From: Greg Kroah-Hartman Date: Tue, 26 Aug 2025 07:15:18 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.4.297~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fba85a2b1da9566ab2187d7b71ca2268326b2114;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch --- diff --git a/queue-5.15/series b/queue-5.15/series index 7dc2570634..d91d0dad6f 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -641,3 +641,4 @@ alsa-usb-audio-use-correct-sub-type-for-uac3-feature.patch s390-hypfs-avoid-unnecessary-ioctl-registration-in-d.patch s390-hypfs-enable-limited-access-during-lockdown.patch netfilter-nf_reject-don-t-leak-dst-refcount-for-loop.patch +wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch diff --git a/queue-5.15/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch b/queue-5.15/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch new file mode 100644 index 0000000000..983c555430 --- /dev/null +++ b/queue-5.15/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch 
@@ -0,0 +1,62 @@ +From 16ee3ea8faef8ff042acc15867a6c458c573de61 Mon Sep 17 00:00:00 2001 +From: Mikhail Lobanov +Date: Mon, 17 Mar 2025 13:31:37 +0300 +Subject: wifi: mac80211: check basic rates validity in sta_link_apply_parameters + +From: Mikhail Lobanov + +commit 16ee3ea8faef8ff042acc15867a6c458c573de61 upstream. + +When userspace sets supported rates for a new station via +NL80211_CMD_NEW_STATION, it might send a list that's empty +or contains only invalid values. Currently, we process these +values in sta_link_apply_parameters() without checking the result of +ieee80211_parse_bitrates(), which can lead to an empty rates bitmap. + +A similar issue was addressed for NL80211_CMD_SET_BSS in commit +ce04abc3fcc6 ("wifi: mac80211: check basic rates validity"). +This patch applies the same approach in sta_link_apply_parameters() +for NL80211_CMD_NEW_STATION, ensuring there is at least one valid +rate by inspecting the result of ieee80211_parse_bitrates(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params") +Signed-off-by: Mikhail Lobanov +Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru +Signed-off-by: Johannes Berg +[ Summary of conflict resolutions: + - Function ieee80211_parse_bitrates() takes channel width as its + first parameter in mainline kernel version. In v5.15 the function + takes the whole chandef struct as its first parameter. + - The same function takes link station parameters as its last + parameter, and in v5.15 they are in a struct called sta, + instead of a struct called link_sta. 
] +Signed-off-by: Hanne-Lotta Mäenpää +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1658,12 +1658,13 @@ static int sta_apply_parameters(struct i + return ret; + } + +- if (params->supported_rates && params->supported_rates_len) { +- ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef, +- sband, params->supported_rates, +- params->supported_rates_len, +- &sta->sta.supp_rates[sband->band]); +- } ++ if (params->supported_rates && ++ params->supported_rates_len && ++ !ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef, ++ sband, params->supported_rates, ++ params->supported_rates_len, ++ &sta->sta.supp_rates[sband->band])) ++ return -EINVAL; + + if (params->ht_capa) + ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
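Review bot: In the sta_apply_parameters() hunk of net/mac80211/cfg.c, the new -EINVAL return is only reached when params->supported_rates_len is non-zero, so of the two cases the changelog names, only "contains only invalid values" is rejected. A zero-length list short-circuits the && chain and leaves sta->sta.supp_rates[sband->band] untouched. If an empty list should also be refused, that needs its own check; if it is intentionally accepted, the changelog should say so. Also, &sta->sta.supp_rates[sband->band] is passed as the output argument of ieee80211_parse_bitrates(), so by the time "return -EINVAL;" runs the bitmap may already have been overwritten; please confirm that every caller discards or restores the station state on this error path. On documentation: the subject and changelog refer to sta_link_apply_parameters(), while the 5.15 hunk header shows sta_apply_parameters(). The conflict summary lists the parameter differences but not the function name, and the Fixes: tag names the link-params split commit even though the 5.15 code still uses struct sta. A line in the conflict summary stating that the same unchecked call exists in 5.15 under the older function name (as the removed lines show) would make the backport easier to audit.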