wifi: mac80211: fix userspace_selectors corruption
authorJohannes Berg <johannes.berg@intel.com>
Sat, 8 Mar 2025 21:03:35 +0000 (23:03 +0200)
committerJohannes Berg <johannes.berg@intel.com>
Tue, 11 Mar 2025 09:53:10 +0000 (10:53 +0100)
Spotted during code review, the selectors need to be large
enough for a 128-bit bitmap, not a single unsigned long,
otherwise we have stack corruption.

We should also allow passing selectors from userspace, but
that should be a separate change.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250308225541.8f1bcf96a504.Ibeb8970c82a30c97279a4cc4e68faca5df1813a5@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/mlme.c

index 426c0246fe1fed9e6b4eb47f66552cc724101f70..85ae6619767416d1b465c59822bce93e208c926e 100644 (file)
@@ -9914,8 +9914,6 @@ EXPORT_SYMBOL(ieee80211_disable_rssi_reports);
 
 static void ieee80211_ml_reconf_selectors(unsigned long *userspace_selectors)
 {
-       *userspace_selectors = 0;
-
        /* these selectors are mandatory for ML reconfiguration */
        set_bit(BSS_MEMBERSHIP_SELECTOR_SAE_H2E, userspace_selectors);
        set_bit(BSS_MEMBERSHIP_SELECTOR_HE_PHY, userspace_selectors);
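Review bot: With the `*userspace_selectors = 0;` store removed, ieee80211_ml_reconf_selectors no longer clears the bitmap and now depends on every caller having zero-initialized an array wide enough for the selector bits it sets, but nothing at the definition records that contract. A comment above the function would pin it down, e.g. `/* @userspace_selectors: caller-provided bitmap of at least 128 bits; must be zeroed by the caller, only the mandatory selectors are set here. */`, so a future caller declaring a bare `unsigned long` or an uninitialized array is caught in review rather than at runtime. The body of ieee80211_ml_reconf_selectors continues past the end of this hunk.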
@@ -9935,7 +9933,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
                                sdata->u.mgd.reconf.removed_links;
        u16 link_mask, valid_links;
        unsigned int link_id;
-       unsigned long userspace_selectors;
+       unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};
        size_t orig_len = len;
        u8 i, group_key_data_len;
        u8 *pos;
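Review bot: The bitmap width appears as the bare literal 128 in the `userspace_selectors` declaration here and again in the `ieee80211_mgd_assoc_ml_reconf` hunk, and nothing ties that number to what ieee80211_prep_channel (outside these hunks) may index into. Declaring it as `DECLARE_BITMAP(userspace_selectors, 128) = {};` states the bitmap intent directly, and a single named constant for the width shared by both declarations and the callee would keep the three in step if the selector range ever changes. The `= {}` initializer is load-bearing now that ieee80211_ml_reconf_selectors no longer clears the array, so a short comment such as `/* zeroed: ieee80211_ml_reconf_selectors() only sets bits */` next to each declaration would prevent it being dropped as redundant.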
@@ -10043,7 +10041,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
        }
 
        ieee80211_vif_set_links(sdata, valid_links, sdata->vif.dormant_links);
-       ieee80211_ml_reconf_selectors(&userspace_selectors);
+       ieee80211_ml_reconf_selectors(userspace_selectors);
        link_mask = 0;
        for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
                struct cfg80211_bss *cbss = add_links_data->link[link_id].bss;
@@ -10089,7 +10087,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
                link->u.mgd.conn = add_links_data->link[link_id].conn;
                if (ieee80211_prep_channel(sdata, link, link_id, cbss,
                                           true, &link->u.mgd.conn,
-                                          &userspace_selectors)) {
+                                          userspace_selectors)) {
                        link_info(link, "mlo: reconf: prep_channel failed\n");
                        goto disconnect;
                }
@@ -10427,14 +10425,14 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
         */
        if (added_links) {
                bool uapsd_supported;
-               unsigned long userspace_selectors;
+               unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};
 
                data = kzalloc(sizeof(*data), GFP_KERNEL);
                if (!data)
                        return -ENOMEM;
 
                uapsd_supported = true;
-               ieee80211_ml_reconf_selectors(&userspace_selectors);
+               ieee80211_ml_reconf_selectors(userspace_selectors);
                for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
                     link_id++) {
                        struct ieee80211_supported_band *sband;
@@ -10510,7 +10508,7 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
                                                     data->link[link_id].bss,
                                                     true,
                                                     &data->link[link_id].conn,
-                                                    &userspace_selectors);
+                                                    userspace_selectors);
                        if (err)
                                goto err_free;
                }