6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook kees@kernel.org
[ Upstream commit 3a0168626c138734490bc52c4105ce8e79d2f923 ]
Since adding __counted_by(n_channels) to struct cfg80211_scan_request, anything adding to the channels array must increment n_channels first. Move n_channels increment earlier.
Reported-by: John Rowley lkml@johnrowley.me Closes: https://lore.kernel.org/stable/1815535c709ba9d9.156c6a5c9cdf6e59.b249b6b6a5e... Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate") Signed-off-by: Kees Cook kees@kernel.org Reviewed-by: Gustavo A. R. Silva gustavoars@kernel.org Link: https://patch.msgid.link/20241230183610.work.680-kees@kernel.org Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/wireless/scan.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index d0aed41ded2f1..21bc057fd8c29 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -763,12 +763,11 @@ static void cfg80211_scan_req_add_chan(struct cfg80211_scan_request *request, } }
+ request->n_channels++; request->channels[n_channels] = chan; if (add_to_6ghz) request->scan_6ghz_params[request->n_6ghz_params].channel_idx = n_channels; - - request->n_channels++; }
static bool cfg80211_find_ssid_match(struct cfg80211_colocated_ap *ap,