00010046
[ 1428.338258] RAX: 0000000000000001 RBX: 0000000000000200 RCX: 0000000000000000
[ 1428.338260] RDX: ffff88820efacfe8 RSI: 0000000000000000 RDI: 0000000000002000
[ 1428.338262] RBP: ffffc9000c46bd08 R08: 0000000000000000 R09: ffff88820efad038
[ 1428.338264] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88820efacfe8
[ 1428.338265] R13: 0000000000000001 R14: 0000000000002000 R15: 0000000000000000
[ 1428.338267] FS:  0000000000000000(0000) GS:ffff888215c00000(0000) knlGS:0000000000000000
[ 1428.338270] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1428.338272] CR2: 0000557da4e0d8e5 CR3: 000000011361e001 CR4: 00000000001706e0
[ 1428.338274] Call Trace:
[ 1428.338276]  <TASK>
[ 1428.338280]  ? show_regs+0x68/0x70
[ 1428.338284]  ? __queue_delayed_work+0x77/0xb0
[ 1428.338287]  ? __warn+0x8f/0x180
[ 1428.338291]  ? __queue_delayed_work+0x77/0xb0
[ 1428.338296]  ? report_bug+0x1f5/0x200
[ 1428.338303]  ? handle_bug+0x46/0x80
[ 1428.338307]  ? exc_invalid_op+0x19/0x70
[ 1428.338311]  ? asm_exc_invalid_op+0x1b/0x20
[ 1428.338323]  ? __queue_delayed_work+0x77/0xb0
[ 1428.338327]  ? trace_hardirqs_off+0x4f/0xa0
[ 1428.338331]  queue_delayed_work_on+0x8e/0x90
[ 1428.338337]  hal_dm_watchdog+0x3f5/0x1420 [r8192u_usb]
[ 1428.338356]  rtl819x_watchdog_wqcallback+0x6b/0xb60 [r8192u_usb]
[ 1428.338369]  ? __this_cpu_preempt_check+0x13/0x20
[ 1428.338377]  process_scheduled_works+0x308/0x580
[ 1428.338389]  ? __pfx_worker_thread+0x10/0x10
[ 1428.338392]  worker_thread+0x19b/0x360
[ 1428.338398]  ? __pfx_worker_thread+0x10/0x10
[ 1428.338400]  kthread+0x116/0x150
[ 1428.338405]  ? __pfx_kthread+0x10/0x10
[ 1428.338411]  ret_from_fork+0x3c/0x60
[ 1428.338414]  ? __pfx_kthread+0x10/0x10
[ 1428.338419]  ret_from_fork_asm+0x1b/0x30
[ 1428.338433]  </TASK>
[ 1428.338435] irq event stamp: 3280
[ 1428.338436] hardirqs last  enabled at (3279): [<ffffffff81784921>] console_unlock+0x101/0x120
[ 1428.338440] hardirqs last disabled at (3280): [<ffffffff816f63a4>] queue_delayed_work_on+0x74/0x90
[ 1428.338443] softirqs last  enabled at (3272): [<ffffffff825fd6cd>] __do_softirq+0x2cd/0x3b7
[ 1428.338447] softirqs last disabled at (3265): [<ffffffff816d3fb0>] irq_exit_rcu+0xa0/0xe0
[ 1428.338450] ---[ end trace 0000000000000000 ]---
[ 1428.338456] BUG: kernel NULL pointer dereference, address: 00000000000001c0
[ 1428.338458] #PF: supervisor read access in kernel mode
[ 1428.338460] #PF: error_code(0x0000) - not-present page
[ 1428.338462] PGD 0 P4D 0
[ 1428.338464] Oops: 0000 [#1] PREEMPT SMP PTI
[ 1428.338467] CPU: 2 PID: 6502 Comm: kworker/2:0 Tainted: G        WC OE      6.6.0-rc1+ #15
[ 1428.338469] Hardware name: FUJITSU ESPRIMO P710/D3161-A1, BIOS V4.6.5.3 R1.16.0 for D3161-A1x 10/29/2012
[ 1428.338470] Workqueue: events rtl819x_watchdog_wqcallback [r8192u_usb]
[ 1428.338483] RIP: 0010:__queue_work+0x38/0x610
[ 1428.338485] Code: 89 fe 41 55 41 54 49 89 d4 53 48 89 f3 48 83 ec 18 8b 0d 43 23 ce 01 85 c9 74 0f 65 8b 05 c0 af ae 7e 85 c0 0f 84 da 02 00 00 <f7> 83 c0 01 00 00 00 80 01 00 0f 85 eb 02 00 00 e8 33 d6 0a 00 31
[ 1428.338488] RSP: 0000:ffffc9000c46bcb8 EFLAGS: 00010046
[ 1428.338490] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ 1428.338491] RDX: ffff88820efacfe8 RSI: 0000000000000000 RDI: 0000000000002000
[ 1428.338493] RBP: ffffc9000c46bcf8 R08: ffff88820efacff0 R09: ffff88820efad038
[ 1428.338494] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88820efacfe8
[ 1428.338496] R13: 0000000000000001 R14: 0000000000002000 R15: 0000000000000000
[ 1428.338497] FS:  0000000000000000(0000) GS:ffff888215c00000(0000) knlGS:0000000000000000
[ 1428.338499] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1428.338500] CR2: 00000000000001c0 CR3: 000000011361e001 CR4: 00000000001706e0
[ 1428.338502] Call Trace:
[ 1428.338503]  <TASK>
[ 1428.338505]  ? show_regs+0x68/0x70
[ 1428.338508]  ? __die_body+0x20/0x70
[ 1428.338511]  ? __die+0x2b/0x40
[ 1428.338514]  ? page_fault_oops+0x160/0x480
[ 1428.338517]  ? search_bpf_extables+0xad/0x160
[ 1428.338520]  ? __queue_work+0x38/0x610
[ 1428.338523]  ? search_exception_tables+0x5f/0x70
[ 1428.338526]  ? kernelmode_fixup_or_oops+0xa2/0x120
[ 1428.338529]  ? __bad_area_nosemaphore+0x197/0x250
[ 1428.338531]  ? vprintk_default+0x1d/0x30
[ 1428.338535]  ? bad_area_nosemaphore+0x16/0x20
[ 1428.338537]  ? do_user_addr_fault+0x34d/0xa40
[ 1428.338539]  ? debug_smp_processor_id+0x17/0x20
[ 1428.338541]  ? exc_page_fault+0x3c/0x210
[ 1428.338545]  ? __this_cpu_preempt_check+0x13/0x20
[ 1428.338548]  ? exc_page_fault+0x84/0x210
[ 1428.338551]  ? asm_exc_page_fault+0x27/0x30
[ 1428.338555]  ? __queue_work+0x38/0x610
[ 1428.338559]  __queue_delayed_work+0x6d/0xb0
[ 1428.338561]  queue_delayed_work_on+0x8e/0x90
[ 1428.338565]  hal_dm_watchdog+0x3f5/0x1420 [r8192u_usb]
[ 1428.338579]  rtl819x_watchdog_wqcallback+0x6b/0xb60 [r8192u_usb]
[ 1428.338591]  ? __this_cpu_preempt_check+0x13/0x20
[ 1428.338594]  process_scheduled_works+0x308/0x580
[ 1428.338599]  ? __pfx_worker_thread+0x10/0x10
[ 1428.338601]  worker_thread+0x19b/0x360
[ 1428.338604]  ? __pfx_worker_thread+0x10/0x10
[ 1428.338606]  kthread+0x116/0x150
[ 1428.338609]  ? __pfx_kthread+0x10/0x10
[ 1428.338612]  ret_from_fork+0x3c/0x60
[ 1428.338615]  ? __pfx_kthread+0x10/0x10
[ 1428.338618]  ret_from_fork_asm+0x1b/0x30
[ 1428.338623]  </TASK>
---
 drivers/staging/rtl8192u/r8192U_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c
index 0a60ef20107c..bf6d93de7a74 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -2024,6 +2024,12 @@ static void rtl8192_init_priv_task(struct net_device *dev)
 {
 	struct r8192_priv *priv = ieee80211_priv(dev);
 
+	priv->priv_wq = alloc_workqueue("priv_wq", 0, 0);
+	if (!priv->priv_wq) {
+		pr_err("alloc_workqueue for priv->priv_wq failed\n");
+		return;
+	}
+
 	INIT_WORK(&priv->reset_wq, rtl8192_restart);
 
 	INIT_DELAYED_WORK(&priv->watch_dog_wq,
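Review bot: rtl8192_init_priv_task() is a void function, so the early `return;` in the new `if (!priv->priv_wq) { ... }` block silently leaves the driver initialized with a NULL priv->priv_wq and skips the INIT_WORK()/INIT_DELAYED_WORK() setup that follows, which is the same state that produced the NULL dereference in __queue_work() this patch is meant to fix. Propagate the failure instead (return an int and let the probe path fail), and pair the allocation with a destroy_workqueue() on teardown, which does not appear in this patch. A dev_err() or netdev_err() naming the device would also be preferable to the bare pr_err().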
-- 
2.42.0



* [RFC PATCH 2/2] staging: rtl8192u: Fix sleeping kzalloc() called from invalid context
From: Philipp Hortmann @ 2023-10-12  6:03 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-staging, linux-kernel

Sleeping kzalloc() called from invalid context leads to a crash of the
system.

Fixes: 061e390b7c87f ("staging: rtl8192u: ieee80211_softmac: Move a large data struct onto the heap")
Signed-off-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
---
Tested with rtl8192u (Belkin F5D8053) in Mode n (12.5 MB/s)

Dump of Error:
[ 2141.025340] ================================
[ 2141.025341] WARNING: inconsistent lock state
[ 2141.025343] 6.6.0-rc1+ #15 Tainted: G         C OE
[ 2141.025345] --------------------------------
[ 2141.025346] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
[ 2141.025348] gnome-shell/3018 [HC0[0]:SC1[1]:HE1:SE0] takes:
[ 2141.025350] ffffffffbbe6b600 (fs_reclaim){+.?.}-{0:0}, at: __kmem_cache_alloc_node+0x48/0x720
[ 2141.025360] {SOFTIRQ-ON-W} state was registered at:
[ 2141.025362]   lock_acquire+0xdc/0x2c0
[ 2141.025368]   fs_reclaim_acquire+0xaa/0xe0
[ 2141.025371]   __kmem_cache_alloc_node+0x48/0x720
[ 2141.025374]   __kmalloc_node+0x57/0x1a0
[ 2141.025376]   alloc_cpumask_var_node+0x1f/0x30
[ 2141.025380]   smp_prepare_cpus_common+0xce/0x180
[ 2141.025385]   native_smp_prepare_cpus+0xe/0xd0
[ 2141.025387]   kernel_init_freeable+0x284/0x560
[ 2141.025391]   kernel_init+0x1a/0x140
[ 2141.025395]   ret_from_fork+0x3c/0x60
[ 2141.025398]   ret_from_fork_asm+0x1b/0x30
[ 2141.025402] irq event stamp: 53750354
[ 2141.025404] hardirqs last  enabled at (53750354): [<ffffffffbb1fbd21>] _raw_spin_unlock_irqrestore+0x31/0x70
[ 2141.025408] hardirqs last disabled at (53750353): [<ffffffffbb1fb9b4>] _raw_spin_lock_irqsave+0x84/0xa0
[ 2141.025411] softirqs last  enabled at (53750290): [<ffffffffbb1fd6cd>] __do_softirq+0x2cd/0x3b7
[ 2141.025415] softirqs last disabled at (53750323): [<ffffffffba2d3fb0>] irq_exit_rcu+0xa0/0xe0
[ 2141.025419]
               other info that might help us debug this:
[ 2141.025420]  Possible unsafe locking scenario:

[ 2141.025422]        CPU0
[ 2141.025423]        ----
[ 2141.025424]   lock(fs_reclaim);
[ 2141.025426]   <Interrupt>
[ 2141.025427]     lock(fs_reclaim);
[ 2141.025429]
                *** DEADLOCK ***

[ 2141.025430] no locks held by gnome-shell/3018.
[ 2141.025432]
               stack backtrace:
[ 2141.025433] CPU: 2 PID: 3018 Comm: gnome-shell Tainted: G         C OE      6.6.0-rc1+ #15
[ 2141.025436] Hardware name: FUJITSU ESPRIMO P710/D3161-A1, BIOS V4.6.5.3 R1.16.0 for D3161-A1x 10/29/2012
[ 2141.025438] Call Trace:
[ 2141.025439]  <TASK>
[ 2141.025441]  dump_stack_lvl+0x5c/0xa0
[ 2141.025445]  dump_stack+0x10/0x20
[ 2141.025447]  print_usage_bug+0x22f/0x2c0
[ 2141.025452]  mark_lock.part.0+0x6bf/0x8a0
[ 2141.025456]  ? sched_clock_noinstr+0x9/0x10
[ 2141.025461]  __lock_acquire+0xb75/0x1de0
[ 2141.025465]  ? sched_clock_noinstr+0x9/0x10
[ 2141.025469]  lock_acquire+0xdc/0x2c0
[ 2141.025473]  ? __kmem_cache_alloc_node+0x48/0x720
[ 2141.025478]  fs_reclaim_acquire+0xaa/0xe0
[ 2141.025481]  ? __kmem_cache_alloc_node+0x48/0x720
[ 2141.025484]  __kmem_cache_alloc_node+0x48/0x720
[ 2141.025487]  ? ieee80211_rx_frame_softmac+0x2d3/0x1a10 [r8192u_usb]
[ 2141.025508]  kmalloc_trace+0x2a/0xc0
[ 2141.025510]  ? kmalloc_trace+0x2a/0xc0
[ 2141.025513]  ieee80211_rx_frame_softmac+0x2d3/0x1a10 [r8192u_usb]
[ 2141.025527]  ? ehci_urb_enqueue+0x12a/0x1020
[ 2141.025534]  ieee80211_rx+0xf44/0x1e60 [r8192u_usb]
[ 2141.025549]  ? __lock_acquire+0xbf3/0x1de0
[ 2141.025552]  ? __lock_acquire+0xbf3/0x1de0
[ 2141.025558]  rtl8192_rx_nomal+0x583/0x1180 [r8192u_usb]
[ 2141.025570]  ? sched_clock_noinstr+0x9/0x10
[ 2141.025573]  ? exc_page_fault+0x1b0/0x210
[ 2141.025580]  rtl8192_irq_rx_tasklet+0x8a/0xc0 [r8192u_usb]
[ 2141.025593]  tasklet_action_common.isra.0+0x10a/0x290
[ 2141.025597]  tasklet_action+0x2d/0x40
[ 2141.025600]  __do_softirq+0xca/0x3b7
[ 2141.025605]  irq_exit_rcu+0xa0/0xe0
[ 2141.025608]  common_interrupt+0x68/0xe0
[ 2141.025611]  asm_common_interrupt+0x27/0x40
[ 2141.025614] RIP: 0033:0x7f31fcbc5634
[ 2141.025617] Code: 89 c9 48 c7 c6 3f 00 00 00 48 d3 ef 48 85 ff 0f 84 96 fe ff ff 48 0f bc cf 0f b6 04 08 0f b6 14 0a 29 d0 c3 66 90 38 c8 75 1c <48> 83 c2 01 48 83 fa 40 0f 84 23 fe ff ff 0f b6 04 17 0f b6 0c 16
[ 2141.025620] RSP: 002b:00007fff36dad668 EFLAGS: 00000246
[ 2141.025623] RAX: 0000000000000072 RBX: 0000000000000000 RCX: 0000000000000072
[ 2141.025624] RDX: 0000000000000008 RSI: 0000563837956fc0 RDI: 000056383759c230
[ 2141.025626] RBP: 0000563837956fc0 R08: 000000000000e000 R09: 0000000000000000
[ 2141.025628] R10: 0000000000000001 R11: 00007f31fccca2e4 R12: 0000000000000012
[ 2141.025629] R13: 000056383759c270 R14: 0000563837e1a5a0 R15: 0000563837956fc0
[ 2141.025634]  </TASK>
[ 2141.025644] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:306
[ 2141.025647] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 3018, name: gnome-shell
[ 2141.025650] preempt_count: 100, expected: 0
[ 2141.025651] RCU nest depth: 0, expected: 0
[ 2141.025653] INFO: lockdep is turned off.
[ 2141.025654] Preemption disabled at:
[ 2141.025655] [<ffffffffbb1fd45e>] __do_softirq+0x5e/0x3b7
[ 2141.025659] CPU: 2 PID: 3018 Comm: gnome-shell Tainted: G         C OE      6.6.0-rc1+ #15
[ 2141.025662] Hardware name: FUJITSU ESPRIMO P710/D3161-A1, BIOS V4.6.5.3 R1.16.0 for D3161-A1x 10/29/2012
[ 2141.025663] Call Trace:
[ 2141.025664]  <TASK>
[ 2141.025666]  dump_stack_lvl+0x7d/0xa0
[ 2141.025669]  dump_stack+0x10/0x20
[ 2141.025672]  __might_resched+0x1be/0x2e0
[ 2141.025676]  __might_sleep+0x43/0x70
[ 2141.025679]  __kmem_cache_alloc_node+0x568/0x720
[ 2141.025682]  ? ieee80211_rx_frame_softmac+0x2d3/0x1a10 [r8192u_usb]
[ 2141.025698]  kmalloc_trace+0x2a/0xc0
[ 2141.025700]  ? kmalloc_trace+0x2a/0xc0
[ 2141.025703]  ieee80211_rx_frame_softmac+0x2d3/0x1a10 [r8192u_usb]
[ 2141.025716]  ? ehci_urb_enqueue+0x12a/0x1020
[ 2141.025721]  ieee80211_rx+0xf44/0x1e60 [r8192u_usb]
[ 2141.025735]  ? __lock_acquire+0xbf3/0x1de0
[ 2141.025738]  ? __lock_acquire+0xbf3/0x1de0
[ 2141.025744]  rtl8192_rx_nomal+0x583/0x1180 [r8192u_usb]
[ 2141.025756]  ? sched_clock_noinstr+0x9/0x10
[ 2141.025758]  ? exc_page_fault+0x1b0/0x210
[ 2141.025765]  rtl8192_irq_rx_tasklet+0x8a/0xc0 [r8192u_usb]
[ 2141.025778]  tasklet_action_common.isra.0+0x10a/0x290
[ 2141.025782]  tasklet_action+0x2d/0x40
[ 2141.025785]  __do_softirq+0xca/0x3b7
[ 2141.025790]  irq_exit_rcu+0xa0/0xe0
[ 2141.025793]  common_interrupt+0x68/0xe0
[ 2141.025796]  asm_common_interrupt+0x27/0x40
[ 2141.025798] RIP: 0033:0x7f31fcbc5634
[ 2141.025800] Code: 89 c9 48 c7 c6 3f 00 00 00 48 d3 ef 48 85 ff 0f 84 96 fe ff ff 48 0f bc cf 0f b6 04 08 0f b6 14 0a 29 d0 c3 66 90 38 c8 75 1c <48> 83 c2 01 48 83 fa 40 0f 84 23 fe ff ff 0f b6 04 17 0f b6 0c 16
[ 2141.025802] RSP: 002b:00007fff36dad668 EFLAGS: 00000246
[ 2141.025804] RAX: 0000000000000072 RBX: 0000000000000000 RCX: 0000000000000072
[ 2141.025806] RDX: 0000000000000008 RSI: 0000563837956fc0 RDI: 000056383759c230
[ 2141.025807] RBP: 0000563837956fc0 R08: 000000000000e000 R09: 0000000000000000
[ 2141.025809] R10: 0000000000000001 R11: 00007f31fccca2e4 R12: 0000000000000012
[ 2141.025811] R13: 000056383759c270 R14: 0000563837e1a5a0 R15: 0000563837956fc0
[ 2141.025815]  </TASK>
---
 .../rtl8192u/ieee80211/ieee80211_softmac.c    | 19 ++++++++-----------
 drivers/staging/rtl8192u/r8192U.h             |  1 +
 drivers/staging/rtl8192u/r8192U_core.c        |  6 ++++++
 3 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c
index 92001cb36730..ff5d6f5aeed1 100644
--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c
+++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c
@@ -12,6 +12,7 @@
  * Copyright who own it's copyright.
  */
 #include "ieee80211.h"
+#include "../r8192U.h"
 
 #include <linux/random.h>
 #include <linux/delay.h>
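Review bot: the new `#include "../r8192U.h"` makes the generic ieee80211 softmac layer depend on the driver-private struct r8192_priv, inverting the existing layering in which the driver uses the ieee80211 code and not the reverse. If the shared-buffer approach is kept, the pointer belongs in struct ieee80211_device, which this code already reaches through `ieee`, so no driver header would be needed here.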
@@ -1892,6 +1893,8 @@ ieee80211_rx_frame_softmac(struct ieee80211_device *ieee, struct sk_buff *skb,
 			   u16 stype)
 {
 	struct rtl_80211_hdr_3addr *header = (struct rtl_80211_hdr_3addr *)skb->data;
+	struct net_device *dev = ieee->dev;
+	struct r8192_priv *priv = ieee80211_priv(dev);
 	u16 errcode;
 	int aid;
 	struct ieee80211_assoc_response_frame *assoc_resp;
@@ -1917,12 +1920,7 @@ ieee80211_rx_frame_softmac(struct ieee80211_device *ieee, struct sk_buff *skb,
 		if ((ieee->softmac_features & IEEE_SOFTMAC_ASSOCIATE) &&
 		    ieee->state == IEEE80211_ASSOCIATING_AUTHENTICATED &&
 		    ieee->iw_mode == IW_MODE_INFRA) {
-			struct ieee80211_network *network;
-
-			network = kzalloc(sizeof(*network), GFP_KERNEL);
-			if (!network)
-				return -ENOMEM;
-
+			memset(priv->network, 0, sizeof(struct ieee80211_network));
 			errcode = assoc_parse(ieee, skb, &aid);
 			if (!errcode) {
 				ieee->state = IEEE80211_LINKED;
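Review bot: the minimal fix for a GFP_KERNEL allocation on a softirq path is `network = kzalloc(sizeof(*network), GFP_ATOMIC);`, which keeps the local allocation and its kfree() and avoids threading a driver-private buffer through the softmac code; if the shared buffer is intentional, the commit message should say why that alternative was rejected. If priv->network stays, write the clear as `memset(priv->network, 0, sizeof(*priv->network));`, and since one buffer now replaces a per-call allocation, state what guarantees that two association responses are never processed through this path at the same time.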
@@ -1934,15 +1932,15 @@ ieee80211_rx_frame_softmac(struct ieee80211_device *ieee, struct sk_buff *skb,
 					assoc_resp = (struct ieee80211_assoc_response_frame *)skb->data;
 					if (ieee80211_parse_info_param(ieee, assoc_resp->info_element,\
 								       rx_stats->len - sizeof(*assoc_resp), \
-								       network, rx_stats)) {
+								       priv->network, rx_stats)) {
 						return 1;
 					} else {
 						//filling the PeerHTCap. //maybe not necessary as we can get its info from current_network.
-						memcpy(ieee->pHTInfo->PeerHTCapBuf, network->bssht.bdHTCapBuf, network->bssht.bdHTCapLen);
-						memcpy(ieee->pHTInfo->PeerHTInfoBuf, network->bssht.bdHTInfoBuf, network->bssht.bdHTInfoLen);
+						memcpy(ieee->pHTInfo->PeerHTCapBuf, priv->network->bssht.bdHTCapBuf, priv->network->bssht.bdHTCapLen);
+						memcpy(ieee->pHTInfo->PeerHTInfoBuf, priv->network->bssht.bdHTInfoBuf, priv->network->bssht.bdHTInfoLen);
 					}
 					if (ieee->handle_assoc_response)
-						ieee->handle_assoc_response(ieee->dev, (struct ieee80211_assoc_response_frame *)header, network);
+						ieee->handle_assoc_response(ieee->dev, (struct ieee80211_assoc_response_frame *)header, priv->network);
 				}
 				ieee80211_associate_complete(ieee);
 			} else {
@@ -1957,7 +1955,6 @@ ieee80211_rx_frame_softmac(struct ieee80211_device *ieee, struct sk_buff *skb,
 				else
 					ieee80211_associate_abort(ieee);
 			}
-			kfree(network);
 		}
 		break;
 
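Review bot: dropping `kfree(network);` here also removes a leak in the replaced code: when ieee80211_parse_info_param() returns non-zero, the `return 1;` above left the function before the kfree(), so every association response with unparseable information elements leaked one struct ieee80211_network. Mention that in the commit message, since it is a behaviour change beyond the invalid-context bug named in the subject.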
diff --git a/drivers/staging/rtl8192u/r8192U.h b/drivers/staging/rtl8192u/r8192U.h
index ff0ada00bf41..672bd19e4db7 100644
--- a/drivers/staging/rtl8192u/r8192U.h
+++ b/drivers/staging/rtl8192u/r8192U.h
@@ -908,6 +908,7 @@ typedef struct r8192_priv {
 
 	struct	ChnlAccessSetting  ChannelAccessSetting;
 	struct work_struct reset_wq;
+	struct ieee80211_network *network;
 
 /**********************************************************/
 	/* For rtl819xUsb */
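Review bot: the new `struct ieee80211_network *network;` member deserves a comment stating what it holds (the network parsed from the association response in ieee80211_rx_frame_softmac()) and that it is allocated once in rtl8192_init_priv_variable(); nothing in the surrounding block hints at its purpose or lifetime.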
diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c
index bf6d93de7a74..060475017d0d 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -1990,6 +1990,10 @@ static int rtl8192_init_priv_variable(struct net_device *dev)
 	if (!priv->pFirmware)
 		return -ENOMEM;
 
+	priv->network = kzalloc(sizeof(*priv->network), GFP_KERNEL);
+	if (!priv->network)
+		return -ENOMEM;
+
 	/* rx related queue */
 	skb_queue_head_init(&priv->rx_queue);
 	skb_queue_head_init(&priv->skb_queue);
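Review bot: on the new `return -ENOMEM;` the priv->pFirmware allocated just above is still held; that is only acceptable if every caller of rtl8192_init_priv_variable() reaches the probe `fail:` label that frees both, which this hunk does not show, so either confirm that in the commit message or free pFirmware here before returning. GFP_KERNEL is correct in this init context; the commit body should spell out that the buffer is pre-allocated here precisely so the softirq path in ieee80211_rx_frame_softmac() no longer has to allocate.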
@@ -4572,6 +4576,8 @@ static int rtl8192_usb_probe(struct usb_interface *intf,
 fail:
 	kfree(priv->pFirmware);
 	priv->pFirmware = NULL;
+	kfree(priv->network);
+	priv->network = NULL;
 	rtl8192_usb_deleteendpoints(dev);
 	msleep(10);
 	free_ieee80211(dev);
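Review bot: priv->network is freed only on the probe `fail:` path; the normal teardown on USB disconnect, which must also release priv->pFirmware, is not touched by this patch, so unless that free already exists elsewhere the buffer leaks on every device removal. Add the matching `kfree(priv->network);` there, mirroring the pFirmware handling shown in this hunk.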
-- 
2.42.0



* Re: [RFC PATCH 0/2] staging: rtl8192u: Fix two crashing bugs
From: Greg Kroah-Hartman @ 2023-10-12  6:35 UTC (permalink / raw)
  To: Philipp Hortmann; +Cc: linux-staging, linux-kernel

On Thu, Oct 12, 2023 at 08:02:58AM +0200, Philipp Hortmann wrote:
> Question: Fix or remove rtl8192u?

We should remove it if it's obviously broken and no one has reported it
in a very long time.

> I found a USB WLAN stick with an rtl8192u. I got it last Saturday and
> found out that the firmware is missing in my Ubuntu 20.04. I found it on
> the web and fixed it. When I started the driver, my computer crashed. The
> missing part was: priv->priv_wq = alloc_workqueue("priv_wq", 0, 0);
> Fixing this, the next error was a network = kzalloc(sizeof(*network),
> GFP_KERNEL); in the wrong context, which leads to a crash of my computer.
> Fixing this, the next error depends more on what I do with the stick.
> 
> When lucky, the connection is built up and I can surf and download several gigabytes at maximum speed (12.5 MB/s).

Do you want to keep it here so that you can maintain it and keep it
working?

thanks,

greg k-h

