From: Johannes Berg johannes.berg@intel.com
[ Upstream commit 700014d3ad1fd6e55c8f9ffa817514d3fbb5286e ]
Spotted during code review, the selectors need to be large enough for a 128-bit bitmap, not a single unsigned long, otherwise we have stack corruption.
We should also allow passing selectors from userspace, but that should be a separate change.
Signed-off-by: Johannes Berg johannes.berg@intel.com Reviewed-by: Ilan Peer ilan.peer@intel.com Signed-off-by: Miri Korenblit miriam.rachel.korenblit@intel.com Link: https://patch.msgid.link/20250308225541.8f1bcf96a504.Ibeb8970c82a30c97279a4c... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/mac80211/mlme.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 64fa3fba244eb..4951e4fa7373a 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -9648,8 +9648,6 @@ EXPORT_SYMBOL(ieee80211_disable_rssi_reports);
static void ieee80211_ml_reconf_selectors(unsigned long *userspace_selectors) { - *userspace_selectors = 0; - /* these selectors are mandatory for ML reconfiguration */ set_bit(BSS_MEMBERSHIP_SELECTOR_SAE_H2E, userspace_selectors); set_bit(BSS_MEMBERSHIP_SELECTOR_HE_PHY, userspace_selectors); @@ -9669,7 +9667,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata, sdata->u.mgd.reconf.removed_links; u16 link_mask, valid_links; unsigned int link_id; - unsigned long userspace_selectors; + unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {}; size_t orig_len = len; u8 i, group_key_data_len; u8 *pos; @@ -9777,7 +9775,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata, }
ieee80211_vif_set_links(sdata, valid_links, sdata->vif.dormant_links); - ieee80211_ml_reconf_selectors(&userspace_selectors); + ieee80211_ml_reconf_selectors(userspace_selectors); link_mask = 0; for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) { struct cfg80211_bss *cbss = add_links_data->link[link_id].bss; @@ -9823,7 +9821,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata, link->u.mgd.conn = add_links_data->link[link_id].conn; if (ieee80211_prep_channel(sdata, link, link_id, cbss, true, &link->u.mgd.conn, - &userspace_selectors)) { + userspace_selectors)) { link_info(link, "mlo: reconf: prep_channel failed\n"); goto disconnect; } @@ -10157,14 +10155,14 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata, */ if (added_links) { bool uapsd_supported; - unsigned long userspace_selectors; + unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};
data = kzalloc(sizeof(*data), GFP_KERNEL); if (!data) return -ENOMEM;
uapsd_supported = true; - ieee80211_ml_reconf_selectors(&userspace_selectors); + ieee80211_ml_reconf_selectors(userspace_selectors); for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) { struct ieee80211_supported_band *sband; @@ -10240,7 +10238,7 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata, data->link[link_id].bss, true, &data->link[link_id].conn, - &userspace_selectors); + userspace_selectors); if (err) goto err_free; }