CVE-2024-56593

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
27/12/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()

This patch fixes a NULL pointer dereference bug in brcmfmac that occurs when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs are sent from the pkt queue.

The problem is the number of entries in the pre-allocated sgtable, it is nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1. Given the default [rt]xglom_size=32 it's actually 35 which is too small. Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB is added for each original SKB if tailroom isn't enough to hold tail_pad. At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop" in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return NULL and this causes the oops.

The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able to handle the worst-case. Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464 additional bytes of memory.
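The arithmetic in the commit message is easy to misread, because the C shift operator binds tighter than addition: nents = max + (max >> 4) + 1, which is 35 for the default glom size of 32, not (max + max) >> 4 + 1. The following userland model, added here as an illustration and not taken from the brcmfmac driver, reproduces the old and new sizing, the worst-case queue length, the memory cost quoted in the message, and the scatterlist walk that runs out of entries. The function names (nents_old, nents_new, model_sglist_walk, model_sg_next, extra_bytes) and the one-entry-per-SKB scatterlist model are assumptions made for the example; the kernel's sg_next() returns NULL at the end-marked entry, which is the behaviour modelled here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Default [rt]xglom_size quoted in the commit message. */
#define RXGLOM_SIZE 32
#define TXGLOM_SIZE 32

#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Pre-fix sizing, as written in the commit message. '>>' binds tighter
 * than '+', so this is max + (max >> 4) + 1, which is 35 for max == 32. */
static int nents_old(int rxglom, int txglom)
{
    int m = MAX(rxglom, txglom);
    return m + (m >> 4) + 1;
}

/* Post-fix sizing: max(rxglom_size, txglom_size) * 2. */
static int nents_new(int rxglom, int txglom)
{
    return MAX(rxglom, txglom) * 2;
}

/* Worst-case pkt queue length: every original SKB gains a second SKB
 * when its tailroom cannot hold tail_pad, so twice the glom size. */
static int worst_case_skbs(int rxglom, int txglom)
{
    return MAX(rxglom, txglom) * 2;
}

/* Additional memory the fix costs: extra entries times the size of one
 * scatterlist entry (16 bytes, or 20 with CONFIG_NEED_SG_DMA_LENGTH, per
 * the commit message). Assumed helper, not driver code. */
static long extra_bytes(int rxglom, int txglom, long sg_entry_size)
{
    return (long)(nents_new(rxglom, txglom) - nents_old(rxglom, txglom)) * sg_entry_size;
}

/* Minimal model of a scatterlist: a fixed array whose last entry carries
 * an end marker. Like the kernel's sg_next(), model_sg_next() returns NULL
 * once the end-marked entry has been consumed. */
struct sg_entry { bool end; };

static struct sg_entry *model_sg_next(struct sg_entry *sg)
{
    return sg->end ? NULL : sg + 1;
}

#define MODEL_MAX_NENTS 256

/* Model of the skb_queue_walk loop: each of 'nskbs' queued SKBs consumes
 * at least one sg entry. Returns how many SKBs obtained an entry before
 * the walk hit NULL; the pre-fix driver would dereference that NULL on the
 * next sg_set_buf() and oops. Equals nskbs only when nents is sufficient. */
static int model_sglist_walk(int nents, int nskbs)
{
    struct sg_entry table[MODEL_MAX_NENTS];
    struct sg_entry *sg = table;
    int mapped = 0;

    if (nents < 1 || nents > MODEL_MAX_NENTS)
        return -1;
    for (int i = 0; i < nents; i++)
        table[i].end = (i == nents - 1);

    for (int i = 0; i < nskbs; i++) {
        if (sg == NULL)          /* ran out of entries: this is the oops site */
            break;
        mapped++;                /* stands in for sg_set_buf(sg, ...) */
        sg = model_sg_next(sg);
    }
    return mapped;
}

int main(void)
{
    int old_n = nents_old(RXGLOM_SIZE, TXGLOM_SIZE);
    int new_n = nents_new(RXGLOM_SIZE, TXGLOM_SIZE);
    int worst = worst_case_skbs(RXGLOM_SIZE, TXGLOM_SIZE);

    printf("old nents=%d new nents=%d worst-case SKBs=%d\n", old_n, new_n, worst);
    printf("old table maps %d of %d SKBs before sg_next() returns NULL\n",
           model_sglist_walk(old_n, worst), worst);
    printf("new table maps %d of %d SKBs\n", model_sglist_walk(new_n, worst), worst);
    printf("extra memory: %ld bytes (16-byte entries), %ld bytes (20-byte entries)\n",
           extra_bytes(RXGLOM_SIZE, TXGLOM_SIZE, 16),
           extra_bytes(RXGLOM_SIZE, TXGLOM_SIZE, 20));
    return 0;
}
```

With the defaults the old table of 35 entries maps 35 of the 64 worst-case SKBs and the walk then hits NULL; the fixed table of 64 entries maps all of them, at a cost of 29 extra entries, which is the 464 bytes the commit message quotes for 16-byte entries.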

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4.287 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.231 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.174 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.120 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.66 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.5 (excluding)