Comment 18 for bug 1836801

Stefan Bader (smb) wrote :

Upstream stable 4.4.181 had many brcmfmac updates. From the trace, this one seems suspicious:

brcmfmac: revise handling events in receive path

    commit 9c349892ccc90c6de2baaa69cc78449f58082273 upstream.

which has a fixup upstream that sounds like the issue:

commit 31143e2933d1675c4c1ba6ce125cdd95870edd85
Author: Franky Lin <email address hidden>
Date: Thu Jun 2 02:00:27 2016 -0700

    brcmfmac: add eth_type_trans back for PCIe full dongle

    A regression was introduced in commit 9c349892ccc9 ("brcmfmac: revise
    handling events in receive path") which moves eth_type_trans() call
    to brcmf_rx_frame(). Msgbuf layer doesn't use brcmf_rx_frame() but invokes
    brcmf_netif_rx() directly. In such case the Ethernet header was not
    stripped out resulting in null pointer dereference in the networking
    stack.

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
    IP: [<ffffffff814c3ce6>] enqueue_to_backlog+0x56/0x260
    ...
    Fixes: 9c349892ccc9 ("brcmfmac: revise handling events in receive path")
    Reported-by: Rafal Milecki <email address hidden>
    Reported-by: Grey Christoforo <email address hidden>
    Reviewed-by: Pieter-Paul Giesberts <email address hidden>
    Reviewed-by: Arend Van Spriel <email address hidden>
    Reviewed-by: Hante Meuleman <email address hidden>
    Signed-off-by: Franky Lin <email address hidden>
    [<email address hidden>: rephrased the commit message]
    Signed-off-by: Arend van Spriel <email address hidden>
    Signed-off-by: Kalle Valo <email address hidden>
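To make the regression described in the quoted commit concrete, here is an added C model of the two receive paths; it is not brcmfmac or kernel code, and `struct skb`, `model_eth_type_trans()`, `model_netif_rx()`, the three `*_path()` functions, `dev_addr` and `sample_frame` are simplified stand-ins constructed for this illustration. It shows what `eth_type_trans()` is responsible for (classifying the destination, pulling the 14-byte Ethernet header and recording the EtherType in `skb->protocol`), and why a path that calls `netif_rx()` without it hands the stack an unclassified frame: the model returns -1 where the real kernel oopsed in `enqueue_to_backlog()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN        6
#define ETH_HLEN        14
#define ETH_P_802_3_MIN 0x0600   /* smaller values are an 802.3 length field */
#define ETH_P_802_2     0x0004
#define ETH_P_IP        0x0800

enum pkt_type { PACKET_HOST, PACKET_BROADCAST, PACKET_MULTICAST, PACKET_OTHERHOST };

/* Minimal stand-in for struct sk_buff (assumption, not the kernel struct):
 * a buffer, a cursor into it, and the fields eth_type_trans() fills in. */
struct skb {
    uint8_t  buf[256];
    uint8_t *data;       /* current header start, advanced by pulls */
    size_t   len;        /* bytes from data to end of frame */
    uint16_t protocol;   /* host-order EtherType; 0 = not yet classified */
    int      pkt_type;
};

/* Hypothetical device MAC, used to decide PACKET_HOST vs PACKET_OTHERHOST. */
static const uint8_t dev_addr[ETH_ALEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};

static int skb_from_frame(struct skb *s, const uint8_t *frame, size_t n)
{
    if (n > sizeof(s->buf))
        return -1;
    memset(s, 0, sizeof(*s));
    memcpy(s->buf, frame, n);
    s->data = s->buf;
    s->len = n;
    return 0;
}

/* Simplified eth_type_trans(): classify the destination, consume the Ethernet
 * header and record the EtherType so the stack can pick an L3 handler.
 * Returns the recorded protocol, or 0 for a runt frame. */
static uint16_t model_eth_type_trans(struct skb *s)
{
    if (s->len < ETH_HLEN)
        return 0;
    const uint8_t *dst = s->data;
    uint16_t type = (uint16_t)((s->data[12] << 8) | s->data[13]);

    if (dst[0] & 1)
        s->pkt_type = memcmp(dst, "\xff\xff\xff\xff\xff\xff", ETH_ALEN) == 0
                      ? PACKET_BROADCAST : PACKET_MULTICAST;
    else if (memcmp(dst, dev_addr, ETH_ALEN) != 0)
        s->pkt_type = PACKET_OTHERHOST;
    else
        s->pkt_type = PACKET_HOST;

    s->data += ETH_HLEN;               /* skb_pull(skb, ETH_HLEN) */
    s->len  -= ETH_HLEN;
    s->protocol = type >= ETH_P_802_3_MIN ? type : ETH_P_802_2;
    return s->protocol;
}

/* Simplified netif_rx(): the real one walks per-protocol state through fields
 * eth_type_trans() set; here an unclassified skb returns -1 instead of oopsing. */
static int model_netif_rx(const struct skb *s)
{
    return s->protocol == 0 ? -1 : 0;   /* 0 = NET_RX_SUCCESS */
}

/* SDIO/USB path after 9c349892ccc9: brcmf_rx_frame() classifies first. */
static int rx_frame_path(struct skb *s)
{
    model_eth_type_trans(s);
    return model_netif_rx(s);
}

/* PCIe msgbuf path as regressed: brcmf_netif_rx() called with the header intact. */
static int msgbuf_path_regressed(struct skb *s)
{
    return model_netif_rx(s);
}

/* PCIe msgbuf path after 31143e2933d1: eth_type_trans() added back. */
static int msgbuf_path_fixed(struct skb *s)
{
    model_eth_type_trans(s);
    return model_netif_rx(s);
}

/* Constructed sample frame (not a capture): dst = dev_addr, EtherType IPv4,
 * followed by a 20-byte dummy IPv4 header. */
static const uint8_t sample_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x01,  0x02,0x00,0x00,0x00,0x00,0x02,  0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x01,0,0, 10,0,0,1, 10,0,0,2
};

/* Run one receive path over the sample frame and expose the resulting skb
 * state, so each path's effect can be checked by return value. */
static struct skb run_path(int (*path)(struct skb *), int *rc)
{
    struct skb s;
    skb_from_frame(&s, sample_frame, sizeof sample_frame);
    *rc = path(&s);
    return s;
}
static int      rc_of(int (*path)(struct skb *))     { int rc; run_path(path, &rc); return rc; }
static uint16_t proto_after(int (*path)(struct skb *)) { int rc; return run_path(path, &rc).protocol; }
static size_t   len_after(int (*path)(struct skb *))   { int rc; return run_path(path, &rc).len; }
static int      type_after(int (*path)(struct skb *))  { int rc; return run_path(path, &rc).pkt_type; }

int main(void)
{
    printf("rx_frame         rc=%d proto=0x%04x len=%zu\n", rc_of(rx_frame_path), proto_after(rx_frame_path), len_after(rx_frame_path));
    printf("msgbuf regressed rc=%d proto=0x%04x len=%zu\n", rc_of(msgbuf_path_regressed), proto_after(msgbuf_path_regressed), len_after(msgbuf_path_regressed));
    printf("msgbuf fixed     rc=%d proto=0x%04x len=%zu\n", rc_of(msgbuf_path_fixed), proto_after(msgbuf_path_fixed), len_after(msgbuf_path_fixed));
    return 0;
}
```

The regressed path leaves `len` at the full 34 bytes with `protocol` still 0, which is the state the commit message describes as "the Ethernet header was not stripped out"; the fixed path and the existing `brcmf_rx_frame()` path both deliver a 20-byte skb tagged `ETH_P_IP`.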