--- /dev/null
+From 16ee3ea8faef8ff042acc15867a6c458c573de61 Mon Sep 17 00:00:00 2001
+From: Mikhail Lobanov <m.lobanov@rosa.ru>
+Date: Mon, 17 Mar 2025 13:31:37 +0300
+Subject: wifi: mac80211: check basic rates validity in sta_link_apply_parameters
+
+From: Mikhail Lobanov <m.lobanov@rosa.ru>
+
+commit 16ee3ea8faef8ff042acc15867a6c458c573de61 upstream.
+
+When userspace sets supported rates for a new station via
+NL80211_CMD_NEW_STATION, it might send a list that's empty
+or contains only invalid values. Currently, we process these
+values in sta_link_apply_parameters() without checking the result of
+ieee80211_parse_bitrates(), which can lead to an empty rates bitmap.
+
+A similar issue was addressed for NL80211_CMD_SET_BSS in commit
+ce04abc3fcc6 ("wifi: mac80211: check basic rates validity").
+This patch applies the same approach in sta_link_apply_parameters()
+for NL80211_CMD_NEW_STATION, ensuring there is at least one valid
+rate by inspecting the result of ieee80211_parse_bitrates().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params")
+Signed-off-by: Mikhail Lobanov <m.lobanov@rosa.ru>
+Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[ Summary of conflict resolutions:
+ - Function ieee80211_parse_bitrates() takes channel width as its
+ first parameter in mainline kernel version. In v5.15 the function
+ takes the whole chandef struct as its first parameter.
+ - The same function takes link station parameters as its last
+ parameter, and in v5.15 they are in a struct called sta,
+ instead of a struct called link_sta. ]
+Signed-off-by: Hanne-Lotta Mäenpää <hannelotta@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1658,12 +1658,13 @@ static int sta_apply_parameters(struct i
+ return ret;
+ }
+
+- if (params->supported_rates && params->supported_rates_len) {
+- ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef,
+- sband, params->supported_rates,
+- params->supported_rates_len,
+- &sta->sta.supp_rates[sband->band]);
+- }
++ if (params->supported_rates &&
++ params->supported_rates_len &&
++ !ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef,
++ sband, params->supported_rates,
++ params->supported_rates_len,
++ &sta->sta.supp_rates[sband->band]))
++ return -EINVAL;
+
+ if (params->ht_capa)
+ ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
projects / thirdparty / kernel / stable-queue.git / commitdiff
