Upstream stable 4.4.181 had many brcmfmac updates. From the trace, the suspicious one seems to be:
brcmfmac: revise handling events in receive path
commit 9c349892ccc90c6de2baaa69cc78449f58082273 upstream.
which has a fixup upstream that sounds like the issue:
commit 31143e2933d1675c4c1ba6ce125cdd95870edd85
Author: Franky Lin <email address hidden>
Date: Thu Jun 2 02:00:27 2016 -0700
brcmfmac: add eth_type_trans back for PCIe full dongle
A regression was introduced in commit 9c349892ccc9 ("brcmfmac: revise
handling events in receive path") which moves eth_type_trans() call
to brcmf_rx_frame(). Msgbuf layer doesn't use brcmf_rx_frame() but invokes
brcmf_netif_rx() directly. In such case the Ethernet header was not
stripped out resulting in null pointer dereference in the networking
stack.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
IP: [<ffffffff814c3ce6>] enqueue_to_backlog+0x56/0x260
...
Fixes: 9c349892ccc9 ("brcmfmac: revise handling events in receive path")
Reported-by: Rafal Milecki <email address hidden>
Reported-by: Grey Christoforo <email address hidden>
Reviewed-by: Pieter-Paul Giesberts <email address hidden>
Reviewed-by: Arend Van Spriel <email address hidden>
Reviewed-by: Hante Meuleman <email address hidden>
Signed-off-by: Franky Lin <email address hidden>
[<email address hidden>: rephrased the commit message]
Signed-off-by: Arend van Spriel <email address hidden>
Signed-off-by: Kalle Valo <email address hidden>
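The regression described in the commit message above, as a small user-space C model (an added example, not code from the kernel or from the original comment). The struct layouts, the model_* helpers and run_case() are hypothetical, the frame is constructed, and treating the state left unset as skb->dev is an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN 14

struct net_device { int ifindex; };

/* Stand-in for struct sk_buff with only the fields this model needs. */
struct skb {
    uint8_t *data;
    size_t len;
    struct net_device *dev;  /* stays NULL until eth_type_trans runs */
    uint16_t protocol;
};

/* Model of eth_type_trans(): bind device, read EtherType, strip the header. */
static uint16_t model_eth_type_trans(struct skb *skb, struct net_device *dev)
{
    uint16_t proto = (uint16_t)((skb->data[12] << 8) | skb->data[13]);
    skb->dev = dev;
    skb->data += ETH_HLEN;
    skb->len -= ETH_HLEN;
    return proto;
}

/* Model of the stack entry point. The kernel dereferences here; the model
 * returns -1 where that would fault (assumption: the missing state is dev). */
static int model_netif_rx(const struct skb *skb)
{
    return skb->dev ? (int)skb->len : -1;
}

/* use_msgbuf=0: path through brcmf_rx_frame(), which calls eth_type_trans.
 * use_msgbuf=1: msgbuf path calling netif_rx directly; fixed=1 adds the call
 * back, as the fix's subject line describes. Returns payload length or -1. */
int run_case(int use_msgbuf, int fixed)
{
    uint8_t frame[60];                 /* constructed 60-byte IPv4 frame */
    struct net_device ndev = { 1 };
    struct skb skb = { frame, sizeof(frame), NULL, 0 };
    memset(frame, 0, sizeof(frame));
    frame[12] = 0x08;                  /* EtherType 0x0800 */
    if (!use_msgbuf || fixed)
        skb.protocol = model_eth_type_trans(&skb, &ndev);
    return model_netif_rx(&skb);
}

int main(void) { return run_case(1, 1) == 46 ? 0 : 1; }
```

The general lesson for stable backports: when a refactor moves a required initialization into one caller, every other caller of the downstream function has to be audited, and a "Fixes:" tag pointing at a backported commit is the signal that the follow-up is needed too.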