linux-staging.lists.linux.dev archive mirror
* [PATCH 0/4] staging: rtl8192e: Resolve circular locking with wx_mutex
From: Philipp Hortmann @ 2023-09-24 19:50 UTC
  To: Greg Kroah-Hartman, linux-staging, linux-kernel

Resolve circular locking with wx_mutex, rx_pkt_pending_timer and
reorder_spinlock.

Tested with rtl8192e (WLL6130-D99) in Mode n (12.5 MB/s)
Transferred this patch over wlan connection of rtl8192e.

Philipp Hortmann (4):
  staging: rtl8192e: Put kfree() to end of rtllib_softmac_free()
  staging: rtl8192e: Remove mutex from rtllib_softmac_free()
  staging: rtl8192e: Unlock mutex for one line in rtllib_stop_protocol()
  staging: rtl8192e: Resolve circular locking with rx_pkt_pending_timer

 drivers/staging/rtl8192e/rtllib_rx.c      | 4 ++++
 drivers/staging/rtl8192e/rtllib_softmac.c | 9 +++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

-- 
2.42.0



* [PATCH 1/4] staging: rtl8192e: Put kfree() to end of rtllib_softmac_free()
From: Philipp Hortmann @ 2023-09-24 19:50 UTC
  To: Greg Kroah-Hartman, linux-staging, linux-kernel

To reverse order of initialization put kfree() to the end of
rtllib_softmac_free().

Signed-off-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
---
 drivers/staging/rtl8192e/rtllib_softmac.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8192e/rtllib_softmac.c b/drivers/staging/rtl8192e/rtllib_softmac.c
index 982578e1c0af..d3468b646ca8 100644
--- a/drivers/staging/rtl8192e/rtllib_softmac.c
+++ b/drivers/staging/rtl8192e/rtllib_softmac.c
@@ -2462,8 +2462,6 @@ int rtllib_softmac_init(struct rtllib_device *ieee)
 void rtllib_softmac_free(struct rtllib_device *ieee)
 {
 	mutex_lock(&ieee->wx_mutex);
-	kfree(ieee->dot11d_info);
-	ieee->dot11d_info = NULL;
 	del_timer_sync(&ieee->associate_timer);
 
 	cancel_delayed_work_sync(&ieee->associate_retry_wq);
@@ -2476,6 +2474,9 @@ void rtllib_softmac_free(struct rtllib_device *ieee)
 	cancel_work_sync(&ieee->ips_leave_wq);
 	cancel_work_sync(&ieee->wx_sync_scan_wq);
 	cancel_work_sync(&ieee->ps_task);
+
+	kfree(ieee->dot11d_info);
+	ieee->dot11d_info = NULL;
 	mutex_unlock(&ieee->wx_mutex);
 }
 
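Review bot: the changelog gives only "reverse order of initialization" as the reason for moving kfree(ieee->dot11d_info) below the cancel_work_sync() calls in this second hunk. If any of the cancelled work items or the associate_timer handler can still read ieee->dot11d_info, the old order left a use-after-free window and the commit message should say so (and probably carry a Fixes: tag); if none can, say that instead so the reordering is not mistaken for a behavioural fix. The cancel_*_sync() calls are also still made under wx_mutex after this patch, so the lockdep report quoted in 2/4 remains reproducible at this point in the series.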
-- 
2.42.0



* [PATCH 2/4] staging: rtl8192e: Remove mutex from rtllib_softmac_free()
From: Philipp Hortmann @ 2023-09-24 19:50 UTC
  To: Greg Kroah-Hartman, linux-staging, linux-kernel

The following commands use the mutex ieee->wx_mutex:
cancel_delayed_work_sync(&ieee->associate_retry_wq)
cancel_delayed_work_sync(&ieee->associate_procedure_wq)
cancel_work_sync(&ieee->wx_sync_scan_wq)
Therefore they cannot be canceled with ieee->wx_mutex locked. As the
work functions are executed time shifted during normal operation of the
driver, proper locking can only be done inside the functions.

Signed-off-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
---
Tested with rtl8192e (WLL6130-D99) in Mode n (12.5 MB/s)
Transferred this patch over wlan connection of rtl8192e.

[  261.339100] ======================================================
[  261.339102] WARNING: possible circular locking dependency detected
[  261.339103] 6.6.0-rc1+ #15 Tainted: G         C OE
[  261.339105] ------------------------------------------------------
[  261.339106] rmmod/6566 is trying to acquire lock:
[  261.339109] ffff888113ca8800 ((work_completion)(&(&ieee->associate_procedure_wq)->work)){+.+.}-{0:0}, at: __flush_work+0x4d/0x490
[  261.339118]
               but task is already holding lock:
[  261.339119] ffff888113ca7aa0 (&ieee->wx_mutex){+.+.}-{4:4}, at: rtllib_softmac_free+0x20/0xd0 [rtllib]
[  261.339134]
               which lock already depends on the new lock.

[  261.339136]
               the existing dependency chain (in reverse order) is:
[  261.339137]
               -> #1 (&ieee->wx_mutex){+.+.}-{4:4}:
[  261.339140]        __mutex_lock+0x99/0xce0
[  261.339146]        mutex_lock_nested+0x1b/0x30
[  261.339149]        rtllib_associate_procedure_wq+0x5b/0x4b0 [rtllib]
[  261.339159]        process_scheduled_works+0x308/0x580
[  261.339161]        worker_thread+0x19b/0x360
[  261.339163]        kthread+0x116/0x150
[  261.339166]        ret_from_fork+0x3c/0x60
[  261.339170]        ret_from_fork_asm+0x1b/0x30
[  261.339174]
               -> #0 ((work_completion)(&(&ieee->associate_procedure_wq)->work)){+.+.}-{0:0}:
[  261.339177]        __lock_acquire+0x12e0/0x1de0
[  261.339182]        lock_acquire+0xdc/0x2c0
[  261.339185]        __flush_work+0x6d/0x490
[  261.339187]        __cancel_work_timer+0x137/0x1c0
[  261.339190]        cancel_delayed_work_sync+0x13/0x20
[  261.339192]        rtllib_softmac_free+0x5b/0xd0 [rtllib]
[  261.339201]        free_rtllib+0x27/0x70 [rtllib]
[  261.339209]        _rtl92e_pci_disconnect+0xaf/0x140 [r8192e_pci]
[  261.339217]        pci_device_remove+0x39/0xb0
[  261.339221]        device_remove+0x46/0x70
[  261.339225]        device_release_driver_internal+0xb9/0x140
[  261.339228]        driver_detach+0x4d/0xa0
[  261.339231]        bus_remove_driver+0x6e/0xf0
[  261.339233]        driver_unregister+0x31/0x50
[  261.339236]        pci_unregister_driver+0x40/0x90
[  261.339239]        rtl8192_pci_driver_exit+0x10/0x380 [r8192e_pci]
[  261.339247]        __do_sys_delete_module.isra.0+0x187/0x2f0
[  261.339251]        __x64_sys_delete_module+0x12/0x20
[  261.339254]        do_syscall_64+0x3b/0x90
[  261.339257]        entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  261.339261]
               other info that might help us debug this:

[  261.339262]  Possible unsafe locking scenario:

[  261.339263]        CPU0                    CPU1
[  261.339264]        ----                    ----
[  261.339265]   lock(&ieee->wx_mutex);
[  261.339268]                                lock((work_completion)(&(&ieee->associate_procedure_wq)->work));
[  261.339270]                                lock(&ieee->wx_mutex);
[  261.339272]   lock((work_completion)(&(&ieee->associate_procedure_wq)->work));
[  261.339274]
                *** DEADLOCK ***

[  261.339275] 2 locks held by rmmod/6566:
[  261.339277]  #0: ffff8881015d51b0 (&dev->mutex){....}-{4:4}, at: __device_driver_lock+0x2d/0x50
[  261.339283]  #1: ffff888113ca7aa0 (&ieee->wx_mutex){+.+.}-{4:4}, at: rtllib_softmac_free+0x20/0xd0 [rtllib]
[  261.339295]
               stack backtrace:
[  261.339296] CPU: 1 PID: 6566 Comm: rmmod Tainted: G         C OE      6.6.0-rc1+ #15
[  261.339299] Hardware name: FUJITSU ESPRIMO P710/D3161-A1, BIOS V4.6.5.3 R1.16.0 for D3161-A1x 10/29/2012
[  261.339301] Call Trace:
[  261.339302]  <TASK>
[  261.339304]  dump_stack_lvl+0x5c/0xa0
[  261.339309]  dump_stack+0x10/0x20
[  261.339311]  print_circular_bug.isra.0+0x300/0x440
[  261.339316]  check_noncircular+0x136/0x150
[  261.339319]  ? register_lock_class+0x4c/0x460
[  261.339322]  ? __bfs+0x110/0x250
[  261.339326]  __lock_acquire+0x12e0/0x1de0
[  261.339330]  ? hugetlb_init+0x5b2/0x720
[  261.339335]  lock_acquire+0xdc/0x2c0
[  261.339339]  ? __flush_work+0x4d/0x490
[  261.339342]  ? __this_cpu_preempt_check+0x13/0x20
[  261.339345]  ? lock_release+0x14f/0x380
[  261.339349]  __flush_work+0x6d/0x490
[  261.339352]  ? __flush_work+0x4d/0x490
[  261.339354]  ? lock_timer_base+0x72/0xa0
[  261.339357]  ? __this_cpu_preempt_check+0x13/0x20
[  261.339359]  ? lock_acquired+0xef/0x3b0
[  261.339362]  ? sched_clock_noinstr+0x9/0x10
[  261.339367]  ? __cancel_work_timer+0x10d/0x1c0
[  261.339369]  ? __this_cpu_preempt_check+0x13/0x20
[  261.339373]  __cancel_work_timer+0x137/0x1c0
[  261.339377]  cancel_delayed_work_sync+0x13/0x20
[  261.339380]  rtllib_softmac_free+0x5b/0xd0 [rtllib]
[  261.339389]  free_rtllib+0x27/0x70 [rtllib]
[  261.339397]  _rtl92e_pci_disconnect+0xaf/0x140 [r8192e_pci]
[  261.339406]  pci_device_remove+0x39/0xb0
[  261.339410]  device_remove+0x46/0x70
[  261.339413]  device_release_driver_internal+0xb9/0x140
[  261.339417]  driver_detach+0x4d/0xa0
[  261.339420]  bus_remove_driver+0x6e/0xf0
[  261.339424]  driver_unregister+0x31/0x50
[  261.339427]  pci_unregister_driver+0x40/0x90
[  261.339431]  rtl8192_pci_driver_exit+0x10/0x380 [r8192e_pci]
[  261.339439]  __do_sys_delete_module.isra.0+0x187/0x2f0
[  261.339442]  ? syscall_enter_from_user_mode+0x21/0x60
[  261.339446]  ? lockdep_hardirqs_on+0x86/0x110
[  261.339450]  __x64_sys_delete_module+0x12/0x20
[  261.339454]  do_syscall_64+0x3b/0x90
[  261.339457]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  261.339461] RIP: 0033:0x7f3b2132da6b
[  261.339480]  </TASK>
---
 drivers/staging/rtl8192e/rtllib_softmac.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/staging/rtl8192e/rtllib_softmac.c b/drivers/staging/rtl8192e/rtllib_softmac.c
index d3468b646ca8..c874468d075c 100644
--- a/drivers/staging/rtl8192e/rtllib_softmac.c
+++ b/drivers/staging/rtl8192e/rtllib_softmac.c
@@ -2461,7 +2461,6 @@ int rtllib_softmac_init(struct rtllib_device *ieee)
 
 void rtllib_softmac_free(struct rtllib_device *ieee)
 {
-	mutex_lock(&ieee->wx_mutex);
 	del_timer_sync(&ieee->associate_timer);
 
 	cancel_delayed_work_sync(&ieee->associate_retry_wq);
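Review bot: with mutex_lock(&ieee->wx_mutex) dropped at the top of rtllib_softmac_free(), nothing in this function stops another wx_mutex holder from re-queuing associate_retry_wq or re-arming associate_timer after it has been cancelled here. The quoted trace reaches this function through free_rtllib() from _rtl92e_pci_disconnect(); please state in the changelog whether the net device is already unregistered and the interface stopped by then, so that no ioctl or work item can schedule new work during teardown.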
@@ -2477,7 +2476,6 @@ void rtllib_softmac_free(struct rtllib_device *ieee)
 
 	kfree(ieee->dot11d_info);
 	ieee->dot11d_info = NULL;
-	mutex_unlock(&ieee->wx_mutex);
 }
 
 static inline struct sk_buff *
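Review bot: kfree(ieee->dot11d_info) and the NULL store now run without wx_mutex, so they are safe only if every user of dot11d_info is gone once the cancel_*_sync() calls above have returned. A short comment before the kfree() saying that all timers and work items are stopped at this point would record that assumption for later changes to this function.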
-- 
2.42.0



* [PATCH 3/4] staging: rtl8192e: Unlock mutex for one line in rtllib_stop_protocol()
From: Philipp Hortmann @ 2023-09-24 19:51 UTC
  To: Greg Kroah-Hartman, linux-staging, linux-kernel

The following command uses the mutex ieee->wx_mutex:
cancel_delayed_work_sync(&ieee->associate_retry_wq)
Therefore it cannot be canceled with ieee->wx_mutex locked.
rtllib_stop_protocol() is always called with ieee->wx_mutex locked so
according line can be unlocked.

Signed-off-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
---
[  848.458088] ======================================================
[  848.458089] WARNING: possible circular locking dependency detected
[  848.458091] 6.6.0-rc1+ #15 Tainted: G         C OE
[  848.458102] ------------------------------------------------------
[  848.458103] kworker/0:9/346 is trying to acquire lock:
[  848.458104] ffff88817dc37aa0 (&ieee->wx_mutex){+.+.}-{4:4}, at: rtllib_associate_retry_wq+0x2d/0xb0 [rtllib]
[  848.458121]
               but task is already holding lock:
[  848.458122] ffffc900017cfe38 ((work_completion)(&(&ieee->associate_retry_wq)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x27f/0x580
[  848.458129]
               which lock already depends on the new lock.

[  848.458130]
               the existing dependency chain (in reverse order) is:
[  848.458131]
               -> #1 ((work_completion)(&(&ieee->associate_retry_wq)->work)){+.+.}-{0:0}:
[  848.458134]        __flush_work+0x6d/0x490
[  848.458137]        __cancel_work_timer+0x137/0x1c0
[  848.458140]        cancel_delayed_work_sync+0x13/0x20
[  848.458142]        rtllib_stop_protocol.part.0+0x49/0x120 [rtllib]
[  848.458151]        rtllib_stop_protocol+0x1c/0x30 [rtllib]
[  848.458159]        rtllib_wx_set_essid+0x12a/0x150 [rtllib]
[  848.458167]        _rtl92e_wx_set_essid+0x4e/0xa0 [r8192e_pci]
[  848.458176]        ioctl_standard_iw_point+0x2e6/0x390
[  848.458180]        ioctl_standard_call+0xaa/0xe0
[  848.458183]        wireless_process_ioctl+0x149/0x170
[  848.458185]        wext_handle_ioctl+0x9e/0x100
[  848.458188]        sock_ioctl+0x203/0x340
[  848.458192]        __x64_sys_ioctl+0x98/0xd0
[  848.458195]        do_syscall_64+0x3b/0x90
[  848.458198]        entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  848.458202]
               -> #0 (&ieee->wx_mutex){+.+.}-{4:4}:
[  848.458206]        __lock_acquire+0x12e0/0x1de0
[  848.458209]        lock_acquire+0xdc/0x2c0
[  848.458212]        __mutex_lock+0x99/0xce0
[  848.458216]        mutex_lock_nested+0x1b/0x30
[  848.458219]        rtllib_associate_retry_wq+0x2d/0xb0 [rtllib]
[  848.458227]        process_scheduled_works+0x308/0x580
[  848.458229]        worker_thread+0x19b/0x360
[  848.458231]        kthread+0x116/0x150
[  848.458234]        ret_from_fork+0x3c/0x60
[  848.458237]        ret_from_fork_asm+0x1b/0x30
[  848.458242]
               other info that might help us debug this:

[  848.458243]  Possible unsafe locking scenario:

[  848.458244]        CPU0                    CPU1
[  848.458245]        ----                    ----
[  848.458246]   lock((work_completion)(&(&ieee->associate_retry_wq)->work));
[  848.458248]                                lock(&ieee->wx_mutex);
[  848.458250]                                lock((work_completion)(&(&ieee->associate_retry_wq)->work));
[  848.458252]   lock(&ieee->wx_mutex);
[  848.458254]
                *** DEADLOCK ***

[  848.458255] 2 locks held by kworker/0:9/346:
[  848.458257]  #0: ffff88810004f148 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x27f/0x580
[  848.458262]  #1: ffffc900017cfe38 ((work_completion)(&(&ieee->associate_retry_wq)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x27f/0x580
[  848.458266]
               stack backtrace:
[  848.458268] CPU: 0 PID: 346 Comm: kworker/0:9 Tainted: G         C OE      6.6.0-rc1+ #15
[  848.458270] Hardware name: FUJITSU ESPRIMO P710/D3161-A1, BIOS V4.6.5.3 R1.16.0 for D3161-A1x 10/29/2012
[  848.458272] Workqueue: events rtllib_associate_retry_wq [rtllib]
[  848.458281] Call Trace:
[  848.458283]  <TASK>
[  848.458285]  dump_stack_lvl+0x5c/0xa0
[  848.458288]  dump_stack+0x10/0x20
[  848.458291]  print_circular_bug.isra.0+0x300/0x440
[  848.458295]  check_noncircular+0x136/0x150
[  848.458298]  ? ret_from_fork_asm+0x1b/0x30
[  848.458302]  ? __kernel_text_address+0x12/0x40
[  848.458305]  __lock_acquire+0x12e0/0x1de0
[  848.458311]  lock_acquire+0xdc/0x2c0
[  848.458314]  ? rtllib_associate_retry_wq+0x2d/0xb0 [rtllib]
[  848.458324]  __mutex_lock+0x99/0xce0
[  848.458327]  ? rtllib_associate_retry_wq+0x2d/0xb0 [rtllib]
[  848.458336]  ? rtllib_associate_retry_wq+0x2d/0xb0 [rtllib]
[  848.458344]  ? __this_cpu_preempt_check+0x13/0x20
[  848.458348]  mutex_lock_nested+0x1b/0x30
[  848.458351]  ? mutex_lock_nested+0x1b/0x30
[  848.458354]  rtllib_associate_retry_wq+0x2d/0xb0 [rtllib]
[  848.458363]  process_scheduled_works+0x308/0x580
[  848.458368]  ? __pfx_worker_thread+0x10/0x10
[  848.458370]  worker_thread+0x19b/0x360
[  848.458373]  ? __pfx_worker_thread+0x10/0x10
[  848.458375]  kthread+0x116/0x150
[  848.458378]  ? __pfx_kthread+0x10/0x10
[  848.458381]  ret_from_fork+0x3c/0x60
[  848.458384]  ? __pfx_kthread+0x10/0x10
[  848.458387]  ret_from_fork_asm+0x1b/0x30
[  848.458392]  </TASK>
---
 drivers/staging/rtl8192e/rtllib_softmac.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/rtl8192e/rtllib_softmac.c b/drivers/staging/rtl8192e/rtllib_softmac.c
index c874468d075c..72d0225dfdf1 100644
--- a/drivers/staging/rtl8192e/rtllib_softmac.c
+++ b/drivers/staging/rtl8192e/rtllib_softmac.c
@@ -2307,7 +2307,9 @@ void rtllib_stop_protocol(struct rtllib_device *ieee, u8 shutdown)
 	}
 
 	del_timer_sync(&ieee->associate_timer);
+	mutex_unlock(&ieee->wx_mutex);
 	cancel_delayed_work_sync(&ieee->associate_retry_wq);
+	mutex_lock(&ieee->wx_mutex);
 	cancel_delayed_work_sync(&ieee->link_change_wq);
 	rtllib_stop_scan(ieee);
 
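Review bot: dropping wx_mutex around cancel_delayed_work_sync(&ieee->associate_retry_wq) splits rtllib_stop_protocol() into two critical sections, so anything the function or its caller checked before the mutex_unlock() may have changed by the time mutex_lock() returns; the quoted trace shows rtllib_wx_set_essid() calling in with the mutex held, and a second ioctl or the retry work itself can run in the gap. Please explain in the changelog why that window is harmless, and back the "always called with ieee->wx_mutex locked" claim with lockdep_assert_held(&ieee->wx_mutex) at the top of the function, because an unlocked caller would now hit an unbalanced mutex_unlock(). The next line, cancel_delayed_work_sync(&ieee->link_change_wq), still runs under the mutex; please confirm that work function never takes wx_mutex.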
-- 
2.42.0



* [PATCH 4/4] staging: rtl8192e: Resolve circular locking with rx_pkt_pending_timer
From: Philipp Hortmann @ 2023-09-24 19:51 UTC
  To: Greg Kroah-Hartman, linux-staging, linux-kernel

Resolve circular locking from reorder_spinlock with rx_pkt_pending_timer.

Signed-off-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
---
[ 4743.466837] ======================================================
[ 4743.466838] WARNING: possible circular locking dependency detected
[ 4743.466840] 6.6.0-rc1+ #15 Tainted: G         C OE
[ 4743.466842] ------------------------------------------------------
[ 4743.466843] Renderer/12378 is trying to acquire lock:
[ 4743.466845] ffff8882142f34d0 ((&rxts->rx_pkt_pending_timer)){+.-.}-{0:0}, at: __timer_delete_sync+0x31/0xc0
[ 4743.466857]
               but task is already holding lock:
[ 4743.466858] ffff8882142f0d48 (&ieee->reorder_spinlock){..-.}-{3:3}, at: rtllib_rx+0x1885/0x2280 [rtllib]
[ 4743.466873]
               which lock already depends on the new lock.

[ 4743.466875]
               the existing dependency chain (in reverse order) is:
[ 4743.466876]
               -> #1 (&ieee->reorder_spinlock){..-.}-{3:3}:
[ 4743.466880]        _raw_spin_lock_irqsave+0x53/0xa0
[ 4743.466884]        RxPktPendingTimeout+0x4b/0x220 [rtllib]
[ 4743.466894]        call_timer_fn+0xab/0x230
[ 4743.466897]        run_timer_softirq+0x4b2/0x570
[ 4743.466900]        __do_softirq+0xca/0x3b7
[ 4743.466903]        irq_exit_rcu+0xa0/0xe0
[ 4743.466907]        sysvec_apic_timer_interrupt+0xb0/0xd0
[ 4743.466910]        asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 4743.466913]        cpuidle_enter_state+0xfa/0x500
[ 4743.466916]        cpuidle_enter+0x2e/0x50
[ 4743.466919]        call_cpuidle+0x23/0x50
[ 4743.466922]        do_idle+0x21c/0x280
[ 4743.466924]        cpu_startup_entry+0x20/0x30
[ 4743.466926]        start_secondary+0x11a/0x140
[ 4743.466929]        secondary_startup_64_no_verify+0x17d/0x18b
[ 4743.466933]
               -> #0 ((&rxts->rx_pkt_pending_timer)){+.-.}-{0:0}:
[ 4743.466936]        __lock_acquire+0x12e0/0x1de0
[ 4743.466941]        lock_acquire+0xdc/0x2c0
[ 4743.466944]        __timer_delete_sync+0x52/0xc0
[ 4743.466947]        timer_delete_sync+0x10/0x20
[ 4743.466949]        rtllib_rx+0x1ab2/0x2280 [rtllib]
[ 4743.466958]        _rtl92e_irq_rx_tasklet+0x2d5/0x410 [r8192e_pci]
[ 4743.466967]        tasklet_action_common.isra.0+0x10a/0x290
[ 4743.466970]        tasklet_action+0x2d/0x40
[ 4743.466973]        __do_softirq+0xca/0x3b7
[ 4743.466976]        irq_exit_rcu+0xa0/0xe0
[ 4743.466979]        common_interrupt+0xc6/0xe0
[ 4743.466982]        asm_common_interrupt+0x27/0x40
[ 4743.466984]        preempt_count_add+0x13/0xc0
[ 4743.466988]        ww_mutex_lock_interruptible+0x3c/0x110
[ 4743.466992]        i915_gem_madvise_ioctl+0xe9/0x480 [i915]
[ 4743.467126]        drm_ioctl_kernel+0xc0/0x150 [drm]
[ 4743.467178]        drm_ioctl+0x2a9/0x510 [drm]
[ 4743.467216]        __x64_sys_ioctl+0x98/0xd0
[ 4743.467220]        do_syscall_64+0x3b/0x90
[ 4743.467223]        entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 4743.467228]
               other info that might help us debug this:

[ 4743.467229]  Possible unsafe locking scenario:

[ 4743.467230]        CPU0                    CPU1
[ 4743.467231]        ----                    ----
[ 4743.467233]   lock(&ieee->reorder_spinlock);
[ 4743.467235]                                lock((&rxts->rx_pkt_pending_timer));
[ 4743.467237]                                lock(&ieee->reorder_spinlock);
[ 4743.467240]   lock((&rxts->rx_pkt_pending_timer));
[ 4743.467242]
                *** DEADLOCK ***

[ 4743.467243] 1 lock held by Renderer/12378:
[ 4743.467245]  #0: ffff8882142f0d48 (&ieee->reorder_spinlock){..-.}-{3:3}, at: rtllib_rx+0x1885/0x2280 [rtllib]
[ 4743.467258]
               stack backtrace:
[ 4743.467259] CPU: 2 PID: 12378 Comm: Renderer Tainted: G         C OE      6.6.0-rc1+ #15
[ 4743.467262] Hardware name: FUJITSU ESPRIMO P710/D3161-A1, BIOS V4.6.5.3 R1.16.0 for D3161-A1x 10/29/2012
[ 4743.467264] Call Trace:
[ 4743.467266]  <IRQ>
[ 4743.467268]  dump_stack_lvl+0x5c/0xa0
[ 4743.467272]  dump_stack+0x10/0x20
[ 4743.467275]  print_circular_bug.isra.0+0x300/0x440
[ 4743.467280]  check_noncircular+0x136/0x150
[ 4743.467284]  ? __lock_acquire+0x654/0x1de0
[ 4743.467289]  __lock_acquire+0x12e0/0x1de0
[ 4743.467295]  lock_acquire+0xdc/0x2c0
[ 4743.467298]  ? __timer_delete_sync+0x31/0xc0
[ 4743.467303]  ? rtllib_rx+0x1885/0x2280 [rtllib]
[ 4743.467311]  ? __this_cpu_preempt_check+0x13/0x20
[ 4743.467314]  ? lock_acquired+0xef/0x3b0
[ 4743.467318]  __timer_delete_sync+0x52/0xc0
[ 4743.467321]  ? __timer_delete_sync+0x31/0xc0
[ 4743.467324]  timer_delete_sync+0x10/0x20
[ 4743.467327]  rtllib_rx+0x1ab2/0x2280 [rtllib]
[ 4743.467335]  ? kmalloc_reserve+0x69/0x100
[ 4743.467342]  _rtl92e_irq_rx_tasklet+0x2d5/0x410 [r8192e_pci]
[ 4743.467351]  ? lockdep_hardirqs_on+0x86/0x110
[ 4743.467357]  tasklet_action_common.isra.0+0x10a/0x290
[ 4743.467361]  tasklet_action+0x2d/0x40
[ 4743.467364]  __do_softirq+0xca/0x3b7
[ 4743.467369]  irq_exit_rcu+0xa0/0xe0
[ 4743.467372]  common_interrupt+0xc6/0xe0
[ 4743.467375]  </IRQ>
[ 4743.467376]  <TASK>
[ 4743.467378]  asm_common_interrupt+0x27/0x40
[ 4743.467380] RIP: 0010:preempt_count_add+0x13/0xc0
[ 4743.467401]  ? __ww_mutex_lock.constprop.0+0xa1/0x13e0
[ 4743.467405]  ? __this_cpu_preempt_check+0x13/0x20
[ 4743.467407]  ? lock_is_held_type+0xf3/0x150
[ 4743.467411]  ? i915_gem_madvise_ioctl+0xe9/0x480 [i915]
[ 4743.467529]  ww_mutex_lock_interruptible+0x3c/0x110
[ 4743.467533]  ? ww_mutex_lock_interruptible+0x3c/0x110
[ 4743.467537]  i915_gem_madvise_ioctl+0xe9/0x480 [i915]
[ 4743.467649]  ? __pfx_i915_gem_madvise_ioctl+0x10/0x10 [i915]
[ 4743.467760]  drm_ioctl_kernel+0xc0/0x150 [drm]
[ 4743.467805]  ? __might_fault+0x7b/0x90
[ 4743.467809]  drm_ioctl+0x2a9/0x510 [drm]
[ 4743.467846]  ? __pfx_i915_gem_madvise_ioctl+0x10/0x10 [i915]
[ 4743.467962]  ? __fget_files+0xce/0x190
[ 4743.467968]  __x64_sys_ioctl+0x98/0xd0
[ 4743.467984]  do_syscall_64+0x3b/0x90
[ 4743.467987]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 4743.467992] RIP: 0033:0x7f01d2dcf3ab
[ 4743.468010]  </TASK>
---
 drivers/staging/rtl8192e/rtllib_rx.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/staging/rtl8192e/rtllib_rx.c b/drivers/staging/rtl8192e/rtllib_rx.c
index 456dd05e291d..a7b6f837024d 100644
--- a/drivers/staging/rtl8192e/rtllib_rx.c
+++ b/drivers/staging/rtl8192e/rtllib_rx.c
@@ -693,8 +693,10 @@ static void RxReorderIndicatePacket(struct rtllib_device *ieee,
 	 * Rx buffering.
 	 */
 	if (index > 0) {
+		spin_unlock_irqrestore(&ieee->reorder_spinlock, flags);
 		if (timer_pending(&ts->rx_pkt_pending_timer))
 			del_timer_sync(&ts->rx_pkt_pending_timer);
+		spin_lock_irqsave(&ieee->reorder_spinlock, flags);
 		ts->rx_timeout_indicate_seq = 0xffff;
 
 		if (index > REORDER_WIN_SIZE) {
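Review bot: releasing reorder_spinlock around del_timer_sync() inside the if (index > 0) block lets RxPktPendingTimeout(), which the quoted report shows taking the same spinlock, or another receive path modify the reorder state between the unlock and the relock, while index, tested just before the unlock, is used again right after the relock in if (index > REORDER_WIN_SIZE). Please explain why the values computed before the gap are still valid, or avoid the gap, for example by checking whether a non-waiting del_timer() is enough here given that the handler serialises on reorder_spinlock. The timer_pending() test before del_timer_sync() is also redundant, since del_timer_sync() copes with an inactive timer.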
@@ -712,8 +714,10 @@ static void RxReorderIndicatePacket(struct rtllib_device *ieee,
 	if (bPktInBuf && ts->rx_timeout_indicate_seq == 0xffff) {
 		netdev_dbg(ieee->dev, "%s(): SET rx timeout timer\n", __func__);
 		ts->rx_timeout_indicate_seq = ts->rx_indicate_seq;
+		spin_unlock_irqrestore(&ieee->reorder_spinlock, flags);
 		mod_timer(&ts->rx_pkt_pending_timer, jiffies +
 			  msecs_to_jiffies(ht_info->rx_reorder_pending_time));
+		spin_lock_irqsave(&ieee->reorder_spinlock, flags);
 	}
 	spin_unlock_irqrestore(&(ieee->reorder_spinlock), flags);
 }
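Review bot: the unlock/relock pair around mod_timer() is not explained by the lockdep report in this message, whose #0 chain enters through timer_delete_sync(), not mod_timer(); mod_timer() does not wait for the handler, so it can be called with reorder_spinlock held. As written the lock is re-taken only to be released by the spin_unlock_irqrestore() two lines later, and ts->rx_timeout_indicate_seq is set under the lock while the timer is armed after the lock has been dropped. Suggest dropping this second hunk or justifying it separately in the changelog.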
-- 
2.42.0

