From: Greg Kroah-Hartman Date: Fri, 9 May 2025 08:13:49 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v5.15.183~82 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ac112bb4f0dc940b0489705bb3c3bda151154164;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch dm-add-missing-unlock-on-in-dm_keyslot_evict.patch firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch ksmbd-fix-uaf-in-__close_file_table_ids.patch ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch ksmbd-prevent-rename-with-empty-string.patch series wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch
---
diff --git a/queue-6.6/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch b/queue-6.6/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
new file mode 100644
index 0000000000..14434094c4
--- /dev/null
+++ b/queue-6.6/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
@@ -0,0 +1,112 @@ +From 5591ce0069ddda97cdbbea596bed53e698f399c2 Mon Sep 17 00:00:00 2001 +From: Wojciech Dubowik +Date: Thu, 24 Apr 2025 11:59:14 +0200 +Subject: arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 + +From: Wojciech Dubowik + +commit 5591ce0069ddda97cdbbea596bed53e698f399c2 upstream. + +Define vqmmc regulator-gpio for usdhc2 with vin-supply +coming from LDO5. + +Without this definition LDO5 will be powered down, disabling +SD card after bootup. This has been introduced in commit +f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5"). + +Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini") +Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5") +Tested-by: Manuel Traut +Reviewed-by: Philippe Schenker +Tested-by: Francesco Dolcini +Reviewed-by: Francesco Dolcini +Cc: stable@vger.kernel.org +Signed-off-by: Wojciech Dubowik +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +@@ -148,6 +148,19 @@ + startup-delay-us = <20000>; + }; + ++ reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc { ++ compatible = "regulator-gpio"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&pinctrl_usdhc2_vsel>; ++ gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>; ++ regulator-max-microvolt = <3300000>; ++ regulator-min-microvolt = <1800000>; ++ states = <1800000 0x1>, ++ <3300000 0x0>; ++ regulator-name = "PMIC_USDHC_VSELECT"; ++ vin-supply = <®_nvcc_sd>; ++ }; ++ + reserved-memory { + #address-cells = <2>; + #size-cells = <2>; +@@ -266,7 +279,7 @@ + "SODIMM_19", + "", + "", +- "", ++ "PMIC_USDHC_VSELECT", + "", + "", + "", +@@ -787,6 +800,7 @@ + pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>; + pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>; 
+ vmmc-supply = <®_usdhc2_vmmc>; ++ vqmmc-supply = <®_usdhc2_vqmmc>; + }; + + &wdog1 { +@@ -1209,13 +1223,17 @@ + ; /* SODIMM 76 */ + }; + ++ pinctrl_usdhc2_vsel: usdhc2vselgrp { ++ fsl,pins = ++ ; /* PMIC_USDHC_VSELECT */ ++ }; ++ + /* + * Note: Due to ERR050080 we use discrete external on-module resistors pulling-up to the + * on-module +V3.3_1.8_SD (LDO5) rail and explicitly disable the internal pull-ups here. + */ + pinctrl_usdhc2: usdhc2grp { + fsl,pins = +- , + , /* SODIMM 78 */ + , /* SODIMM 74 */ + , /* SODIMM 80 */ +@@ -1226,7 +1244,6 @@ + + pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp { + fsl,pins = +- , + , + , + , +@@ -1237,7 +1254,6 @@ + + pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp { + fsl,pins = +- , + , + , + , +@@ -1249,7 +1265,6 @@ + /* Avoid backfeeding with removed card power */ + pinctrl_usdhc2_sleep: usdhc2slpgrp { + fsl,pins = +- , + , + , + , diff --git a/queue-6.6/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch b/queue-6.6/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch new file mode 100644 index 0000000000..595fac60c2 --- /dev/null +++ b/queue-6.6/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch 
@@ -0,0 +1,45 @@
+From 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Fri, 2 May 2025 16:13:46 +0200
+Subject: can: mcan: m_can_class_unregister(): fix order of unregistration calls
+
+From: Marc Kleine-Budde
+
+commit 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+The removal of the module causes a warning, as can_rx_offload_del()
+deletes the NAPI, while it is still active, because the interface is
+still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 1be37d3b0414 ("can: m_can: fix periph RX path: use rx-offload to ensure skbs are sent from softirq context")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-3-59a9b131589d@pengutronix.de
+Reviewed-by: Markus Schneider-Pargmann
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -2125,9 +2125,9 @@ EXPORT_SYMBOL_GPL(m_can_class_register);
+
+ void m_can_class_unregister(struct m_can_classdev *cdev)
+ {
++ unregister_candev(cdev->net);
+ if (cdev->is_peripheral)
+ can_rx_offload_del(&cdev->offload);
+- unregister_candev(cdev->net);
+ }
+ EXPORT_SYMBOL_GPL(m_can_class_unregister);
+
diff --git a/queue-6.6/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch b/queue-6.6/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
new file mode 100644
index 0000000000..4f5e6475e8
--- /dev/null
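Review bot: The ordering dependency this reorder establishes in m_can_class_unregister() is not visible in the code: nothing says that unregister_candev() must run first because it reaches ndo_stop, which is what disables the NAPI that can_rx_offload_del() tears down, so a later cleanup could swap the two calls back without any warning from the source itself. A one-line comment above the unregister_candev() call, `/* ndo_stop (reached via unregister_candev) must disable NAPI before can_rx_offload_del() */`, would pin the ordering. The same applies to the mcp251xfd_remove() hunk in the next patch file, where mcp251xfd_unregister() now precedes can_rx_offload_del() with no explanation in the code.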
+++ b/queue-6.6/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
@@ -0,0 +1,47 @@
+From 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Fri, 2 May 2025 16:13:44 +0200
+Subject: can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls
+
+From: Marc Kleine-Budde
+
+commit 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+With the mcp251xfd driver the removal of the module causes the
+following warning:
+
+| WARNING: CPU: 0 PID: 352 at net/core/dev.c:7342 __netif_napi_del_locked+0xc8/0xd8
+
+as can_rx_offload_del() deletes the NAPI, while it is still active,
+because the interface is still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-1-59a9b131589d@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+@@ -2179,8 +2179,8 @@ static void mcp251xfd_remove(struct spi_
+ struct mcp251xfd_priv *priv = spi_get_drvdata(spi);
+ struct net_device *ndev = priv->ndev;
+
+- can_rx_offload_del(&priv->offload);
+ mcp251xfd_unregister(priv);
++ can_rx_offload_del(&priv->offload);
+ spi->max_speed_hz = priv->spi_max_speed_hz_orig;
+ free_candev(ndev);
+ }
diff --git a/queue-6.6/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch b/queue-6.6/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
new file mode 100644
index 0000000000..fa08189cae
--- /dev/null
+++ b/queue-6.6/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
@@ -0,0 +1,40 @@
+From 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 30 Apr 2025 11:05:54 +0300
+Subject: dm: add missing unlock on in dm_keyslot_evict()
+
+From: Dan Carpenter
+
+commit 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 upstream.
+
+We need to call dm_put_live_table() even if dm_get_live_table() returns
+NULL.
+
+Fixes: 9355a9eb21a5 ("dm: support key eviction from keyslot managers of underlying devices")
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-table.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -1242,7 +1242,7 @@ static int dm_keyslot_evict(struct blk_c
+
+ t = dm_get_live_table(md, &srcu_idx);
+ if (!t)
+- return 0;
++ goto put_live_table;
+
+ for (unsigned int i = 0; i < t->num_targets; i++) {
+ struct dm_target *ti = dm_table_get_target(t, i);
+@@ -1253,6 +1253,7 @@ static int dm_keyslot_evict(struct blk_c
+ (void *)key);
+ }
+
++put_live_table:
+ dm_put_live_table(md, srcu_idx);
+ return 0;
+ }
diff --git a/queue-6.6/firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch b/queue-6.6/firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
new file mode 100644
index 0000000000..037bdf31cc
--- /dev/null
+++ b/queue-6.6/firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
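Review bot: The new `goto put_live_table` in the `!t` branch of dm_keyslot_evict() relies on dm_get_live_table() having taken the SRCU read side and filled srcu_idx even when it returns NULL, and nothing at the call site states that contract; the deleted `return 0` looked correct for exactly that reason, so the next reader may "simplify" it back. A comment on the branch, `/* dm_get_live_table() holds the SRCU read lock even when it returns NULL */`, would keep the unlock from being lost again. dm_keyslot_evict() begins above the first hunk, so the declaration of srcu_idx is not visible here.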
@@ -0,0 +1,73 @@
+From c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee Mon Sep 17 00:00:00 2001
+From: Cristian Marussi
+Date: Mon, 10 Mar 2025 17:58:00 +0000
+Subject: firmware: arm_scmi: Fix timeout checks on polling path
+
+From: Cristian Marussi
+
+commit c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee upstream.
+
+Polling mode transactions wait for a reply busy-looping without holding a
+spinlock, but currently the timeout checks are based only on elapsed time:
+as a result we could hit a false positive whenever our busy-looping thread
+is pre-empted and scheduled out for a time greater than the polling
+timeout.
+
+Change the checks at the end of the busy-loop to make sure that the polling
+wasn't indeed successful or an out-of-order reply caused the polling to be
+forcibly terminated.
+
+Fixes: 31d2f803c19c ("firmware: arm_scmi: Add sync_cmds_completed_on_ret transport flag")
+Reported-by: Huangjie
+Closes: https://lore.kernel.org/arm-scmi/20250123083323.2363749-1-jackhuang021@gmail.com/
+Signed-off-by: Cristian Marussi
+Cc: stable@vger.kernel.org # 5.18.x
+Message-Id: <20250310175800.1444293-1-cristian.marussi@arm.com>
+Signed-off-by: Sudeep Holla
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/arm_scmi/driver.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/firmware/arm_scmi/driver.c
++++ b/drivers/firmware/arm_scmi/driver.c
+@@ -1017,7 +1017,8 @@ static void xfer_put(const struct scmi_p
+ }
+
+ static bool scmi_xfer_done_no_timeout(struct scmi_chan_info *cinfo,
+- struct scmi_xfer *xfer, ktime_t stop)
++ struct scmi_xfer *xfer, ktime_t stop,
++ bool *ooo)
+ {
+ struct scmi_info *info = handle_to_scmi_info(cinfo->handle);
+
+@@ -1026,7 +1027,7 @@ static bool scmi_xfer_done_no_timeout(st
+ * in case of out-of-order receptions of delayed responses
+ */
+ return info->desc->ops->poll_done(cinfo, xfer) ||
+- try_wait_for_completion(&xfer->done) ||
++ (*ooo = try_wait_for_completion(&xfer->done)) ||
+ ktime_after(ktime_get(),
stop);
+ }
+
+@@ -1042,15 +1043,17 @@ static int scmi_wait_for_reply(struct de
+ * itself to support synchronous commands replies.
+ */
+ if (!desc->sync_cmds_completed_on_ret) {
++ bool ooo = false;
++
+ /*
+ * Poll on xfer using transport provided .poll_done();
+ * assumes no completion interrupt was available.
+ */
+ ktime_t stop = ktime_add_ms(ktime_get(), timeout_ms);
+
+- spin_until_cond(scmi_xfer_done_no_timeout(cinfo,
+- xfer, stop));
+- if (ktime_after(ktime_get(), stop)) {
++ spin_until_cond(scmi_xfer_done_no_timeout(cinfo, xfer,
++ stop, &ooo));
++ if (!ooo && !info->desc->ops->poll_done(cinfo, xfer)) {
+ dev_err(dev,
+ "timed out in resp(caller: %pS) - polling\n",
+ (void *)_RET_IP_);
diff --git a/queue-6.6/ksmbd-fix-uaf-in-__close_file_table_ids.patch b/queue-6.6/ksmbd-fix-uaf-in-__close_file_table_ids.patch
new file mode 100644
index 0000000000..bd545cc24d
--- /dev/null
+++ b/queue-6.6/ksmbd-fix-uaf-in-__close_file_table_ids.patch
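Review bot: The contract of the new `ooo` out-parameter of scmi_xfer_done_no_timeout() is only implied by the `||` chain: `*ooo` is assigned solely on iterations where poll_done() returned false, so the caller's `bool ooo = false;` is load-bearing and a future caller that omits it would test an indeterminate value in the post-loop `if (!ooo && ...)`. If the function carries a kernel-doc block (it sits above the hunk), it needs an entry along the lines of `@ooo: set when try_wait_for_completion() consumed the completion; left untouched when poll_done() succeeds first, so callers must initialize it to false`, and a short comment at the assignment would help readers who only see the expression. Both scmi_xfer_done_no_timeout() and scmi_wait_for_reply() extend beyond the hunks shown.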
@@ -0,0 +1,79 @@
+From 36991c1ccde2d5a521577c448ffe07fcccfe104d Mon Sep 17 00:00:00 2001
+From: Sean Heelan
+Date: Tue, 6 May 2025 22:04:52 +0900
+Subject: ksmbd: Fix UAF in __close_file_table_ids
+
+From: Sean Heelan
+
+commit 36991c1ccde2d5a521577c448ffe07fcccfe104d upstream.
+
+A use-after-free is possible if one thread destroys the file
+via __ksmbd_close_fd while another thread holds a reference to
+it. The existing checks on fp->refcount are not sufficient to
+prevent this.
+
+The fix takes ft->lock around the section which removes the
+file from the file table. This prevents two threads acquiring the
+same file pointer via __close_file_table_ids, as well as the other
+functions which retrieve a file from the IDR and which already use
+this same lock.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Heelan
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/vfs_cache.c | 33 ++++++++++++++++++++++++++-------
+ 1 file changed, 26 insertions(+), 7 deletions(-)
+
+--- a/fs/smb/server/vfs_cache.c
++++ b/fs/smb/server/vfs_cache.c
+@@ -644,21 +644,40 @@ __close_file_table_ids(struct ksmbd_file
+ bool (*skip)(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp))
+ {
+- unsigned int id;
+- struct ksmbd_file *fp;
+- int num = 0;
++ struct ksmbd_file *fp;
++ unsigned int id = 0;
++ int num = 0;
+
+- idr_for_each_entry(ft->idr, fp, id) {
+- if (skip(tcon, fp))
++ while (1) {
++ write_lock(&ft->lock);
++ fp = idr_get_next(ft->idr, &id);
++ if (!fp) {
++ write_unlock(&ft->lock);
++ break;
++ }
++
++ if (skip(tcon, fp) ||
++ !atomic_dec_and_test(&fp->refcount)) {
++ id++;
++ write_unlock(&ft->lock);
+ continue;
++ }
+
+ set_close_state_blocked_works(fp);
++ idr_remove(ft->idr, fp->volatile_id);
++ fp->volatile_id = KSMBD_NO_FID;
++ write_unlock(&ft->lock);
++
++ down_write(&fp->f_ci->m_lock);
++ list_del_init(&fp->node);
++ up_write(&fp->f_ci->m_lock);
+
+- if (!atomic_dec_and_test(&fp->refcount))
+- continue;
+
__ksmbd_close_fd(ft, fp);
++
+ num++;
++ id++;
+ }
++
+ return num;
+ }
+
diff --git a/queue-6.6/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch b/queue-6.6/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
new file mode 100644
index 0000000000..3adfc3e525
--- /dev/null
+++ b/queue-6.6/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
@@ -0,0 +1,42 @@
+From 0ca6df4f40cf4c32487944aaf48319cb6c25accc Mon Sep 17 00:00:00 2001
+From: Norbert Szetei
+Date: Fri, 2 May 2025 08:21:58 +0900
+Subject: ksmbd: prevent out-of-bounds stream writes by validating *pos
+
+From: Norbert Szetei
+
+commit 0ca6df4f40cf4c32487944aaf48319cb6c25accc upstream.
+
+ksmbd_vfs_stream_write() did not validate whether the write offset
+(*pos) was within the bounds of the existing stream data length (v_len).
+If *pos was greater than or equal to v_len, this could lead to an
+out-of-bounds memory write.
+
+This patch adds a check to ensure *pos is less than v_len before
+proceeding. If the condition fails, -EINVAL is returned.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Norbert Szetei
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/vfs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -443,6 +443,13 @@ static int ksmbd_vfs_stream_write(struct
+ goto out;
+ }
+
++ if (v_len <= *pos) {
++ pr_err("stream write position %lld is out of bounds (stream length: %zd)\n",
++ *pos, v_len);
++ err = -EINVAL;
++ goto out;
++ }
++
+ if (v_len < size) {
+ wbuf = kvzalloc(size, GFP_KERNEL);
+ if (!wbuf) {
diff --git a/queue-6.6/ksmbd-prevent-rename-with-empty-string.patch b/queue-6.6/ksmbd-prevent-rename-with-empty-string.patch
new file mode 100644
index 0000000000..f7662c608a
--- /dev/null
+++ b/queue-6.6/ksmbd-prevent-rename-with-empty-string.patch
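Review bot: The line `fp->volatile_id = KSMBD_NO_FID;` in the rewritten __close_file_table_ids() loop does real work — presumably it is what makes the later __ksmbd_close_fd() skip its own table removal now that this loop has already called idr_remove() under ft->lock — but nothing in the loop says so, and a reader could drop it as a cosmetic reset and reintroduce a double removal. A comment such as `/* already removed from the IDR here; NO_FID tells __ksmbd_close_fd() not to do it again */` would tie the two together (confirm against __ksmbd_close_fd(), which is outside the hunk). Note also that skip() is now invoked with ft->lock held for writing, so the callbacks passed in must not sleep or re-take that lock; that constraint belongs in the function's header comment. The function's declaration starts above the hunk.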
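Review bot: The new `if (v_len <= *pos)` check in ksmbd_vfs_stream_write() also rejects a write at exactly the current end of the stream (and, if v_len can be 0, every write to an empty stream), while the `if (v_len < size)` branch directly below it grows the buffer and so indicates that writes extending the stream are meant to succeed; if `size` is derived from `*pos` and `count` (computed above the hunk), those requests now fail with -EINVAL. A negative `*pos` is not caught by this comparison either. If the intent is to bound the offset rather than forbid growth, a guard like `if (*pos < 0 || *pos > v_len)` together with a check that the write end does not exceed the size the buffer is grown to would express it; in any case a comment stating which offsets are legal is needed next to the check. The function begins above the hunk, so the derivation of size and v_len is not visible here.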
@@ -0,0 +1,38 @@
+From 53e3e5babc0963a92d856a5ec0ce92c59f54bc12 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Wed, 30 Apr 2025 11:18:28 +0900
+Subject: ksmbd: prevent rename with empty string
+
+From: Namjae Jeon
+
+commit 53e3e5babc0963a92d856a5ec0ce92c59f54bc12 upstream.
+
+Client can send empty newname string to ksmbd server.
+It will cause a kernel oops from d_alloc.
+This patch return the error when attempting to rename
+a file or directory with an empty new name string.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei
+Tested-by: Norbert Szetei
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -632,6 +632,11 @@ smb2_get_name(const char *src, const int
+ return name;
+ }
+
++ if (*name == '\0') {
++ kfree(name);
++ return ERR_PTR(-EINVAL);
++ }
++
+ if (*name == '\\') {
+ pr_err("not allow directory name included leading slash\n");
+ kfree(name);
diff --git a/queue-6.6/series b/queue-6.6/series
new file mode 100644
index 0000000000..b622f12fc0
--- /dev/null
+++ b/queue-6.6/series
@@ -0,0 +1,9 @@
+dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
+arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
+firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
+can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
+wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch
+can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
+ksmbd-prevent-rename-with-empty-string.patch
+ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
+ksmbd-fix-uaf-in-__close_file_table_ids.patch
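Review bot: The new empty-name check in smb2_get_name() rejects silently and records no reason, whereas the leading-slash branch immediately after it explains itself with a pr_err(); the rationale given in the commit message (an empty name oopses in d_alloc()) is lost once the code is read on its own. A comment on the branch, `/* an empty name would oops in d_alloc(); reject it before any lookup */`, would preserve it, and if a log line is wanted for parity with the slash case it should be rate-limited, since the name is client-supplied. smb2_get_name() starts above the hunk.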
diff --git a/queue-6.6/wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch b/queue-6.6/wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch
new file mode 100644
index 0000000000..2da5367d89
--- /dev/null
+++ b/queue-6.6/wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch
@@ -0,0 +1,40 @@
+From 023c1f2f0609218103cbcb48e0104b144d4a16dc Mon Sep 17 00:00:00 2001
+From: Veerendranath Jakkam
+Date: Thu, 24 Apr 2025 18:01:42 +0530
+Subject: wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation
+
+From: Veerendranath Jakkam
+
+commit 023c1f2f0609218103cbcb48e0104b144d4a16dc upstream.
+
+Currently during the multi-link element defragmentation process, the
+multi-link element length added to the total IEs length when calculating
+the length of remaining IEs after the multi-link element in
+cfg80211_defrag_mle(). This could lead to out-of-bounds access if the
+multi-link element or its corresponding fragment elements are the last
+elements in the IEs buffer.
+
+To address this issue, correctly calculate the remaining IEs length by
+deducting the multi-link element end offset from total IEs end offset.
+
+Cc: stable@vger.kernel.org
+Fixes: 2481b5da9c6b ("wifi: cfg80211: handle BSS data contained in ML probe responses")
+Signed-off-by: Veerendranath Jakkam
+Link: https://patch.msgid.link/20250424-fix_mle_defragmentation_oob_access-v1-1-84412a1743fa@quicinc.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2511,7 +2511,7 @@ cfg80211_defrag_mle(const struct element
+ /* Required length for first defragmentation */
+ buf_len = mle->datalen - 1;
+ for_each_element(elem, mle->data + mle->datalen,
+- ielen - sizeof(*mle) + mle->datalen) {
++ ie + ielen - mle->data - mle->datalen) {
+ if (elem->id != WLAN_EID_FRAGMENT)
+ break;
+
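Review bot: The new remaining length `ie + ielen - mle->data - mle->datalen` in cfg80211_defrag_mle() is a pointer difference whose sign depends on the multi-link element ending inside the IE buffer; if that invariant ever failed, the negative result would be handed to for_each_element() as a length and, if that macro takes an unsigned size, converted to a huge value, re-creating the out-of-bounds walk this patch removes. Presumably the caller validates mle against [ie, ie + ielen) before calling, but that is outside the hunk, so a comment on the call, `/* mle lies within [ie, ie + ielen) (validated by the caller), so this cannot go negative */`, or an early return on a negative difference, would make the assumption checkable. cfg80211_defrag_mle() begins above the hunk.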