In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()
This patch fixes a NULL pointer dereference bug in brcmfmac that occurs when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs are sent from the pkt queue.
The problem is the number of entries in the pre-allocated sgtable, it is nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1. Given the default [rt]xglom_size=32 it's actually 35 which is too small. Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB is added for each original SKB if tailroom isn't enough to hold tailpad. At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop" in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return NULL and this causes the oops.
The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able to handle the worst-case. Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464 additional bytes of memory.
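The sizing arithmetic above can be checked in user space without the driver. The following program is an added illustration, not code from the kernel or from brcmfmac: it models the old and the fixed nents formulas from the commit message and a constructed worst-case pkt queue in which every SKB lacks the tailroom for its tailpad, so that each one drags an extra pad SKB (and thus an extra sg entry) into the queue. The tailpad rule (pad the length up to the next multiple of sd_sgentry_align) and the per-SKB lengths and tailrooms are assumptions made for the simulation; the old formula is written with explicit parentheses so that it yields the 35 the message quotes for a glom size of 32.

```c
#include <stdbool.h>
#include <stdio.h>

/* Old sizing: max(rx, tx) + (max(rx, tx) >> 4) + 1, i.e. 35 for 32/32. */
static unsigned int old_nents(unsigned int rxglom_size, unsigned int txglom_size)
{
    unsigned int m = rxglom_size > txglom_size ? rxglom_size : txglom_size;
    return m + (m >> 4) + 1;
}

/* Fixed sizing from the patch: max(rx, tx) * 2, i.e. 64 for 32/32. */
static unsigned int new_nents(unsigned int rxglom_size, unsigned int txglom_size)
{
    unsigned int m = rxglom_size > txglom_size ? rxglom_size : txglom_size;
    return m * 2;
}

/* Assumed tailpad rule for the simulation: bytes needed to round the SKB
 * length up to a multiple of the sg entry alignment (sd_sgentry_align). */
static unsigned int tailpad_for(unsigned int len, unsigned int sgentry_align)
{
    unsigned int rem = len % sgentry_align;
    return rem ? sgentry_align - rem : 0;
}

/* Count the sg entries a glom of n SKBs consumes: one per original SKB, plus
 * one more for every SKB whose tailroom cannot absorb its tailpad, since the
 * driver then queues a separate pad SKB that also needs an sg entry. */
static unsigned int sg_entries_needed(const unsigned int *len,
                                      const unsigned int *tailroom,
                                      unsigned int n,
                                      unsigned int sgentry_align)
{
    unsigned int needed = 0;

    for (unsigned int i = 0; i < n; i++) {
        needed++;                                   /* the SKB itself */
        if (tailroom[i] < tailpad_for(len[i], sgentry_align))
            needed++;                               /* extra pad SKB   */
    }
    return needed;
}

/* sg_next() would return NULL once the walk passes the last entry. */
static bool sgtable_fits(unsigned int nents, unsigned int needed)
{
    return needed <= nents;
}

/* Constructed worst case: 32 SKBs of 1500 bytes with no tailroom at all.
 * 1500 % 512 == 476, so each needs a 36-byte tailpad and gets a pad SKB. */
#define GLOM 32u
static const unsigned int SAMPLE_LEN[GLOM] = {
    [0 ... GLOM - 1] = 1500 };
static const unsigned int SAMPLE_TAILROOM[GLOM] = {
    [0 ... GLOM - 1] = 0 };

/* Entries the constructed queue needs at the given alignment. */
static unsigned int sample_entries(unsigned int sgentry_align)
{
    return sg_entries_needed(SAMPLE_LEN, SAMPLE_TAILROOM, GLOM, sgentry_align);
}

int main(void)
{
    unsigned int align[] = { 4, 512 };

    for (unsigned int i = 0; i < 2; i++) {
        unsigned int needed = sample_entries(align[i]);
        printf("sd_sgentry_align=%u: %u sg entries needed, old nents=%u (%s), "
               "new nents=%u (%s)\n",
               align[i], needed,
               old_nents(GLOM, GLOM),
               sgtable_fits(old_nents(GLOM, GLOM), needed) ? "ok" : "OVERRUN",
               new_nents(GLOM, GLOM),
               sgtable_fits(new_nents(GLOM, GLOM), needed) ? "ok" : "OVERRUN");
    }
    return 0;
}
```

With the default alignment of 4 the 1500-byte SKBs need no pad, 32 entries suffice and the old table of 35 is fine; with an alignment of 512 every SKB gains a pad SKB, 64 entries are needed, the 35-entry table is overrun (the condition under which the walk makes sg_next return NULL) and only the doubled table holds the queue.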