From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 30 Jul 2024 14:24:29 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.103~17
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3c26628d60a7728c554fe118c9542489b23e56fa;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	wifi-mac80211-check-basic-rates-validity.patch
---

diff --git a/queue-6.1/series b/queue-6.1/series
index e570b18f1e7..5499e421860 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -390,3 +390,4 @@ pci-dpc-fix-use-after-free-on-concurrent-dpc-and-hot-removal.patch
 io_uring-io-wq-limit-retrying-worker-initialisation.patch
 wifi-mac80211-allow-nss-change-only-up-to-capability.patch
 wifi-mac80211-track-capability-opmode-nss-separately.patch
+wifi-mac80211-check-basic-rates-validity.patch
diff --git a/queue-6.1/wifi-mac80211-check-basic-rates-validity.patch b/queue-6.1/wifi-mac80211-check-basic-rates-validity.patch
new file mode 100644
index 00000000000..3d71ecf0971
--- /dev/null
+++ b/queue-6.1/wifi-mac80211-check-basic-rates-validity.patch
@@ -0,0 +1,63 @@
+From ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 24 Feb 2023 10:52:19 +0100
+Subject: wifi: mac80211: check basic rates validity
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 upstream.
+
+When userspace sets basic rates, it might send us some rates
+list that's empty or consists of invalid values only. We're
+currently ignoring invalid values and then may end up with a
+rates bitmap that's empty, which later results in a warning.
+
+Reject the call if there were no valid rates.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Reported-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
+Tested-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=07bee335584b04e7c2f8
+Signed-off-by: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2577,6 +2577,17 @@ static int ieee80211_change_bss(struct w
+ 	if (!sband)
+ 		return -EINVAL;
+ 
++	if (params->basic_rates) {
++		if (!ieee80211_parse_bitrates(sdata->vif.bss_conf.chandef.width,
++					      wiphy->bands[sband->band],
++					      params->basic_rates,
++					      params->basic_rates_len,
++					      &sdata->vif.bss_conf.basic_rates))
++			return -EINVAL;
++		changed |= BSS_CHANGED_BASIC_RATES;
++		ieee80211_check_rate_mask(&sdata->deflink);
++	}
++
+ 	if (params->use_cts_prot >= 0) {
+ 		sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
+ 		changed |= BSS_CHANGED_ERP_CTS_PROT;
+@@ -2600,16 +2611,6 @@ static int ieee80211_change_bss(struct w
+ 		changed |= BSS_CHANGED_ERP_SLOT;
+ 	}
+ 
+-	if (params->basic_rates) {
+-		ieee80211_parse_bitrates(sdata->vif.bss_conf.chandef.width,
+-					 wiphy->bands[sband->band],
+-					 params->basic_rates,
+-					 params->basic_rates_len,
+-					 &sdata->vif.bss_conf.basic_rates);
+-		changed |= BSS_CHANGED_BASIC_RATES;
+-		ieee80211_check_rate_mask(&sdata->deflink);
+-	}
+-
+ 	if (params->ap_isolate >= 0) {
+ 		if (params->ap_isolate)
+ 			sdata->flags |= IEEE80211_SDATA_DONT_BRIDGE_PACKETS;