wifi: mac80211: ignore reserved bits in reconfiguration status

The Link ID Info field in the Reconfiguration Status Duple subfield of
the Reconfiguration Response frame only uses the lower four bits for the
link ID. The upper bits are reserved and should therefore be ignored.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260325215404.ab5ccf4bc62e.I9aef8f4fb6f1b06671bb6cf0e2bd4ec6e4c8bda4@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 52db36120314e3bd8bbf54e9714c87dd3c20d152..b5d649db123febbabb13a0a2f0af4ec148ddbc91 100644 (file)
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -1194,6 +1194,13 @@ struct ieee80211_mgmt {
 
 #define IEEE80211_MIN_ACTION_SIZE(type)        offsetofend(struct ieee80211_mgmt, u.action.type)
 
+/* Link Reconfiguration Status Duple field */
+struct ieee80211_ml_reconf_status {
+       u8 info;
+       __le16 status;
+} __packed;
+
+#define IEEE80211_ML_RECONF_LINK_ID_MASK       0xf
 
 /* Management MIC information element (IEEE 802.11w) for CMAC */
 struct ieee80211_mmie {

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 173a60360a45487cd8aaebb4b95b1270212d3fb9..7fc5616cb2446c141a36346ec0001620f209d739 100644 (file)
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -10459,8 +10459,8 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
        pos = mgmt->u.action.ml_reconf_resp.variable;
        len -= offsetofend(typeof(*mgmt), u.action.ml_reconf_resp);
 
-       /* each status duple is 3 octets */
-       if (len < mgmt->u.action.ml_reconf_resp.count * 3) {
+       if (len < mgmt->u.action.ml_reconf_resp.count *
+                               sizeof(struct ieee80211_ml_reconf_status)) {
                sdata_info(sdata,
                           "mlo: reconf: unexpected len=%zu, count=%u\n",
                           len, mgmt->u.action.ml_reconf_resp.count);
@@ -10469,9 +10469,11 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
 
        link_mask = sta_changed_links;
        for (i = 0; i < mgmt->u.action.ml_reconf_resp.count; i++) {
-               u16 status = get_unaligned_le16(pos + 1);
+               struct ieee80211_ml_reconf_status *reconf_status = (void *)pos;
+               u16 status = le16_to_cpu(reconf_status->status);
 
-               link_id = *pos;
+               link_id = u8_get_bits(reconf_status->info,
+                                     IEEE80211_ML_RECONF_LINK_ID_MASK);
 
                if (!(link_mask & BIT(link_id))) {
                        sdata_info(sdata,
@@ -10506,8 +10508,8 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
                        sdata->u.mgd.reconf.added_links &= ~BIT(link_id);
                }
 
-               pos += 3;
-               len -= 3;
+               pos += sizeof(*reconf_status);
+               len -= sizeof(*reconf_status);
        }
 
        if (link_mask) {