On 11/7/2024 5:09 PM, N van Bolhuis wrote:
Op do 7 nov 2024 om 15:14 schreef Kalle Valo <kvalo@xxxxxxxxxx>:
nvbolhuis@xxxxxxxxx writes:
From: Norbert van Bolhuis <nvbolhuis@xxxxxxxxx>
This patch fixes a NULL pointer dereference bug in brcmfmac that occurs
when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs
are sent from the pkt queue.
The problem is the number of entries in the pre-allocated sgtable, it is
nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1.
Given the default [rt]xglom_size=32 it's actually 35 which is too small.
Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB
is added for each original SKB if tailroom isn't enough to hold tail_pad.
At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop"
in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return
NULL and this causes the oops.
The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle
the worst-case.
Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464
additional bytes of memory.
Signed-off-by: Norbert van Bolhuis <nvbolhuis@xxxxxxxxx>
What changed from v1? Please include a list of changes after '--' line,
but no need to resend because of this.
Nothing changed, I just added the s-o-b.
Hoi Norbert,
Welkom in de wondere wereld van linux kernel development. De proces
beschrijving van Kalle is een goede referentie. Go with the flow.
Jouw naam klonk mij bekend in de oren al is de Lucent tijd al ver achter
ons. Mijn kamergenoot hier op kantoor, Hante Meuleman, kon zich jou ook
herinneren, maar dat is dan ook minder lang geleden.
Groeten,
Arend