6.1-stable patches

added patches:
	wifi-mac80211-check-basic-rates-validity.patch

diff --git a/queue-6.1/series b/queue-6.1/series
index e570b18f1e7954d976903a9134fee4467e74f5f3..5499e4218605714fedc6a13c51c086c69e159c8f 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -390,3 +390,4 @@ pci-dpc-fix-use-after-free-on-concurrent-dpc-and-hot-removal.patch
 io_uring-io-wq-limit-retrying-worker-initialisation.patch
 wifi-mac80211-allow-nss-change-only-up-to-capability.patch
 wifi-mac80211-track-capability-opmode-nss-separately.patch
+wifi-mac80211-check-basic-rates-validity.patch

diff --git a/queue-6.1/wifi-mac80211-check-basic-rates-validity.patch b/queue-6.1/wifi-mac80211-check-basic-rates-validity.patch
new file mode 100644 (file)
index 0000000..3d71ecf
--- /dev/null
+++ b/queue-6.1/wifi-mac80211-check-basic-rates-validity.patch
@@ -0,0 +1,63 @@
+From ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 24 Feb 2023 10:52:19 +0100
+Subject: wifi: mac80211: check basic rates validity
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 upstream.
+
+When userspace sets basic rates, it might send us some rates
+list that's empty or consists of invalid values only. We're
+currently ignoring invalid values and then may end up with a
+rates bitmap that's empty, which later results in a warning.
+
+Reject the call if there were no valid rates.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Reported-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
+Tested-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=07bee335584b04e7c2f8
+Signed-off-by: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2577,6 +2577,17 @@ static int ieee80211_change_bss(struct w
+       if (!sband)
+               return -EINVAL;
+ 
++      if (params->basic_rates) {
++              if (!ieee80211_parse_bitrates(sdata->vif.bss_conf.chandef.width,
++                                            wiphy->bands[sband->band],
++                                            params->basic_rates,
++                                            params->basic_rates_len,
++                                            &sdata->vif.bss_conf.basic_rates))
++                      return -EINVAL;
++              changed |= BSS_CHANGED_BASIC_RATES;
++              ieee80211_check_rate_mask(&sdata->deflink);
++      }
++
+       if (params->use_cts_prot >= 0) {
+               sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
+               changed |= BSS_CHANGED_ERP_CTS_PROT;
+@@ -2600,16 +2611,6 @@ static int ieee80211_change_bss(struct w
+               changed |= BSS_CHANGED_ERP_SLOT;
+       }
+ 
+-      if (params->basic_rates) {
+-              ieee80211_parse_bitrates(sdata->vif.bss_conf.chandef.width,
+-                                       wiphy->bands[sband->band],
+-                                       params->basic_rates,
+-                                       params->basic_rates_len,
+-                                       &sdata->vif.bss_conf.basic_rates);
+-              changed |= BSS_CHANGED_BASIC_RATES;
+-              ieee80211_check_rate_mask(&sdata->deflink);
+-      }
+-
+       if (params->ap_isolate >= 0) {
+               if (params->ap_isolate)
+                       sdata->flags |= IEEE80211_SDATA_DONT_BRIDGE_PACKETS;