N van Bolhuis <nvbolhuis@xxxxxxxxx> writes:

> On Thu 7 Nov 2024 at 15:14, Kalle Valo <kvalo@xxxxxxxxxx> wrote:
>
>> nvbolhuis@xxxxxxxxx writes:
>>
>> > From: Norbert van Bolhuis <nvbolhuis@xxxxxxxxx>
>> >
>> > This patch fixes a NULL pointer dereference bug in brcmfmac that occurs
>> > when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs
>> > are sent from the pkt queue.
>> >
>> > The problem is the number of entries in the pre-allocated sgtable, it is
>> > nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1.
>> > Given the default [rt]xglom_size=32 it's actually 35 which is too small.
>> > Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB
>> > is added for each original SKB if tailroom isn't enough to hold tail_pad.
>> > At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop"
>> > in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return
>> > NULL and this causes the oops.
>> >
>> > The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able to handle
>> > the worst case.
>> > Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464
>> > additional bytes of memory.
>> >
>> > Signed-off-by: Norbert van Bolhuis <nvbolhuis@xxxxxxxxx>
>>
>> What changed from v1? Please include a list of changes after the '--' line,
>> but no need to resend because of this.
>
> Nothing changed, I just added the s-o-b.

That's still something you should mention in the changelog, but this mail is good enough this time.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches