From: Philipp Hortmann <philipp.g.hortmann@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 0/2] staging: rtl8192u: Fix two crashing bugs
Date: Thu, 12 Oct 2023 08:02:58 +0200	[thread overview]
Message-ID: <cover.1697089416.git.philipp.g.hortmann@gmail.com> (raw)

Question: Fix or remove rtl8192u?

I found a USB WLAN stick with an rtl8192u. I got it last Saturday and 
found out that the firmware is missing in my Ubuntu 20.04. I found it on 
the web and fixed it. When I started the driver my computer crashed. The 
missing part was: priv->priv_wq = alloc_workqueue("priv_wq", 0, 0); 
After fixing this, the next error was a network = kzalloc(sizeof(*network), 
GFP_KERNEL); in the wrong context, which leads to a crash of my computer. 
After fixing this, the next error depends more on what I do with the stick.

When lucky, the connection is built up and I can surf and download at maximum speed (12,5MB/s) for several gigabytes.

But when I open the window to see other stations, the computer crashes again. Find a possible dump at the end.

Hint from Arnd Bergmann on 10/11/23:
https://lore.kernel.org/linux-staging/db98d9ac-7650-4a72-8eb9-4def1f17ea0d@app.fastmail.com/T/#t
I see the two bugs were introduced in 2016 by commit 1761a85c3bed3
("staging: rtl8192u: Remove create_workqueue()") and in 2021 by
commit 061e390b7c87f ("staging: rtl8192u: ieee80211_softmac: Move a
large data struct onto the heap"), so it's been broken for a while.

[  +0.043662] alg name:CCMP
[  +0.724234] rtl819xU 1-1.6:1.0 wlan0: ====================>rx ADDBAREQ from :9c:a2:f4:67:5d:c0
[  +0.000016] rtl819xU 1-1.6:1.0 wlan0: =====>to send ADDBARSP
[Oct10 00:42] BUG: kernel NULL pointer dereference, address: 00000000000001c0
[  +0.000008] #PF: supervisor read access in kernel mode
[  +0.000002] #PF: error_code(0x0000) - not-present page
[  +0.000002] PGD 0 P4D 0 
[  +0.000004] Oops: 0000 [#1] PREEMPT SMP PTI
[  +0.000003] CPU: 0 PID: 1246 Comm: wpa_supplicant Tainted: G         C OE      6.6.0-rc1+ #15
[  +0.000003] Hardware name: FUJITSU ESPRIMO P710/D3161-A1, BIOS V4.6.5.3 R1.16.0 for D3161-A1x 10/29/2012
[  +0.000002] RIP: 0010:__queue_work+0x38/0x610
[  +0.000005] Code: 89 fe 41 55 41 54 49 89 d4 53 48 89 f3 48 83 ec 18 8b 0d 43 23 ce 01 85 c9 74 0f 65 8b 05 c0 af ee 45 85 c0 0f 84 da 02 00 00 <f7> 83 c0 01 00 00 00 80 01 00 0f 85 eb 02 00 00 e8 33 d6 0a 00 31
[  +0.000003] RSP: 0018:ffffc90002e6bc28 EFLAGS: 00010046
[  +0.000002] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[  +0.000002] RDX: ffff88817ff1a8d8 RSI: 0000000000000000 RDI: 0000000000002000
[  +0.000002] RBP: ffffc90002e6bc68 R08: 0000000000000000 R09: 0000000000000000
[  +0.000001] R10: ffffc90002e6bca0 R11: ffffffffc0fff3e2 R12: ffff88817ff1a8d8
[  +0.000002] R13: 0000000000000001 R14: 0000000000002000 R15: 0000000000000000
[  +0.000002] FS:  00007f9be4ad9140(0000) GS:ffff888215400000(0000) knlGS:0000000000000000
[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.000002] CR2: 00000000000001c0 CR3: 00000001127ce005 CR4: 00000000001706f0
[  +0.000002] Call Trace:
[  +0.000002]  <TASK>
[  +0.000011]  ? show_regs+0x68/0x70
[  +0.000005]  ? __die_body+0x20/0x70
[  +0.000004]  ? __die+0x2b/0x40
[  +0.000003]  ? page_fault_oops+0x160/0x480
[  +0.000003]  ? search_bpf_extables+0xad/0x160
[  +0.000004]  ? __queue_work+0x38/0x610
[  +0.000002]  ? search_exception_tables+0x5f/0x70
[  +0.000004]  ? kernelmode_fixup_or_oops+0xa2/0x120
[  +0.000011]  ? __bad_area_nosemaphore+0x197/0x250
[  +0.000003]  ? up_read+0xc3/0x270
[  +0.000004]  ? bad_area_nosemaphore+0x16/0x20
[  +0.000002]  ? do_user_addr_fault+0x34d/0xa40
[  +0.000004]  ? exc_page_fault+0x84/0x210
[  +0.000005]  ? asm_exc_page_fault+0x27/0x30
[  +0.000006]  ? ieee80211_wx_set_scan+0x22/0x80 [r8192u_usb]
[  +0.000022]  ? __queue_work+0x38/0x610
[  +0.000003]  ? debug_smp_processor_id+0x17/0x20
[  +0.000004]  queue_work_on+0x7e/0x80
[  +0.000003]  ieee80211_wx_set_scan+0x77/0x80 [r8192u_usb]
[  +0.000016]  r8192_wx_set_scan+0x128/0x190 [r8192u_usb]
[  +0.000014]  ioctl_standard_iw_point+0x2e6/0x390
[  +0.000004]  ? __pfx_r8192_wx_set_scan+0x10/0x10 [r8192u_usb]
[  +0.000014]  ? sched_clock_noinstr+0x9/0x10
[  +0.000003]  ? local_clock_noinstr+0x10/0xd0
[  +0.000004]  ioctl_standard_call+0xaa/0xe0
[  +0.000003]  ? netdev_name_node_lookup+0x65/0x90
[  +0.000003]  ? __pfx_ioctl_private_call+0x10/0x10
[  +0.000003]  ? __pfx_ioctl_standard_call+0x10/0x10
[  +0.000004]  wireless_process_ioctl+0x149/0x170
[  +0.000004]  wext_handle_ioctl+0x9e/0x100
[  +0.000005]  sock_ioctl+0x203/0x340
[  +0.000005]  ? syscall_enter_from_user_mode+0x21/0x60
[  +0.000004]  __x64_sys_ioctl+0x98/0xd0
[  +0.000005]  do_syscall_64+0x3b/0x90
[  +0.000004]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  +0.000003] RIP: 0033:0x7f9be47223ab
[  +0.000003] Code: 0f 1e fa 48 8b 05 e5 7a 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b5 7a 0d 00 f7 d8 64 89 01 48
[  +0.000002] RSP: 002b:00007ffdecbeeed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  +0.000003] RAX: ffffffffffffffda RBX: 000055e97efd0580 RCX: 00007f9be47223ab
[  +0.000002] RDX: 00007ffdecbeeee0 RSI: 0000000000008b18 RDI: 0000000000000009
[  +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
[  +0.000002] R10: 00007ffdecbfa080 R11: 0000000000000246 R12: 000055e97efa4db0
[  +0.000001] R13: 0000000000000000 R14: 00007ffdecbeeee0 R15: 000055e97efa27c8
[  +0.000005]  </TASK>
[  +0.000001] Modules linked in: ccm r8192u_usb(COE) cfg80211 lib80211 libarc4 xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c xt_addrtype iptable_filter bpfilter br_netfilter bridge stp llc overlay nls_iso8859_1 snd_hda_codec_hdmi snd_hda_codec_conexant snd_hda_codec_generic ledtrig_audio intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_hda_intel sch5627 mei_hdcp snd_intel_dspcfg aesni_intel snd_intel_sdw_acpi crypto_simd binfmt_misc snd_hda_codec cryptd i915 snd_hda_core rapl sch56xx_common snd_hwdep intel_cstate joydev snd_pcm input_leds snd_seq_midi serio_raw snd_seq_midi_event at24 drm_buddy snd_rawmidi snd_seq ttm snd_seq_device drm_display_helper cec snd_timer rc_core drm_kms_helper snd mei_me i2c_algo_bit tpm_infineon soundcore mei mac_hid sch_fq_codel msr parport_pc ppdev lp parport drm ramoops reed_solomon
[  +0.000063]  efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 crc32_pclmul i2c_smbus ahci e1000e lpc_ich libahci xhci_pci xhci_pci_renesas video wmi
[  +0.000016] CR2: 00000000000001c0
[  +0.000003] ---[ end trace 0000000000000000 ]---
[  +0.000973] pstore: backend (efi_pstore) writing error (-5)
[  +0.000003] RIP: 0010:__queue_work+0x38/0x610
[  +0.000003] Code: 89 fe 41 55 41 54 49 89 d4 53 48 89 f3 48 83 ec 18 8b 0d 43 23 ce 01 85 c9 74 0f 65 8b 05 c0 af ee 45 85 c0 0f 84 da 02 00 00 <f7> 83 c0 01 00 00 00 80 01 00 0f 85 eb 02 00 00 e8 33 d6 0a 00 31
[  +0.000002] RSP: 0018:ffffc90002e6bc28 EFLAGS: 00010046
[  +0.000003] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[  +0.000002] RDX: ffff88817ff1a8d8 RSI: 0000000000000000 RDI: 0000000000002000
[  +0.000001] RBP: ffffc90002e6bc68 R08: 0000000000000000 R09: 0000000000000000
[  +0.000002] R10: ffffc90002e6bca0 R11: ffffffffc0fff3e2 R12: ffff88817ff1a8d8
[  +0.000001] R13: 0000000000000001 R14: 0000000000002000 R15: 0000000000000000
[  +0.000002] FS:  00007f9be4ad9140(0000) GS:ffff888215400000(0000) knlGS:0000000000000000
[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.000002] CR2: 00000000000001c0 CR3: 00000001127ce005 CR4: 00000000001706f0
[  +0.000002] note: wpa_supplicant[1246] exited with irqs disabled


Philipp Hortmann (2):
  staging: rtl8192u: Fix missing alloc_workqueue()
  staging: rtl8192u: Fix sleeping kzalloc() called from invalid context

 .../rtl8192u/ieee80211/ieee80211_softmac.c    | 19 ++++++++-----------
 drivers/staging/rtl8192u/r8192U.h             |  1 +
 drivers/staging/rtl8192u/r8192U_core.c        | 12 ++++++++++++
 3 files changed, 21 insertions(+), 11 deletions(-)

-- 
2.42.0
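The oops quoted in the cover letter is what a maintainer has to read first, so here is an added triage helper (not part of the cover letter, the patches or the driver) that parses a constructed subset of those very lines, keeps only the frames the unwinder verified (the ones not prefixed with "?"), and reports the NULL-plus-offset fault, the zeroed base registers and the first frame inside a module. On this dump it yields offset 0x1c0 at __queue_work with RBX = 0 and ieee80211_wx_set_scan in r8192u_usb as the caller, which matches the never-allocated priv_wq being handed to queue_work() as described above; PAGE_SIZE = 4096 is an assumption for x86-64.

```python
import re

# Constructed sample: a subset of the oops lines quoted in the cover letter above.
SAMPLE_OOPS = """\
[Oct10 00:42] BUG: kernel NULL pointer dereference, address: 00000000000001c0
[  +0.000003] CPU: 0 PID: 1246 Comm: wpa_supplicant Tainted: G         C OE      6.6.0-rc1+ #15
[  +0.000002] RIP: 0010:__queue_work+0x38/0x610
[  +0.000002] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[  +0.000002] RDX: ffff88817ff1a8d8 RSI: 0000000000000000 RDI: 0000000000002000
[  +0.000004]  ? __queue_work+0x38/0x610
[  +0.000004]  queue_work_on+0x7e/0x80
[  +0.000003]  ieee80211_wx_set_scan+0x77/0x80 [r8192u_usb]
[  +0.000016]  r8192_wx_set_scan+0x128/0x190 [r8192u_usb]
"""

PAGE_SIZE = 4096         # assumed x86-64 base page: a fault address below it is "NULL + field offset"
_TS = r"^\[[^\]]*\]\s*"  # the "[  +0.000002] " dmesg timestamp prefix
_REG = re.compile(r"\b(R[A-Z0-9]{2}):\s*([0-9a-f]{16})")
_FRAME = re.compile(_TS + r"(\?\s+)?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)(?:\s+\[(\S+)\])?$")

def parse_oops(text):
    """Pull the fault address, RIP, registers, taint flags and reliable frames out of an oops."""
    info = {"fault_addr": None, "rip": None, "regs": {}, "trace": [], "tainted": ""}
    for line in text.splitlines():
        body = re.sub(_TS, "", line)
        if m := re.match(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)", body):
            info["fault_addr"] = int(m.group(1), 16)
        elif m := re.match(r"RIP: \w+:(\S+)", body):
            info["rip"] = m.group(1)
        elif m := re.search(r"Tainted: ([A-Z ]+?)\s{2,}\d", body):
            info["tainted"] = m.group(1).replace(" ", "")
        elif body.startswith(("RAX:", "RDX:", "RBP:", "R10:", "R13:")):
            info["regs"].update({r: int(v, 16) for r, v in _REG.findall(body)})
        elif m := _FRAME.match(line):
            # "? " frames are stale stack words the unwinder could not verify; skip them.
            if not m.group(1):
                info["trace"].append((m.group(2), m.group(3)))
    return info

def triage(info):
    """The facts a bug report needs first: fault kind, NULL candidates, module to blame."""
    addr = info["fault_addr"]
    fn, mod = next(((f, m) for f, m in info["trace"] if m), (None, None))
    return {"kind": "NULL-plus-offset" if addr is not None and addr < PAGE_SIZE else "other",
            "offset": addr, "rip": info["rip"],
            "zero_regs": sorted(r for r, v in info["regs"].items() if v == 0),
            "first_module_frame": fn, "module": mod,  # driver code that called the faulting helper
            "staging": "C" in info["tainted"]}        # 'C' taint flag = staging driver loaded
```

Feeding the full dump from the cover letter instead of the subset gives the same verdict; the register lines after "end trace" are a repeat and simply overwrite identical values.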


Thread overview: 4+ messages
2023-10-12  6:02 Philipp Hortmann [this message]
2023-10-12  6:03 ` [RFC PATCH 1/2] staging: rtl8192u: Fix missing alloc_workqueue() Philipp Hortmann
2023-10-12  6:03 ` [RFC PATCH 2/2] staging: rtl8192u: Fix sleeping kzalloc() called from invalid context Philipp Hortmann
2023-10-12  6:35 ` [RFC PATCH 0/2] staging: rtl8192u: Fix two crashing bugs Greg Kroah-Hartman
