Patch "wifi: mac80211: check defragmentation succeeded" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 22 Dec 2023 17:58:24 -0500

This is a note to let you know that I've just added the patch titled

    wifi: mac80211: check defragmentation succeeded

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-mac80211-check-defragmentation-succeeded.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit cea2dde262894559c1151f0dd3d1595b5e6637d8
Author: Johannes Berg <johannes.berg@xxxxxxxxx>
Date:   Mon Dec 11 09:05:30 2023 +0200

    wifi: mac80211: check defragmentation succeeded
    
    [ Upstream commit 98849ba2aa9db46e62720fb686a9d63ed9887806 ]
    
    We need to check that cfg80211_defragment_element()
    didn't return an error, since it can fail due to bad
    input, and we didn't catch that before.
    
    Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element")
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx>
    Link: https://msgid.link/20231211085121.8595a6b67fc0.I1225edd8f98355e007f96502e358e476c7971d8c@changeid
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 0c9198997482b..73f8df03d159c 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -5805,7 +5805,7 @@ static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata,
 {
 	const struct ieee80211_multi_link_elem *ml;
 	const struct element *sub;
-	size_t ml_len;
+	ssize_t ml_len;
 	unsigned long removed_links = 0;
 	u16 link_removal_timeout[IEEE80211_MLD_MAX_NUM_LINKS] = {};
 	u8 link_id;
@@ -5821,6 +5821,8 @@ static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata,
 					     elems->scratch + elems->scratch_len -
 					     elems->scratch_pos,
 					     WLAN_EID_FRAGMENT);
+	if (ml_len < 0)
+		return;
 
 	elems->ml_reconf = (const void *)elems->scratch_pos;
 	elems->ml_reconf_len = ml_len;







