wifi: cfg80211: wext: set ssids=NULL for passive scans

From: Johannes Berg <johannes.berg@xxxxxxxxx>

commit 0941772342d59e48733131ac3a202fa1a4d832e9 upstream.

In nl80211, we always set the ssids of a scan request to
NULL when n_ssids==0 (passive scan). Drivers have relied
on this behaviour in the past, so we fixed it in 6 GHz
scan requests as well, and added a warning so we'd have
assurance the API would always be called that way.

syzbot found that wext doesn't ensure that, so we reach
the check and trigger the warning. Fix the wext code to
set the ssids pointer to NULL when there are none.

Reported-by: syzbot+cd6135193ba6bb9ad158@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: f7a8b10bfd61 ("wifi: cfg80211: fix 6 GHz scan request building")
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/wireless/scan.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -3492,8 +3492,10 @@ int cfg80211_wext_siwscan(struct net_dev
 			memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
 			creq->ssids[0].ssid_len = wreq->essid_len;
 		}
-		if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE)
+		if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE) {
+			creq->ssids = NULL;
 			creq->n_ssids = 0;
+		}
 	}
 
 	for (i = 0; i < NUM_NL80211_BANDS; i++)
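
Review bot: the new "creq->ssids = NULL;" in the IW_SCAN_TYPE_PASSIVE branch sits directly after the lines that memcpy the ESSID into creq->ssids[0], so without context it reads as throwing away work that was just done and is at risk of being "cleaned up" later. A one-line comment in that branch stating the invariant (ssids must be NULL whenever n_ssids == 0, matching nl80211, because drivers rely on it and a warning checks it) would make the intent clear. The visible lines also do not show how creq->ssids was set up; it is worth confirming that it is not a separately allocated buffer that is later freed through this pointer, since after this assignment the original address is no longer reachable from creq.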


Patches currently in stable-queue which might be from johannes.berg@xxxxxxxxx are

queue-6.9/wifi-cfg80211-fix-6-ghz-scan-request-building.patch
queue-6.9/wifi-iwlwifi-mvm-remove-stale-sta-link-data-during-r.patch
queue-6.9/wifi-iwlwifi-mvm-d3-fix-wowlan-command-version-looku.patch
queue-6.9/wifi-mac80211-handle-tasklet-frames-before-stopping.patch
queue-6.9/wifi-iwlwifi-mvm-handle-bigtk-cipher-in-kek_kck-cmd.patch
queue-6.9/wifi-iwlwifi-mvm-fix-scan-abort-handling-with-hw-rfk.patch
queue-6.9/wifi-mac80211-fix-ubsan-noise-in-ieee80211_prep_hw_s.patch
queue-6.9/wifi-iwlwifi-mvm-don-t-wake-up-rx_sync_waitq-upon-rfkill.patch
queue-6.9/wifi-cfg80211-wext-set-ssids-null-for-passive-scans.patch
queue-6.9/wifi-mac80211-mesh-init-nonpeer_pm-to-active-by-defa.patch
queue-6.9/wifi-iwlwifi-properly-set-wiphy_flag_supports_ext_ke.patch
queue-6.9/wifi-iwlwifi-mvm-handle-ba-session-teardown-in-rf-ki.patch
queue-6.9/wifi-mac80211-apply-mcast-rate-only-if-interface-is-.patch
queue-6.9/wifi-mac80211-disable-softirqs-for-queued-frame-handling.patch
queue-6.9/wifi-cfg80211-wext-add-extra-siocsiwscan-data-check.patch
queue-6.9/wifi-iwlwifi-mvm-properly-set-6-ghz-channel-direct-p.patch
queue-6.9/wifi-mac80211-avoid-address-calculations-via-out-of-.patch



