
[PATCH RESEND wireless-next 09/15] wifi: mac80211: fix userspace_selectors corruption


 



From: Johannes Berg <johannes.berg@xxxxxxxxx>

Spotted during code review, the selectors need to be large
enough for a 128-bit bitmap, not a single unsigned long,
otherwise we have stack corruption.

We should also allow passing selectors from userspace, but
that should be a separate change.

Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Reviewed-by: Ilan Peer <ilan.peer@xxxxxxxxx>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx>
---
 net/mac80211/mlme.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 426c0246fe1f..85ae66197674 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -9914,8 +9914,6 @@ EXPORT_SYMBOL(ieee80211_disable_rssi_reports);
 
 static void ieee80211_ml_reconf_selectors(unsigned long *userspace_selectors)
 {
-	*userspace_selectors = 0;
-
 	/* these selectors are mandatory for ML reconfiguration */
 	set_bit(BSS_MEMBERSHIP_SELECTOR_SAE_H2E, userspace_selectors);
 	set_bit(BSS_MEMBERSHIP_SELECTOR_HE_PHY, userspace_selectors);
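Review bot: With `*userspace_selectors = 0;` removed, ieee80211_ml_reconf_selectors() only sets bits, so it now depends on every caller passing a bitmap that is already zeroed and wide enough for the largest selector value. Neither the `unsigned long *` parameter nor a comment states that requirement, and a too-small buffer is the stack corruption this patch fixes. A comment above the function would record the contract, for example `/* caller must pass a zero-initialized bitmap of at least 128 bits */`. Alternatively the helper could clear the bitmap itself with `bitmap_zero(userspace_selectors, 128);`, so that a caller without the `= {}` initializer cannot hand uninitialized stack bits to ieee80211_prep_channel(). The function body continues past the end of this hunk.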
@@ -9935,7 +9933,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
 		                sdata->u.mgd.reconf.removed_links;
 	u16 link_mask, valid_links;
 	unsigned int link_id;
-	unsigned long userspace_selectors;
+	unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};
 	size_t orig_len = len;
 	u8 i, group_key_data_len;
 	u8 *pos;
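Review bot: The bitmap width is written as a bare `128` in `unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};` here and again in the declaration in ieee80211_mgd_assoc_ml_reconf() (the hunk at -10427). The code that consumes the bitmap through ieee80211_prep_channel() is not visible in this diff, so presumably it assumes the same width. If the sizes drift apart, the out-of-bounds write returns. Declaring it as `DECLARE_BITMAP(userspace_selectors, 128) = {};` with the width taken from one shared named constant would keep the two declarations and the consumer in step. The enclosing function starts and ends outside this hunk.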
@@ -10043,7 +10041,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
 	}
 
 	ieee80211_vif_set_links(sdata, valid_links, sdata->vif.dormant_links);
-	ieee80211_ml_reconf_selectors(&userspace_selectors);
+	ieee80211_ml_reconf_selectors(userspace_selectors);
 	link_mask = 0;
 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
 		struct cfg80211_bss *cbss = add_links_data->link[link_id].bss;
@@ -10089,7 +10087,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
 		link->u.mgd.conn = add_links_data->link[link_id].conn;
 		if (ieee80211_prep_channel(sdata, link, link_id, cbss,
 					   true, &link->u.mgd.conn,
-					   &userspace_selectors)) {
+					   userspace_selectors)) {
 			link_info(link, "mlo: reconf: prep_channel failed\n");
 			goto disconnect;
 		}
@@ -10427,14 +10425,14 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
 	 */
 	if (added_links) {
 		bool uapsd_supported;
-		unsigned long userspace_selectors;
+		unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};
 
 		data = kzalloc(sizeof(*data), GFP_KERNEL);
 		if (!data)
 			return -ENOMEM;
 
 		uapsd_supported = true;
-		ieee80211_ml_reconf_selectors(&userspace_selectors);
+		ieee80211_ml_reconf_selectors(userspace_selectors);
 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
 		     link_id++) {
 			struct ieee80211_supported_band *sband;
@@ -10510,7 +10508,7 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
 						     data->link[link_id].bss,
 						     true,
 						     &data->link[link_id].conn,
-						     &userspace_selectors);
+						     userspace_selectors);
 			if (err)
 				goto err_free;
 		}
-- 
2.34.1




