[RFC PATCH 0/2] staging: rtl8192u: Fix two crashing bugs

From: Philipp Hortmann
Date: Thu Oct 12 2023 - 02:03:07 EST


Question: Fix or remove rtl8192u?

I found a USB WLAN stick with a rtl8192u. I got it last Saturday and
found out that the firmware is missing in my Ubuntu 20.04. I found it on
the web and fixed it. When I started the driver, my computer crashed. The
missing part was: priv->priv_wq = alloc_workqueue("priv_wq", 0, 0);
After fixing this, the next error was a network = kzalloc(sizeof(*network),
GFP_KERNEL); in the wrong context, which leads to a crash of my computer.
After fixing this, the next error depends more on what I do with the stick.

When lucky, the connection is built up and I can surf and download several gigabytes at maximum speed (12.5 MB/s).

But when I open the window to see other stations, the computer crashes again. Find a possible dump at the end.

Hint from Arnd Bergmann on 10/11/23:
https://lore.kernel.org/linux-staging/db98d9ac-7650-4a72-8eb9-4def1f17ea0d@xxxxxxxxxxxxxxxx/T/#t
I see the two bugs were introduced in 2016 by commit 1761a85c3bed3
("staging: rtl8192u: Remove create_workqueue()") and in 2021 by
commit 061e390b7c87f ("staging: rtl8192u: ieee80211_softmac: Move a
large data struct onto the heap"), so it's been broken for a while.

[ +0.043662] alg name:CCMP
[ +0.724234] rtl819xU 1-1.6:1.0 wlan0: ====================>rx ADDBAREQ from :9c:a2:f4:67:5d:c0
[ +0.000016] rtl819xU 1-1.6:1.0 wlan0: =====>to send ADDBARSP
[Oct10 00:42] BUG: kernel NULL pointer dereference, address: 00000000000001c0
[ +0.000008] #PF: supervisor read access in kernel mode
[ +0.000002] #PF: error_code(0x0000) - not-present page
[ +0.000002] PGD 0 P4D 0
[ +0.000004] Oops: 0000 [#1] PREEMPT SMP PTI
[ +0.000003] CPU: 0 PID: 1246 Comm: wpa_supplicant Tainted: G C OE 6.6.0-rc1+ #15
[ +0.000003] Hardware name: FUJITSU ESPRIMO P710/D3161-A1, BIOS V4.6.5.3 R1.16.0 for D3161-A1x 10/29/2012
[ +0.000002] RIP: 0010:__queue_work+0x38/0x610
[ +0.000005] Code: 89 fe 41 55 41 54 49 89 d4 53 48 89 f3 48 83 ec 18 8b 0d 43 23 ce 01 85 c9 74 0f 65 8b 05 c0 af ee 45 85 c0 0f 84 da 02 00 00 <f7> 83 c0 01 00 00 00 80 01 00 0f 85 eb 02 00 00 e8 33 d6 0a 00 31
[ +0.000003] RSP: 0018:ffffc90002e6bc28 EFLAGS: 00010046
[ +0.000002] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ +0.000002] RDX: ffff88817ff1a8d8 RSI: 0000000000000000 RDI: 0000000000002000
[ +0.000002] RBP: ffffc90002e6bc68 R08: 0000000000000000 R09: 0000000000000000
[ +0.000001] R10: ffffc90002e6bca0 R11: ffffffffc0fff3e2 R12: ffff88817ff1a8d8
[ +0.000002] R13: 0000000000000001 R14: 0000000000002000 R15: 0000000000000000
[ +0.000002] FS: 00007f9be4ad9140(0000) GS:ffff888215400000(0000) knlGS:0000000000000000
[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.000002] CR2: 00000000000001c0 CR3: 00000001127ce005 CR4: 00000000001706f0
[ +0.000002] Call Trace:
[ +0.000002] <TASK>
[ +0.000011] ? show_regs+0x68/0x70
[ +0.000005] ? __die_body+0x20/0x70
[ +0.000004] ? __die+0x2b/0x40
[ +0.000003] ? page_fault_oops+0x160/0x480
[ +0.000003] ? search_bpf_extables+0xad/0x160
[ +0.000004] ? __queue_work+0x38/0x610
[ +0.000002] ? search_exception_tables+0x5f/0x70
[ +0.000004] ? kernelmode_fixup_or_oops+0xa2/0x120
[ +0.000011] ? __bad_area_nosemaphore+0x197/0x250
[ +0.000003] ? up_read+0xc3/0x270
[ +0.000004] ? bad_area_nosemaphore+0x16/0x20
[ +0.000002] ? do_user_addr_fault+0x34d/0xa40
[ +0.000004] ? exc_page_fault+0x84/0x210
[ +0.000005] ? asm_exc_page_fault+0x27/0x30
[ +0.000006] ? ieee80211_wx_set_scan+0x22/0x80 [r8192u_usb]
[ +0.000022] ? __queue_work+0x38/0x610
[ +0.000003] ? debug_smp_processor_id+0x17/0x20
[ +0.000004] queue_work_on+0x7e/0x80
[ +0.000003] ieee80211_wx_set_scan+0x77/0x80 [r8192u_usb]
[ +0.000016] r8192_wx_set_scan+0x128/0x190 [r8192u_usb]
[ +0.000014] ioctl_standard_iw_point+0x2e6/0x390
[ +0.000004] ? __pfx_r8192_wx_set_scan+0x10/0x10 [r8192u_usb]
[ +0.000014] ? sched_clock_noinstr+0x9/0x10
[ +0.000003] ? local_clock_noinstr+0x10/0xd0
[ +0.000004] ioctl_standard_call+0xaa/0xe0
[ +0.000003] ? netdev_name_node_lookup+0x65/0x90
[ +0.000003] ? __pfx_ioctl_private_call+0x10/0x10
[ +0.000003] ? __pfx_ioctl_standard_call+0x10/0x10
[ +0.000004] wireless_process_ioctl+0x149/0x170
[ +0.000004] wext_handle_ioctl+0x9e/0x100
[ +0.000005] sock_ioctl+0x203/0x340
[ +0.000005] ? syscall_enter_from_user_mode+0x21/0x60
[ +0.000004] __x64_sys_ioctl+0x98/0xd0
[ +0.000005] do_syscall_64+0x3b/0x90
[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ +0.000003] RIP: 0033:0x7f9be47223ab
[ +0.000003] Code: 0f 1e fa 48 8b 05 e5 7a 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b5 7a 0d 00 f7 d8 64 89 01 48
[ +0.000002] RSP: 002b:00007ffdecbeeed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ +0.000003] RAX: ffffffffffffffda RBX: 000055e97efd0580 RCX: 00007f9be47223ab
[ +0.000002] RDX: 00007ffdecbeeee0 RSI: 0000000000008b18 RDI: 0000000000000009
[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
[ +0.000002] R10: 00007ffdecbfa080 R11: 0000000000000246 R12: 000055e97efa4db0
[ +0.000001] R13: 0000000000000000 R14: 00007ffdecbeeee0 R15: 000055e97efa27c8
[ +0.000005] </TASK>
[ +0.000001] Modules linked in: ccm r8192u_usb(COE) cfg80211 lib80211 libarc4 xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c xt_addrtype iptable_filter bpfilter br_netfilter bridge stp llc overlay nls_iso8859_1 snd_hda_codec_hdmi snd_hda_codec_conexant snd_hda_codec_generic ledtrig_audio intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_hda_intel sch5627 mei_hdcp snd_intel_dspcfg aesni_intel snd_intel_sdw_acpi crypto_simd binfmt_misc snd_hda_codec cryptd i915 snd_hda_core rapl sch56xx_common snd_hwdep intel_cstate joydev snd_pcm input_leds snd_seq_midi serio_raw snd_seq_midi_event at24 drm_buddy snd_rawmidi snd_seq ttm snd_seq_device drm_display_helper cec snd_timer rc_core drm_kms_helper snd mei_me i2c_algo_bit tpm_infineon soundcore mei mac_hid sch_fq_codel msr parport_pc ppdev lp parport drm ramoops reed_solomon
[ +0.000063] efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 crc32_pclmul i2c_smbus ahci e1000e lpc_ich libahci xhci_pci xhci_pci_renesas video wmi
[ +0.000016] CR2: 00000000000001c0
[ +0.000003] ---[ end trace 0000000000000000 ]---
[ +0.000973] pstore: backend (efi_pstore) writing error (-5)
[ +0.000003] RIP: 0010:__queue_work+0x38/0x610
[ +0.000003] Code: 89 fe 41 55 41 54 49 89 d4 53 48 89 f3 48 83 ec 18 8b 0d 43 23 ce 01 85 c9 74 0f 65 8b 05 c0 af ee 45 85 c0 0f 84 da 02 00 00 <f7> 83 c0 01 00 00 00 80 01 00 0f 85 eb 02 00 00 e8 33 d6 0a 00 31
[ +0.000002] RSP: 0018:ffffc90002e6bc28 EFLAGS: 00010046
[ +0.000003] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ +0.000002] RDX: ffff88817ff1a8d8 RSI: 0000000000000000 RDI: 0000000000002000
[ +0.000001] RBP: ffffc90002e6bc68 R08: 0000000000000000 R09: 0000000000000000
[ +0.000002] R10: ffffc90002e6bca0 R11: ffffffffc0fff3e2 R12: ffff88817ff1a8d8
[ +0.000001] R13: 0000000000000001 R14: 0000000000002000 R15: 0000000000000000
[ +0.000002] FS: 00007f9be4ad9140(0000) GS:ffff888215400000(0000) knlGS:0000000000000000
[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.000002] CR2: 00000000000001c0 CR3: 00000001127ce005 CR4: 00000000001706f0
[ +0.000002] note: wpa_supplicant[1246] exited with irqs disabled


Philipp Hortmann (2):
staging: rtl8192u: Fix missing alloc_workqueue()
staging: rtl8192u: Fix sleeping kzalloc() called from invalid context

.../rtl8192u/ieee80211/ieee80211_softmac.c | 19 ++++++++-----------
drivers/staging/rtl8192u/r8192U.h | 1 +
drivers/staging/rtl8192u/r8192U_core.c | 12 ++++++++++++
3 files changed, 21 insertions(+), 11 deletions(-)

--
2.42.0
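The two defects described in the cover letter (a work item queued on a workqueue that was never allocated, and a GFP_KERNEL kzalloc() made from a context that must not sleep) can be shown side by side with their fixed forms. The following is an added, constructed user-space model and is not code from the rtl8192u driver or from this patch series: the model_* names, the single "pending" counter, the preempt-count emulation of a held spinlock, and the choice to fix the second bug by allocating before the lock is taken are all assumptions made for illustration. In the real kernel, __queue_work() dereferences the NULL workqueue (the oops in the dump above) and a sleeping allocation under a lock triggers the "sleeping function called from invalid context" check; the model reports both as a return value instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed user-space model (not kernel code) of the two defects:
 *   1. queue_work() on a workqueue that probe() never allocated, and
 *   2. a GFP_KERNEL allocation while a spinlock is held.
 * model_* names and semantics are simplified stand-ins for the kernel's
 * alloc_workqueue()/queue_work(), spin_lock()/spin_unlock() and kzalloc().
 */

struct model_workqueue {
    const char *name;
    int pending;                        /* work items queued so far */
};

struct model_priv {
    struct model_workqueue *priv_wq;    /* mirrors priv->priv_wq in the driver */
};

enum model_gfp { MODEL_GFP_KERNEL, MODEL_GFP_ATOMIC };

/* Models preempt_count(): non-zero while a spinlock is held, so sleeping is illegal. */
static int model_preempt_count;

static void model_spin_lock(void)   { model_preempt_count++; }
static void model_spin_unlock(void) { model_preempt_count--; }

static struct model_workqueue *model_alloc_workqueue(const char *name)
{
    struct model_workqueue *wq = calloc(1, sizeof(*wq));
    if (wq)
        wq->name = name;
    return wq;
}

static void model_destroy_workqueue(struct model_workqueue *wq) { free(wq); }

/* Models queue_work(): the kernel dereferences wq unconditionally (the NULL
 * pointer oops in the dump); here a NULL wq is reported as -1 instead. */
static int model_queue_work(struct model_workqueue *wq)
{
    if (!wq)
        return -1;                      /* would be a NULL dereference in the kernel */
    wq->pending++;
    return 0;
}

/* Models kzalloc(): a GFP_KERNEL request may sleep, which is a bug while
 * preempt_count is non-zero ("sleeping function called from invalid context"). */
static void *model_kzalloc(size_t size, enum model_gfp flags)
{
    if (flags == MODEL_GFP_KERNEL && model_preempt_count > 0)
        return NULL;                    /* the kernel would warn or crash here */
    return calloc(1, size);
}

/* Bug 1: probe() never allocates priv_wq, so the first scan queues work on
 * NULL. With allocate_in_probe the workqueue exists before any queue_work().
 * Returns 0 on success, -1 on the modelled crash. */
static int scenario_missing_workqueue(bool allocate_in_probe)
{
    struct model_priv priv = { .priv_wq = NULL };
    int ret;

    if (allocate_in_probe) {            /* the fix: allocate in probe() */
        priv.priv_wq = model_alloc_workqueue("priv_wq");
        if (!priv.priv_wq)
            return -1;
    }
    ret = model_queue_work(priv.priv_wq);   /* the wx_set_scan() path */
    model_destroy_workqueue(priv.priv_wq);
    return ret;
}

/* Bug 2: a GFP_KERNEL kzalloc() while the lock is held. The fix modelled here
 * (an assumption, not necessarily the series' approach) allocates before
 * taking the lock. Returns 0 on success, -1 on the modelled context error. */
static int scenario_sleeping_alloc(bool allocate_before_lock)
{
    void *network = NULL;
    int ret = 0;

    if (allocate_before_lock)
        network = model_kzalloc(64, MODEL_GFP_KERNEL);   /* may sleep: fine here */

    model_spin_lock();
    if (!allocate_before_lock)
        network = model_kzalloc(64, MODEL_GFP_KERNEL);   /* invalid context */
    if (!network)
        ret = -1;
    model_spin_unlock();

    free(network);
    return ret;
}

int main(void)
{
    printf("missing wq: %d, wq allocated in probe: %d\n",
           scenario_missing_workqueue(false), scenario_missing_workqueue(true));
    printf("alloc under lock: %d, alloc before lock: %d\n",
           scenario_sleeping_alloc(false), scenario_sleeping_alloc(true));
    return 0;
}
```

The point of the model is the ordering and context rules rather than the allocation itself: every resource a request path dereferences must be set up in probe() (and torn down in remove()), and an allocation that may sleep must happen before the lock is taken or use an atomic variant.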