Merge tag 'wireless-2025-05-06' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Johannes Berg says:

====================
Couple of fixes:
* iwlwifi: add two missing device entries
* cfg80211: fix a potential out-of-bounds access
* mac80211: fix format of TID to link mapping action frames

* tag 'wireless-2025-05-06' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
wifi: iwlwifi: add support for Killer on MTL
wifi: mac80211: fix the type of status_code for negotiated TID to Link Mapping
wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation
====================

Link: https://patch.msgid.link/20250506203506.158818-3-johannes@sipsolutions.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski 11 months ago 9540984d 2e6259d8

+10 -8

4 changed files

expand all

drivers

net

wireless

intel

iwlwifi

pcie

drv.c

include

linux

ieee80211.h

net

mac80211

mlme.c

wireless

scan.c

drivers/net/wireless/intel/iwlwifi/pcie/drv.c

··· 588 588 IWL_DEV_INFO(0x7A70, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), 589 589 IWL_DEV_INFO(0x7AF0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), 590 590 IWL_DEV_INFO(0x7AF0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), 591 + IWL_DEV_INFO(0x7F70, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), 592 + IWL_DEV_INFO(0x7F70, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), 591 593 592 594 IWL_DEV_INFO(0x271C, 0x0214, iwl9260_2ac_cfg, iwl9260_1_name), 593 595 IWL_DEV_INFO(0x7E40, 0x1691, iwl_cfg_ma, iwl_ax411_killer_1690s_name),

+1 -1

include/linux/ieee80211.h

··· 1526 1526 struct { 1527 1527 u8 action_code; 1528 1528 u8 dialog_token; 1529 - u8 status_code; 1529 + __le16 status_code; 1530 1530 u8 variable[]; 1531 1531 } __packed ttlm_res; 1532 1532 struct {

+6 -6

net/mac80211/mlme.c

··· 7675 7675 int hdr_len = offsetofend(struct ieee80211_mgmt, u.action.u.ttlm_res); 7676 7676 int ttlm_max_len = 2 + 1 + sizeof(struct ieee80211_ttlm_elem) + 1 + 7677 7677 2 * 2 * IEEE80211_TTLM_NUM_TIDS; 7678 + u16 status_code; 7678 7679 7679 7680 skb = dev_alloc_skb(local->tx_headroom + hdr_len + ttlm_max_len); 7680 7681 if (!skb) ··· 7698 7697 WARN_ON(1); 7699 7698 fallthrough; 7700 7699 case NEG_TTLM_RES_REJECT: 7701 - mgmt->u.action.u.ttlm_res.status_code = 7702 - WLAN_STATUS_DENIED_TID_TO_LINK_MAPPING; 7700 + status_code = WLAN_STATUS_DENIED_TID_TO_LINK_MAPPING; 7703 7701 break; 7704 7702 case NEG_TTLM_RES_ACCEPT: 7705 - mgmt->u.action.u.ttlm_res.status_code = WLAN_STATUS_SUCCESS; 7703 + status_code = WLAN_STATUS_SUCCESS; 7706 7704 break; 7707 7705 case NEG_TTLM_RES_SUGGEST_PREFERRED: 7708 - mgmt->u.action.u.ttlm_res.status_code = 7709 - WLAN_STATUS_PREF_TID_TO_LINK_MAPPING_SUGGESTED; 7706 + status_code = WLAN_STATUS_PREF_TID_TO_LINK_MAPPING_SUGGESTED; 7710 7707 ieee80211_neg_ttlm_add_suggested_map(skb, neg_ttlm); 7711 7708 break; 7712 7709 } 7713 7710 7711 + mgmt->u.action.u.ttlm_res.status_code = cpu_to_le16(status_code); 7714 7712 ieee80211_tx_skb(sdata, skb); 7715 7713 } 7716 7714 ··· 7875 7875 * This can be better implemented in the future, to handle request 7876 7876 * rejections. 7877 7877 */ 7878 - if (mgmt->u.action.u.ttlm_res.status_code != WLAN_STATUS_SUCCESS) 7878 + if (le16_to_cpu(mgmt->u.action.u.ttlm_res.status_code) != WLAN_STATUS_SUCCESS) 7879 7879 __ieee80211_disconnect(sdata); 7880 7880 } 7881 7881

+1 -1

net/wireless/scan.c

··· 2681 2681 /* Required length for first defragmentation */ 2682 2682 buf_len = mle->datalen - 1; 2683 2683 for_each_element(elem, mle->data + mle->datalen, 2684 - ielen - sizeof(*mle) + mle->datalen) { 2684 + ie + ielen - mle->data - mle->datalen) { 2685 2685 if (elem->id != WLAN_EID_FRAGMENT) 2686 2686 break; 2687 2687