CVE-2026-31552

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/04/2026
Last modified:
27/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom

Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push"), wl1271_tx_allocate() and with it wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. However, in wlcore_tx_work_locked(), a return value of -EAGAIN from wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being full. This causes the code to flush the buffer, put the skb back at the head of the queue, and immediately retry the same skb in a tight while loop.

Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens immediately with GFP_ATOMIC, this will result in an infinite loop and a CPU soft lockup. Return -ENOMEM instead so the packet is dropped and the loop terminates.

The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.
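The error-code collision described above, as an added user-space model in C (not the kernel's code and not part of the original advisory). The names `tx_work`, `prepare_tx_frame`, `struct result` and `MAX_SPINS` are hypothetical, and the model assumes the allocation keeps failing on every immediate retry.

```c
/* User-space model of the retry logic in the description; not kernel code. */
#include <errno.h>
#include <stdio.h>

#define MAX_SPINS 1000 /* model-only cap; the real loop has no such bound */

struct result { int sent, dropped, spins, locked_up; };

/* Stand-in for wl1271_prepare_tx_frame(): headroom expansion fails for
 * bad_frame on every attempt (assumed: memory pressure persists across
 * immediate retries) and returns headroom_err; other frames succeed. */
static int prepare_tx_frame(int frame, int bad_frame, int headroom_err)
{
    return frame == bad_frame ? headroom_err : 0;
}

/* Stand-in for the loop in wlcore_tx_work_locked(). headroom_err is
 * -EAGAIN to model the pre-fix behaviour, -ENOMEM to model the fix. */
static struct result tx_work(int nframes, int bad_frame, int headroom_err)
{
    struct result r = {0, 0, 0, 0};
    int frame = 0;

    while (frame < nframes) {
        int ret = prepare_tx_frame(frame, bad_frame, headroom_err);

        if (ret == -EAGAIN) {
            /* Treated as "aggregation buffer full": flush, requeue the
             * same frame at the head, retry. Nothing changed, so it
             * fails again; the cap only lets the model return. */
            if (++r.spins >= MAX_SPINS) { r.locked_up = 1; break; }
            continue;
        }
        if (ret < 0) { r.dropped++; break; } /* drop frame, leave loop */
        r.sent++;
        frame++;
    }
    return r;
}

int main(void)
{
    struct result a = tx_work(4, 2, -EAGAIN), b = tx_work(4, 2, -ENOMEM);
    printf("-EAGAIN: sent=%d dropped=%d spins=%d locked_up=%d\n",
           a.sent, a.dropped, a.spins, a.locked_up);
    printf("-ENOMEM: sent=%d dropped=%d spins=%d locked_up=%d\n",
           b.sent, b.dropped, b.spins, b.locked_up);
    return 0;
}
```

With `-EAGAIN` the model never advances past the failing frame and only stops at the artificial cap; with `-ENOMEM` the frame is dropped and the loop exits, which is the behaviour the fix restores.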

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.250 (including) 5.10.253 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.200 (including) 5.15.203 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.163 (including) 6.1.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.124 (including) 6.6.130 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12.70 (including) 6.12.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.18.10 (including) 6.18.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19.1 (including) 6.19.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*