From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 01/21] linux: Update to 5.15.85 Date: Thu, 29 Dec 2022 11:16:21 +0000 Message-ID: <8BCE9B6D-2187-4D10-8371-8CC4D99CC1DB@ipfire.org> In-Reply-To: <9c74dfa2-78c9-05a5-6623-410c86622d65@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6448368034313996429==" List-Id: --===============6448368034313996429== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, > On 29 Dec 2022, at 11:14, Peter M=C3=BCller wr= ote: >=20 > Hello Michael, >=20 >> Hello, >>=20 >>> On 26 Dec 2022, at 20:24, Peter M=C3=BCller = wrote: >>>=20 
>>> Signed-off-by: Peter M=C3=BCller >>> --- >>> config/kernel/kernel.config.x86_64-ipfire | 5 +- >>> config/rootfiles/common/x86_64/linux | 16 +- >>> lfs/linux | 9 +- >>> .../linux-5.15-wifi-security-patches-1.patch | 50 - >>> .../linux-5.15-wifi-security-patches-10.patch | 98 -- >>> .../linux-5.15-wifi-security-patches-11.patch | 96 -- >>> .../linux-5.15-wifi-security-patches-12.patch | 1179 ----------------- >>> .../linux-5.15-wifi-security-patches-13.patch | 130 -- >>> .../linux-5.15-wifi-security-patches-14.patch | 107 -- >>> .../linux-5.15-wifi-security-patches-2.patch | 59 - >>> .../linux-5.15-wifi-security-patches-3.patch | 49 - >>> .../linux-5.15-wifi-security-patches-4.patch | 96 -- >>> .../linux-5.15-wifi-security-patches-5.patch | 56 - >>> .../linux-5.15-wifi-security-patches-6.patch | 39 - >>> .../linux-5.15-wifi-security-patches-7.patch | 60 - >>> .../linux-5.15-wifi-security-patches-8.patch | 94 -- >>> .../linux-5.15-wifi-security-patches-9.patch | 126 -- >>> 17 files changed, 10 insertions(+), 2259 deletions(-) >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.p= atch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.= patch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.= patch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.= patch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.= patch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.= patch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.p= atch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.p= atch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.p= atch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.p= atch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.p= atch >>> delete mode 100644 
src/patches/linux/linux-5.15-wifi-security-patches-7.p= atch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.p= atch >>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.p= atch >>>=20 >>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/ke= rnel.config.x86_64-ipfire >>> index bb4655a99..b160322cf 100644 >>> --- a/config/kernel/kernel.config.x86_64-ipfire >>> +++ b/config/kernel/kernel.config.x86_64-ipfire >>> @@ -1,6 +1,6 @@ >>> # >>> # Automatically generated file; DO NOT EDIT. >>> -# Linux/x86 5.15.68-ipfire Kernel Configuration >>> +# Linux/x86 5.15.85-ipfire Kernel Configuration >>> # >>> CONFIG_CC_VERSION_TEXT=3D"gcc (GCC) 11.3.0" >>> CONFIG_CC_IS_GCC=3Dy >>> @@ -1036,6 +1036,7 @@ CONFIG_INET_ESP=3Dm >>> CONFIG_INET_ESP_OFFLOAD=3Dm >>> # CONFIG_INET_ESPINTCP is not set >>> CONFIG_INET_IPCOMP=3Dm >>> +CONFIG_INET_TABLE_PERTURB_ORDER=3D16 >>=20 >> Why didn=E2=80=99t this change in the other architecture=E2=80=99s configu= ration files? >>=20 >> This hardly looks like a architecture-dependent configuration option to me. >=20 > ah, this is because I only intended to update the ARM configuration files i= n one > go in this patchset (#21/21). If it's okay to you, I would like to merge th= is patch > for Core Update 173 nevertheless, and conduct the necessary config/rootfile= updates > for ARM manually. I don=E2=80=99t think it is generally a good idea to just update x86_64 and t= hen update the rest accordingly. We will always miss out on some things. -Michael >=20 > Thanks, and best regards, > Peter M=C3=BCller >=20 >>=20 >>> CONFIG_INET_XFRM_TUNNEL=3Dm >>> CONFIG_INET_TUNNEL=3Dm >>> CONFIG_INET_DIAG=3Dm >>> @@ -7393,6 +7394,8 @@ CONFIG_SYMBOLIC_ERRNAME=3Dy >>> CONFIG_DEBUG_BUGVERBOSE=3Dy >>> # end of printk and dmesg options >>>=20 >>> +CONFIG_AS_HAS_NON_CONST_LEB128=3Dy >>=20 >> This looks more arch-dependent. >>=20 >>> + >>> # >>> # Compile-time checks and compiler options >>> # 
>>> diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/comm= on/x86_64/linux >>> index 518230b39..d71fa4142 100644 >>> --- a/config/rootfiles/common/x86_64/linux >>> +++ b/config/rootfiles/common/x86_64/linux >>> @@ -6525,6 +6525,7 @@ etc/modprobe.d/ipv6.conf >>> #lib/modules/KVER-ipfire/build/include/config/ASYNC_TX_DMA >>> #lib/modules/KVER-ipfire/build/include/config/ASYNC_XOR >>> #lib/modules/KVER-ipfire/build/include/config/AS_AVX512 >>> +#lib/modules/KVER-ipfire/build/include/config/AS_HAS_NON_CONST_LEB128 >>> #lib/modules/KVER-ipfire/build/include/config/AS_IS_GNU >>> #lib/modules/KVER-ipfire/build/include/config/AS_SHA1_NI >>> #lib/modules/KVER-ipfire/build/include/config/AS_SHA256_NI >>> @@ -6668,8 +6669,6 @@ etc/modprobe.d/ipv6.conf >>> #lib/modules/KVER-ipfire/build/include/config/BITREVERSE >>> #lib/modules/KVER-ipfire/build/include/config/BLK_CGROUP >>> #lib/modules/KVER-ipfire/build/include/config/BLK_CGROUP_RWSTAT >>> -#lib/modules/KVER-ipfire/build/include/config/BLK_DEBUG_FS >>> -#lib/modules/KVER-ipfire/build/include/config/BLK_DEBUG_FS_ZONED >>> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV >>> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_3W_XXXX_RAID >>> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_BSG >>> @@ -7089,8 +7088,6 @@ etc/modprobe.d/ipv6.conf >>> #lib/modules/KVER-ipfire/build/include/config/DE2104X_DSL >>> #lib/modules/KVER-ipfire/build/include/config/DE4X5 >>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_BUGVERBOSE >>> -#lib/modules/KVER-ipfire/build/include/config/DEBUG_FS >>> -#lib/modules/KVER-ipfire/build/include/config/DEBUG_FS_ALLOW_ALL >>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL >>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC >>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX 
>>> @@ -7422,7 +7419,6 @@ etc/modprobe.d/ipv6.conf >>> #lib/modules/KVER-ipfire/build/include/config/DW_XDATA_PCIE >>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG >>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG_CORE >>> -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_EVENTS >>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE >>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_ARGS >>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_DIRECT_= CALLS >>> @@ -8024,6 +8020,7 @@ etc/modprobe.d/ipv6.conf >>> #lib/modules/KVER-ipfire/build/include/config/INET_IPCOMP >>> #lib/modules/KVER-ipfire/build/include/config/INET_RAW_DIAG >>> #lib/modules/KVER-ipfire/build/include/config/INET_SCTP_DIAG >>> +#lib/modules/KVER-ipfire/build/include/config/INET_TABLE_PERTURB_ORDER >>> #lib/modules/KVER-ipfire/build/include/config/INET_TCP_DIAG >>> #lib/modules/KVER-ipfire/build/include/config/INET_TUNNEL >>> #lib/modules/KVER-ipfire/build/include/config/INET_UDP_DIAG >>> @@ -8424,7 +8421,6 @@ etc/modprobe.d/ipv6.conf >>> #lib/modules/KVER-ipfire/build/include/config/LOCKUP_DETECTOR >>> #lib/modules/KVER-ipfire/build/include/config/LOCK_DEBUGGING_SUPPORT >>> #lib/modules/KVER-ipfire/build/include/config/LOCK_DOWN_KERNEL_FORCE_NONE >>> -#lib/modules/KVER-ipfire/build/include/config/LOCK_EVENT_COUNTS >>> #lib/modules/KVER-ipfire/build/include/config/LOCK_SPIN_ON_OWNER >>> #lib/modules/KVER-ipfire/build/include/config/LOGO >>> #lib/modules/KVER-ipfire/build/include/config/LOGO_LINUX_CLUT224 
>>> @@ -9490,7 +9486,6 @@ etc/modprobe.d/ipv6.conf >>> #lib/modules/KVER-ipfire/build/include/config/PRINTER >>> #lib/modules/KVER-ipfire/build/include/config/PRINTK >>> #lib/modules/KVER-ipfire/build/include/config/PRINTK_SAFE_LOG_BUF_SHIFT >>> -#lib/modules/KVER-ipfire/build/include/config/PROBE_EVENTS >>> #lib/modules/KVER-ipfire/build/include/config/PROC_EVENTS >>> #lib/modules/KVER-ipfire/build/include/config/PROC_FS >>> #lib/modules/KVER-ipfire/build/include/config/PROC_PAGE_MONITOR >>> @@ -9848,7 +9843,6 @@ etc/modprobe.d/ipv6.conf >>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SCAN_ASYNC >>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SMARTPQI >>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SNIC >>> -#lib/modules/KVER-ipfire/build/include/config/SCSI_SNIC_DEBUG_FS >>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SPI_ATTRS >>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SRP_ATTRS >>> #lib/modules/KVER-ipfire/build/include/config/SCSI_STEX >>> @@ -10385,7 +10379,6 @@ etc/modprobe.d/ipv6.conf >>> #lib/modules/KVER-ipfire/build/include/config/SWIOTLB >>> #lib/modules/KVER-ipfire/build/include/config/SWIOTLB_XEN >>> #lib/modules/KVER-ipfire/build/include/config/SWPHY >>> -#lib/modules/KVER-ipfire/build/include/config/SW_SYNC >>> #lib/modules/KVER-ipfire/build/include/config/SXGBE_ETH >>> #lib/modules/KVER-ipfire/build/include/config/SYMBOLIC_ERRNAME >>> #lib/modules/KVER-ipfire/build/include/config/SYNCLINK_GT 
>>> @@ -10533,8 +10526,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/UNIX_DIAG
>>> #lib/modules/KVER-ipfire/build/include/config/UNIX_SCM
>>> #lib/modules/KVER-ipfire/build/include/config/UNWINDER_ORC
>>> -#lib/modules/KVER-ipfire/build/include/config/UPROBES
>>> -#lib/modules/KVER-ipfire/build/include/config/UPROBE_EVENTS
>>> #lib/modules/KVER-ipfire/build/include/config/USB
>>> #lib/modules/KVER-ipfire/build/include/config/USBIP_CORE
>>> #lib/modules/KVER-ipfire/build/include/config/USBIP_HOST
>>> @@ -11105,7 +11096,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_BLKDEV_BACKEND
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_BLKDEV_FRONTEND
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_COMPAT_XENFS
>>> -#lib/modules/KVER-ipfire/build/include/config/XEN_DEBUG_FS
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_DEV_EVTCHN
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_DOM0
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_EFI
>>> @@ -16866,6 +16856,8 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/init
>>> #lib/modules/KVER-ipfire/build/init/Kconfig
>>> #lib/modules/KVER-ipfire/build/init/Makefile
>>> +#lib/modules/KVER-ipfire/build/io_uring
>>> +#lib/modules/KVER-ipfire/build/io_uring/Makefile
>>> #lib/modules/KVER-ipfire/build/ipc
>>> #lib/modules/KVER-ipfire/build/ipc/Makefile
>>> #lib/modules/KVER-ipfire/build/kernel
>>> diff --git a/lfs/linux b/lfs/linux
>>> index b628307fd..59238049c 100644
>>> --- a/lfs/linux
>>> +++ b/lfs/linux
>>> @@ -24,7 +24,7 @@
>>>=20
>>> include Config
>>>=20
>>> -VER =3D 5.15.71
>>> +VER =3D 5.15.85
>>> ARM_PATCHES =3D 5.15-ipfire5
>>>=20
>>> THISAPP =3D linux-$(VER)
>>> @@ -78,7 +78,7 @@ objects =3D$(DL_FILE) \
>>> $(DL_FILE) =3D $(URL_IPFIRE)/$(DL_FILE)
>>> arm-multi-patches-$(ARM_PATCHES).patch.xz =3D $(URL_IPFIRE)/arm-multi-pat= ches-$(ARM_PATCHES).patch.xz
>>>=20
>>> -$(DL_FILE)_BLAKE2 =3D 77da2393a31b6c6fed7cdfef61a112ae49fcdfce96968daf8c= 7a690a6e65025c7238c1fe084d0bfda403dc56db877b6db99def12803e840cacf318da40327d7b
>>> +$(DL_FILE)_BLAKE2 =3D 481cea334dee4146d72704ecb88f654bd38ca62a5a28540f36= 5a57f5cd522551c4b7f854c09380ec614098a9efa5dff4cef70c9cafe6277a410d3d2099eca1cc
>>> arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 =3D 58a70e757a9121a0aac8= 3604a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165= c6a86e0371a3e896f4c7cdd699c34a0
>>>=20
>>> install : $(TARGET)
>>> @@ -146,11 +146,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>> # https://bugzilla.ipfire.org/show_bug.cgi?id=3D12889
>>> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount= -with-noexec-and-nosuid.patch
>>>=20
>>> - # https://lists.ipfire.org/pipermail/development/2022-October/014562.ht= ml
>>> - for i in $$(seq 1 14); do \
>>> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-w= ifi-security-patches-$$i.patch || exit 1; \
>>> - done
>>> -
>>> ifeq "$(BUILD_ARCH)" "armv6l"
>>> # Apply Arm-multiarch kernel patches.
>>> cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.x= z | patch -Np1
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-1.patch b= /src/patches/linux/linux-5.15-wifi-security-patches-1.patch
>>> deleted file mode 100644
>>> index b646eea49..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-1.patch
>>> +++ /dev/null
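Review bot: The `@@ -146,11 +146,6 @@` hunk of lfs/linux removes the loop that applied wifi-security patches 1 to 14, yet the commit message consists only of the title and a Signed-off-by and never states that all fourteen fixes are contained in 5.15.85. The first deleted patch says `This fixes CVE-2022-41674` (a memcpy() overflow of the allocated buffer in net/wireless/scan.c), so a missed backport would silently reopen it. Deleted patches 1, 10 and 11 name their origin in a `commit … upstream.` line, while the quoted header of patch 12 shows none, so each of the fourteen presumably has to be matched against the 5.15.85 tree individually, for example by checking that `patch -Np1 -R --dry-run` applies cleanly. I would add to the commit message a line such as `The wifi security backports applied since October 2022 are included in 5.15.85 and are dropped.` once that is confirmed. The enclosing `$(TARGET)` rule starts and ends outside the hunk.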
>>> @@ -1,50 +0,0 @@
>>> -From 9a8ef2030510a9d6ce86fd535b8d10720230811f Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Wed, 28 Sep 2022 21:56:15 +0200
>>> -Subject: [PATCH] wifi: cfg80211: fix u8 overflow in
>>> - cfg80211_update_notlisted_nontrans()
>>> -
>>> -commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
>>> -
>>> -In the copy code of the elements, we do the following calculation
>>> -to reach the end of the MBSSID element:
>>> -
>>> - /* copy the IEs after MBSSID */
>>> - cpy_len =3D mbssid[1] + 2;
>>> -
>>> -This looks fine, however, cpy_len is a u8, the same as mbssid[1],
>>> -so the addition of two can overflow. In this case the subsequent
>>> -memcpy() will overflow the allocated buffer, since it copies 256
>>> -bytes too much due to the way the allocation and memcpy() sizes
>>> -are calculated.
>>> -
>>> -Fix this by using size_t for the cpy_len variable.
>>> -
>>> -This fixes CVE-2022-41674.
>>> -
>>> -Reported-by: Soenke Huster
>>> -Tested-by: Soenke Huster
>>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in= scanning")
>>> -Reviewed-by: Kees Cook
>>> -Signed-off-by: Johannes Berg
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ----
>>> - net/wireless/scan.c | 2 +-
>>> - 1 file changed, 1 insertion(+), 1 deletion(-)
>>> -
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index 1a8b76c9dd56..d9ab37a798f4 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *w= iphy,
>>> - size_t new_ie_len;
>>> - struct cfg80211_bss_ies *new_ies;
>>> - const struct cfg80211_bss_ies *old;
>>> -- u8 cpy_len;
>>> -+ size_t cpy_len;
>>> -=20
>>> - lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
>>> -=20
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-10.patch = b/src/patches/linux/linux-5.15-wifi-security-patches-10.patch
>>> deleted file mode 100644
>>> index 51986afe7..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-10.patch
>>> +++ /dev/null
>>> @@ -1,98 +0,0 @@ >>> -From 21df3a583e8e03d8f74fa2eedbcd7a2b3f5cabc1 Mon Sep 17 00:00:00 2001 >>> -From: Johannes Berg >>> -Date: Thu, 13 Oct 2022 20:15:57 +0200 >>> -Subject: [PATCH] mac80211: move CRC into struct ieee802_11_elems >>> - >>> -commit c6e37ed498f958254b5459253199e816b6bfc52f upstream. >>> - >>> -We're currently returning this value, but to prepare for >>> -returning the allocated structure, move it into there. >>> - >>> -Link: https://lore.kernel.org/r/20210920154009.479b8ebf999d.If0d4ba75ee3= 8998dc3eeae25058aa748efcb2fc9(a)changeid >>> -Signed-off-by: Johannes Berg >>> -Cc: Felix Fietkau >>> -Signed-off-by: Greg Kroah-Hartman >>> ---- >>> - net/mac80211/ieee80211_i.h | 9 +++++---- >>> - net/mac80211/mlme.c | 9 +++++---- >>> - net/mac80211/util.c | 10 +++++----- >>> - 3 files changed, 15 insertions(+), 13 deletions(-) >>> - >>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h >>> -index 4bd55af184b2..5ea38ae65809 100644 >>> ---- a/net/mac80211/ieee80211_i.h >>> -+++ b/net/mac80211/ieee80211_i.h >>> -@@ -1532,6 +1532,7 @@ struct ieee80211_csa_ie { >>> - struct ieee802_11_elems { >>> - const u8 *ie_start; >>> - size_t total_len; >>> -+ u32 crc; >>> -=20 >>> - /* pointers to IEs */ >>> - const struct ieee80211_tdls_lnkie *lnk_id; >>> -@@ -2218,10 +2219,10 @@ static inline void ieee80211_tx_skb(struct ieee8= 0211_sub_if_data *sdata, >>> - ieee80211_tx_skb_tid(sdata, skb, 7); >>> - } >>> -=20 >>> --u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, >>> -- struct ieee802_11_elems *elems, >>> -- u64 filter, u32 crc, u8 *transmitter_bssid, >>> -- u8 *bss_bssid); >>> -+void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool actio= n, >>> -+ struct ieee802_11_elems *elems, >>> -+ u64 filter, u32 crc, u8 *transmitter_bssid, >>> -+ u8 *bss_bssid); >>> - static inline void ieee802_11_parse_elems(const u8 *start, size_t len, >>> - bool action, >>> - struct ieee802_11_elems *elems, >>> -diff --git 
a/net/mac80211/mlme.c b/net/mac80211/mlme.c >>> -index 1548f532dc1a..4414e82e71d1 100644 >>> ---- a/net/mac80211/mlme.c >>> -+++ b/net/mac80211/mlme.c >>> -@@ -4102,10 +4102,11 @@ static void ieee80211_rx_mgmt_beacon(struct ieee= 80211_sub_if_data *sdata, >>> - */ >>> - if (!ieee80211_is_s1g_beacon(hdr->frame_control)) >>> - ncrc =3D crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4); >>> -- ncrc =3D ieee802_11_parse_elems_crc(variable, >>> -- len - baselen, false, &elems, >>> -- care_about_ies, ncrc, >>> -- mgmt->bssid, bssid); >>> -+ ieee802_11_parse_elems_crc(variable, >>> -+ len - baselen, false, &elems, >>> -+ care_about_ies, ncrc, >>> -+ mgmt->bssid, bssid); >>> -+ ncrc =3D elems.crc; >>> -=20 >>> - if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) && >>> - ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) { >>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c >>> -index 00543ea9c6b5..ceb6894381e4 100644 >>> ---- a/net/mac80211/util.c >>> -+++ b/net/mac80211/util.c >>> -@@ -1468,10 +1468,10 @@ static size_t ieee802_11_find_bssid_profile(cons= t u8 *start, size_t len, >>> - return found ? profile_len : 0; >>> - } >>> -=20 >>> --u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, >>> -- struct ieee802_11_elems *elems, >>> -- u64 filter, u32 crc, u8 *transmitter_bssid, >>> -- u8 *bss_bssid) >>> -+void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool actio= n, >>> -+ struct ieee802_11_elems *elems, >>> -+ u64 filter, u32 crc, u8 *transmitter_bssid, >>> -+ u8 *bss_bssid) >>> - { >>> - const struct element *non_inherit =3D NULL; >>> - u8 *nontransmitted_profile; >>> -@@ -1523,7 +1523,7 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, si= ze_t len, bool action, >>> -=20 >>> - kfree(nontransmitted_profile); >>> -=20 >>> -- return crc; >>> -+ elems->crc =3D crc; >>> - } >>> -=20 >>> - void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data= *sdata, >>> ---=20 >>> -2.30.2 >>> - 
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-11.patch = b/src/patches/linux/linux-5.15-wifi-security-patches-11.patch
>>> deleted file mode 100644
>>> index ae639c696..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-11.patch
>>> +++ /dev/null
>>> @@ -1,96 +0,0 @@ >>> -From 630060f1175676b9cb3a032767f20dbce93616c9 Mon Sep 17 00:00:00 2001 >>> -From: Johannes Berg >>> -Date: Thu, 13 Oct 2022 20:15:58 +0200 >>> -Subject: [PATCH] mac80211: mlme: find auth challenge directly >>> - >>> -commit 49a765d6785e99157ff5091cc37485732496864e upstream. >>> - >>> -There's no need to parse all elements etc. just to find the >>> -authentication challenge - use cfg80211_find_elem() instead. >>> -This also allows us to remove WLAN_EID_CHALLENGE handling >>> -from the element parsing entirely. >>> - >>> -Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad0= 3a007d6154cbf1fb3a8c48489e86f(a)changeid >>> -Signed-off-by: Johannes Berg >>> -Cc: Felix Fietkau >>> -Signed-off-by: Greg Kroah-Hartman >>> ---- >>> - net/mac80211/ieee80211_i.h | 2 -- >>> - net/mac80211/mlme.c | 11 ++++++----- >>> - net/mac80211/util.c | 4 ---- >>> - 3 files changed, 6 insertions(+), 11 deletions(-) >>> - >>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h >>> -index 5ea38ae65809..c5f0ff805010 100644 >>> ---- a/net/mac80211/ieee80211_i.h >>> -+++ b/net/mac80211/ieee80211_i.h >>> -@@ -1542,7 +1542,6 @@ struct ieee802_11_elems { >>> - const u8 *supp_rates; >>> - const u8 *ds_params; >>> - const struct ieee80211_tim_ie *tim; >>> -- const u8 *challenge; >>> - const u8 *rsn; >>> - const u8 *rsnx; >>> - const u8 *erp_info; >>> -@@ -1596,7 +1595,6 @@ struct ieee802_11_elems { >>> - u8 ssid_len; >>> - u8 supp_rates_len; >>> - u8 tim_len; >>> -- u8 challenge_len; >>> - u8 rsn_len; >>> - u8 rsnx_len; >>> - u8 ext_supp_rates_len; >>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c >>> -index 4414e82e71d1..548cd14c5503 100644 >>> ---- a/net/mac80211/mlme.c >>> -+++ b/net/mac80211/mlme.c >>> -@@ -2889,17 +2889,17 @@ static void ieee80211_auth_challenge(struct ieee= 80211_sub_if_data *sdata, >>> - { >>> - struct ieee80211_local *local =3D sdata->local; >>> - struct ieee80211_mgd_auth_data *auth_data =3D 
sdata->u.mgd.auth_data; >>> -+ const struct element *challenge; >>> - u8 *pos; >>> -- struct ieee802_11_elems elems; >>> - u32 tx_flags =3D 0; >>> - struct ieee80211_prep_tx_info info =3D { >>> - .subtype =3D IEEE80211_STYPE_AUTH, >>> - }; >>> -=20 >>> - pos =3D mgmt->u.auth.variable; >>> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, >>> -- mgmt->bssid, auth_data->bss->bssid); >>> -- if (!elems.challenge) >>> -+ challenge =3D cfg80211_find_elem(WLAN_EID_CHALLENGE, pos, >>> -+ len - (pos - (u8 *)mgmt)); >>> -+ if (!challenge) >>> - return; >>> - auth_data->expected_transaction =3D 4; >>> - drv_mgd_prepare_tx(sdata->local, sdata, &info); >>> -@@ -2907,7 +2907,8 @@ static void ieee80211_auth_challenge(struct ieee80= 211_sub_if_data *sdata, >>> - tx_flags =3D IEEE80211_TX_CTL_REQ_TX_STATUS | >>> - IEEE80211_TX_INTFL_MLME_CONN_TX; >>> - ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0, >>> -- elems.challenge - 2, elems.challenge_len + 2, >>> -+ (void *)challenge, >>> -+ challenge->datalen + sizeof(*challenge), >>> - auth_data->bss->bssid, auth_data->bss->bssid, >>> - auth_data->key, auth_data->key_len, >>> - auth_data->key_idx, tx_flags); >>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c >>> -index ceb6894381e4..664c32b6db19 100644 >>> ---- a/net/mac80211/util.c >>> -+++ b/net/mac80211/util.c >>> -@@ -1117,10 +1117,6 @@ _ieee802_11_parse_elems_crc(const u8 *start, size= _t len, bool action, >>> - } else >>> - elem_parse_failed =3D true; >>> - break; >>> -- case WLAN_EID_CHALLENGE: >>> -- elems->challenge =3D pos; >>> -- elems->challenge_len =3D elen; >>> -- break; >>> - case WLAN_EID_VENDOR_SPECIFIC: >>> - if (elen >=3D 4 && pos[0] =3D=3D 0x00 && pos[1] =3D=3D 0x50 && >>> - pos[2] =3D=3D 0xf2) { >>> ---=20 >>> -2.30.2 >>> - >>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-12.patch = b/src/patches/linux/linux-5.15-wifi-security-patches-12.patch >>> deleted file mode 100644 >>> index 4dea89e4c..000000000 
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-12.patch >>> +++ /dev/null 
>>> @@ -1,1179 +0,0 @@ >>> -From fee48f3bdd7516bb63da507213916227cf147211 Mon Sep 17 00:00:00 2001 >>> -From: Johannes Berg >>> -Date: Thu, 13 Oct 2022 20:15:59 +0200 >>> -Subject: [PATCH] mac80211: always allocate struct ieee802_11_elems >>> - >>> -As the 802.11 spec evolves, we need to parse more and more >>> -elements. This is causing the struct to grow, and we can no >>> -longer get away with putting it on the stack. >>> - >>> -Change the API to always dynamically allocate and return an >>> -allocated pointer that must be kfree()d later. >>> - >>> -As an alternative, I contemplated a scheme whereby we'd say >>> -in the code which elements we needed, e.g. >>> - >>> - DECLARE_ELEMENT_PARSER(elems, >>> - SUPPORTED_CHANNELS, >>> - CHANNEL_SWITCH, >>> - EXT(KEY_DELIVERY)); >>> - >>> - ieee802_11_parse_elems(..., &elems, ...); >>> - >>> -and while I think this is possible and will save us a lot >>> -since most individual places only care about a small subset >>> -of the elements, it ended up being a bit more work since a >>> -lot of places do the parsing and then pass the struct to >>> -other functions, sometimes with multiple levels. 
>>> - >>> -Link: https://lore.kernel.org/r/20210920154009.26caff6b5998.I05ae58768e9= 90e611aee8eca8abefd9d7bc15e05(a)changeid >>> -Signed-off-by: Johannes Berg >>> -Cc: Felix Fietkau >>> -Signed-off-by: Greg Kroah-Hartman >>> ---- >>> - net/mac80211/agg-rx.c | 11 +-- >>> - net/mac80211/ibss.c | 25 +++--- >>> - net/mac80211/ieee80211_i.h | 22 ++--- >>> - net/mac80211/mesh.c | 85 ++++++++++-------- >>> - net/mac80211/mesh_hwmp.c | 44 +++++----- >>> - net/mac80211/mesh_plink.c | 11 +-- >>> - net/mac80211/mlme.c | 176 +++++++++++++++++++++---------------- >>> - net/mac80211/scan.c | 16 ++-- >>> - net/mac80211/tdls.c | 63 +++++++------ >>> - net/mac80211/util.c | 20 +++-- >>> - 10 files changed, 272 insertions(+), 201 deletions(-) >>> - >>> -diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c >>> -index e43176794149..ffa4f31f6c2b 100644 >>> ---- a/net/mac80211/agg-rx.c >>> -+++ b/net/mac80211/agg-rx.c >>> -@@ -478,7 +478,7 @@ void ieee80211_process_addba_request(struct ieee8021= 1_local *local, >>> - size_t len) >>> - { >>> - u16 capab, tid, timeout, ba_policy, buf_size, start_seq_num; >>> -- struct ieee802_11_elems elems =3D { }; >>> -+ struct ieee802_11_elems *elems =3D NULL; >>> - u8 dialog_token; >>> - int ies_len; >>> -=20 >>> -@@ -496,16 +496,17 @@ void ieee80211_process_addba_request(struct ieee80= 211_local *local, >>> - ies_len =3D len - offsetof(struct ieee80211_mgmt, >>> - u.action.u.addba_req.variable); >>> - if (ies_len) { >>> -- ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable, >>> -- ies_len, true, &elems, mgmt->bssid, NUL= L); >>> -- if (elems.parse_error) >>> -+ elems =3D ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable, >>> -+ ies_len, true, mgmt->bssid, NULL); >>> -+ if (!elems || elems->parse_error) >>> - return; >>> - } >>> -=20 >>> - __ieee80211_start_rx_ba_session(sta, dialog_token, timeout, >>> - start_seq_num, ba_policy, tid, >>> - buf_size, true, false, >>> -- elems.addba_ext_ie); >>> -+ elems ? 
elems->addba_ext_ie : NULL); >>> -+ kfree(elems); >>> - } >>> -=20 >>> - void ieee80211_manage_rx_ba_offl(struct ieee80211_vif *vif, >>> -diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c >>> -index 1e133ca58e78..4b721b48f86a 100644 >>> ---- a/net/mac80211/ibss.c >>> -+++ b/net/mac80211/ibss.c >>> -@@ -9,7 +9,7 @@ >>> - * Copyright 2009, Johannes Berg >>> - * Copyright 2013-2014 Intel Mobile Communications GmbH >>> - * Copyright(c) 2016 Intel Deutschland GmbH >>> -- * Copyright(c) 2018-2020 Intel Corporation >>> -+ * Copyright(c) 2018-2021 Intel Corporation >>> - */ >>> -=20 >>> - #include >>> -@@ -1593,7 +1593,7 @@ void ieee80211_rx_mgmt_probe_beacon(struct ieee802= 11_sub_if_data *sdata, >>> - struct ieee80211_rx_status *rx_status) >>> - { >>> - size_t baselen; >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> -=20 >>> - BUILD_BUG_ON(offsetof(typeof(mgmt->u.probe_resp), variable) !=3D >>> - offsetof(typeof(mgmt->u.beacon), variable)); >>> -@@ -1606,10 +1606,14 @@ void ieee80211_rx_mgmt_probe_beacon(struct ieee8= 0211_sub_if_data *sdata, >>> - if (baselen > len) >>> - return; >>> -=20 >>> -- ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen, >>> -- false, &elems, mgmt->bssid, NULL); >>> -+ elems =3D ieee802_11_parse_elems(mgmt->u.probe_resp.variable, >>> -+ len - baselen, false, >>> -+ mgmt->bssid, NULL); >>> -=20 >>> -- ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems); >>> -+ if (elems) { >>> -+ ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, elems); >>> -+ kfree(elems); >>> -+ } >>> - } >>> -=20 >>> - void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata, >>> -@@ -1618,7 +1622,7 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee8021= 1_sub_if_data *sdata, >>> - struct ieee80211_rx_status *rx_status; >>> - struct ieee80211_mgmt *mgmt; >>> - u16 fc; >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> - int ies_len; >>> -=20 >>> - rx_status =3D 
IEEE80211_SKB_RXCB(skb); >>> -@@ -1655,15 +1659,16 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80= 211_sub_if_data *sdata, >>> - if (ies_len < 0) >>> - break; >>> -=20 >>> -- ieee802_11_parse_elems( >>> -+ elems =3D ieee802_11_parse_elems( >>> - mgmt->u.action.u.chan_switch.variable, >>> -- ies_len, true, &elems, mgmt->bssid, NULL); >>> -+ ies_len, true, mgmt->bssid, NULL); >>> -=20 >>> -- if (elems.parse_error) >>> -+ if (!elems || elems->parse_error) >>> - break; >>> -=20 >>> - ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len, >>> -- rx_status, &elems); >>> -+ rx_status, elems); >>> -+ kfree(elems); >>> - break; >>> - } >>> - } >>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h >>> -index c5f0ff805010..3633e49239c7 100644 >>> ---- a/net/mac80211/ieee80211_i.h >>> -+++ b/net/mac80211/ieee80211_i.h >>> -@@ -2217,18 +2217,18 @@ static inline void ieee80211_tx_skb(struct ieee8= 0211_sub_if_data *sdata, >>> - ieee80211_tx_skb_tid(sdata, skb, 7); >>> - } >>> -=20 >>> --void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool actio= n, >>> -- struct ieee802_11_elems *elems, >>> -- u64 filter, u32 crc, u8 *transmitter_bssid, >>> -- u8 *bss_bssid); >>> --static inline void ieee802_11_parse_elems(const u8 *start, size_t len, >>> -- bool action, >>> -- struct ieee802_11_elems *elems, >>> -- u8 *transmitter_bssid, >>> -- u8 *bss_bssid) >>> -+struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, si= ze_t len, >>> -+ bool action, >>> -+ u64 filter, u32 crc, >>> -+ const u8 *transmitter_bssid, >>> -+ const u8 *bss_bssid); >>> -+static inline struct ieee802_11_elems * >>> -+ieee802_11_parse_elems(const u8 *start, size_t len, bool action, >>> -+ const u8 *transmitter_bssid, >>> -+ const u8 *bss_bssid) >>> - { >>> -- ieee802_11_parse_elems_crc(start, len, action, elems, 0, 0, >>> -- transmitter_bssid, bss_bssid); >>> -+ return ieee802_11_parse_elems_crc(start, len, action, 0, 0, >>> -+ transmitter_bssid, bss_bssid); >>> - } 
>>> -=20 >>> -=20 >>> -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c >>> -index 9f6414a68d71..6847fdf93439 100644 >>> ---- a/net/mac80211/mesh.c >>> -+++ b/net/mac80211/mesh.c >>> -@@ -1247,7 +1247,7 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_i= f_data *sdata, >>> - struct sk_buff *presp; >>> - struct beacon_data *bcn; >>> - struct ieee80211_mgmt *hdr; >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> - size_t baselen; >>> - u8 *pos; >>> -=20 >>> -@@ -1256,22 +1256,24 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub= _if_data *sdata, >>> - if (baselen > len) >>> - return; >>> -=20 >>> -- ieee802_11_parse_elems(pos, len - baselen, false, &elems, mgmt->bssid, >>> -- NULL); >>> -- >>> -- if (!elems.mesh_id) >>> -+ elems =3D ieee802_11_parse_elems(pos, len - baselen, false, mgmt->bssi= d, >>> -+ NULL); >>> -+ if (!elems) >>> - return; >>> -=20 >>> -+ if (!elems->mesh_id) >>> -+ goto free; >>> -+ >>> - /* 802.11-2012 10.1.4.3.2 */ >>> - if ((!ether_addr_equal(mgmt->da, sdata->vif.addr) && >>> - !is_broadcast_ether_addr(mgmt->da)) || >>> -- elems.ssid_len !=3D 0) >>> -- return; >>> -+ elems->ssid_len !=3D 0) >>> -+ goto free; >>> -=20 >>> -- if (elems.mesh_id_len !=3D 0 && >>> -- (elems.mesh_id_len !=3D ifmsh->mesh_id_len || >>> -- memcmp(elems.mesh_id, ifmsh->mesh_id, ifmsh->mesh_id_len))) >>> -- return; >>> -+ if (elems->mesh_id_len !=3D 0 && >>> -+ (elems->mesh_id_len !=3D ifmsh->mesh_id_len || >>> -+ memcmp(elems->mesh_id, ifmsh->mesh_id, ifmsh->mesh_id_len))) >>> -+ goto free; >>> -=20 >>> - rcu_read_lock(); >>> - bcn =3D rcu_dereference(ifmsh->beacon); >>> -@@ -1295,6 +1297,8 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_i= f_data *sdata, >>> - ieee80211_tx_skb(sdata, presp); >>> - out: >>> - rcu_read_unlock(); >>> -+free: >>> -+ kfree(elems); >>> - } >>> -=20 >>> - static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *s= data, >>> -@@ -1305,7 +1309,7 @@ static void 
ieee80211_mesh_rx_bcn_presp(struct iee= e80211_sub_if_data *sdata, >>> - { >>> - struct ieee80211_local *local =3D sdata->local; >>> - struct ieee80211_if_mesh *ifmsh =3D &sdata->u.mesh; >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> - struct ieee80211_channel *channel; >>> - size_t baselen; >>> - int freq; >>> -@@ -1320,42 +1324,47 @@ static void ieee80211_mesh_rx_bcn_presp(struct i= eee80211_sub_if_data *sdata, >>> - if (baselen > len) >>> - return; >>> -=20 >>> -- ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen, >>> -- false, &elems, mgmt->bssid, NULL); >>> -+ elems =3D ieee802_11_parse_elems(mgmt->u.probe_resp.variable, >>> -+ len - baselen, >>> -+ false, mgmt->bssid, NULL); >>> -+ if (!elems) >>> -+ return; >>> -=20 >>> - /* ignore non-mesh or secure / unsecure mismatch */ >>> -- if ((!elems.mesh_id || !elems.mesh_config) || >>> -- (elems.rsn && sdata->u.mesh.security =3D=3D IEEE80211_MESH_SEC_NONE= ) || >>> -- (!elems.rsn && sdata->u.mesh.security !=3D IEEE80211_MESH_SEC_NONE)) >>> -- return; >>> -+ if ((!elems->mesh_id || !elems->mesh_config) || >>> -+ (elems->rsn && sdata->u.mesh.security =3D=3D IEEE80211_MESH_SEC_NON= E) || >>> -+ (!elems->rsn && sdata->u.mesh.security !=3D IEEE80211_MESH_SEC_NONE= )) >>> -+ goto free; >>> -=20 >>> -- if (elems.ds_params) >>> -- freq =3D ieee80211_channel_to_frequency(elems.ds_params[0], band); >>> -+ if (elems->ds_params) >>> -+ freq =3D ieee80211_channel_to_frequency(elems->ds_params[0], band); >>> - else >>> - freq =3D rx_status->freq; >>> -=20 >>> - channel =3D ieee80211_get_channel(local->hw.wiphy, freq); >>> -=20 >>> - if (!channel || channel->flags & IEEE80211_CHAN_DISABLED) >>> -- return; >>> -+ goto free; >>> -=20 >>> -- if (mesh_matches_local(sdata, &elems)) { >>> -+ if (mesh_matches_local(sdata, elems)) { >>> - mpl_dbg(sdata, "rssi_threshold=3D%d,rx_status->signal=3D%d\n", >>> - sdata->u.mesh.mshcfg.rssi_threshold, rx_status->signal); >>> - if 
(!sdata->u.mesh.user_mpm || >>> - sdata->u.mesh.mshcfg.rssi_threshold =3D=3D 0 || >>> - sdata->u.mesh.mshcfg.rssi_threshold < rx_status->signal) >>> -- mesh_neighbour_update(sdata, mgmt->sa, &elems, >>> -+ mesh_neighbour_update(sdata, mgmt->sa, elems, >>> - rx_status); >>> -=20 >>> - if (ifmsh->csa_role !=3D IEEE80211_MESH_CSA_ROLE_INIT && >>> - !sdata->vif.csa_active) >>> -- ieee80211_mesh_process_chnswitch(sdata, &elems, true); >>> -+ ieee80211_mesh_process_chnswitch(sdata, elems, true); >>> - } >>> -=20 >>> - if (ifmsh->sync_ops) >>> - ifmsh->sync_ops->rx_bcn_presp(sdata, stype, mgmt, len, >>> -- elems.mesh_config, rx_status); >>> -+ elems->mesh_config, rx_status); >>> -+free: >>> -+ kfree(elems); >>> - } >>> -=20 >>> - int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata) >>> -@@ -1447,7 +1456,7 @@ static void mesh_rx_csa_frame(struct ieee80211_sub= _if_data *sdata, >>> - struct ieee80211_mgmt *mgmt, size_t len) >>> - { >>> - struct ieee80211_if_mesh *ifmsh =3D &sdata->u.mesh; >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> - u16 pre_value; >>> - bool fwd_csa =3D true; >>> - size_t baselen; >>> -@@ -1460,33 +1469,37 @@ static void mesh_rx_csa_frame(struct ieee80211_s= ub_if_data *sdata, >>> - pos =3D mgmt->u.action.u.chan_switch.variable; >>> - baselen =3D offsetof(struct ieee80211_mgmt, >>> - u.action.u.chan_switch.variable); >>> -- ieee802_11_parse_elems(pos, len - baselen, true, &elems, >>> -- mgmt->bssid, NULL); >>> -- >>> -- if (!mesh_matches_local(sdata, &elems)) >>> -+ elems =3D ieee802_11_parse_elems(pos, len - baselen, true, >>> -+ mgmt->bssid, NULL); >>> -+ if (!elems) >>> - return; >>> -=20 >>> -- ifmsh->chsw_ttl =3D elems.mesh_chansw_params_ie->mesh_ttl; >>> -+ if (!mesh_matches_local(sdata, elems)) >>> -+ goto free; >>> -+ >>> -+ ifmsh->chsw_ttl =3D elems->mesh_chansw_params_ie->mesh_ttl; >>> - if (!--ifmsh->chsw_ttl) >>> - fwd_csa =3D false; >>> -=20 >>> -- pre_value =3D 
le16_to_cpu(elems.mesh_chansw_params_ie->mesh_pre_value); >>> -+ pre_value =3D le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value= ); >>> - if (ifmsh->pre_value >=3D pre_value) >>> -- return; >>> -+ goto free; >>> -=20 >>> - ifmsh->pre_value =3D pre_value; >>> -=20 >>> - if (!sdata->vif.csa_active && >>> -- !ieee80211_mesh_process_chnswitch(sdata, &elems, false)) { >>> -+ !ieee80211_mesh_process_chnswitch(sdata, elems, false)) { >>> - mcsa_dbg(sdata, "Failed to process CSA action frame"); >>> -- return; >>> -+ goto free; >>> - } >>> -=20 >>> - /* forward or re-broadcast the CSA frame */ >>> - if (fwd_csa) { >>> -- if (mesh_fwd_csa_frame(sdata, mgmt, len, &elems) < 0) >>> -+ if (mesh_fwd_csa_frame(sdata, mgmt, len, elems) < 0) >>> - mcsa_dbg(sdata, "Failed to forward the CSA frame"); >>> - } >>> -+free: >>> -+ kfree(elems); >>> - } >>> -=20 >>> - static void ieee80211_mesh_rx_mgmt_action(struct ieee80211_sub_if_data = *sdata, >>> -diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c >>> -index a05b615deb51..44a6fdb6efbd 100644 >>> ---- a/net/mac80211/mesh_hwmp.c >>> -+++ b/net/mac80211/mesh_hwmp.c >>> -@@ -1,7 +1,7 @@ >>> - // SPDX-License-Identifier: GPL-2.0-only >>> - /* >>> - * Copyright (c) 2008, 2009 open80211s Ltd. 
>>> -- * Copyright (C) 2019 Intel Corporation >>> -+ * Copyright (C) 2019, 2021 Intel Corporation >>> - * Author: Luis Carlos Cobo >>> - */ >>> -=20 >>> -@@ -908,7 +908,7 @@ static void hwmp_rann_frame_process(struct ieee80211= _sub_if_data *sdata, >>> - void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata, >>> - struct ieee80211_mgmt *mgmt, size_t len) >>> - { >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> - size_t baselen; >>> - u32 path_metric; >>> - struct sta_info *sta; >>> -@@ -926,37 +926,41 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_i= f_data *sdata, >>> - rcu_read_unlock(); >>> -=20 >>> - baselen =3D (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt; >>> -- ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable, >>> -- len - baselen, false, &elems, mgmt->bssid, NULL); >>> -+ elems =3D ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable, >>> -+ len - baselen, false, mgmt->bssid, NULL); >>> -+ if (!elems) >>> -+ return; >>> -=20 >>> -- if (elems.preq) { >>> -- if (elems.preq_len !=3D 37) >>> -+ if (elems->preq) { >>> -+ if (elems->preq_len !=3D 37) >>> - /* Right now we support just 1 destination and no AE */ >>> -- return; >>> -- path_metric =3D hwmp_route_info_get(sdata, mgmt, elems.preq, >>> -+ goto free; >>> -+ path_metric =3D hwmp_route_info_get(sdata, mgmt, elems->preq, >>> - MPATH_PREQ); >>> - if (path_metric) >>> -- hwmp_preq_frame_process(sdata, mgmt, elems.preq, >>> -+ hwmp_preq_frame_process(sdata, mgmt, elems->preq, >>> - path_metric); >>> - } >>> -- if (elems.prep) { >>> -- if (elems.prep_len !=3D 31) >>> -+ if (elems->prep) { >>> -+ if (elems->prep_len !=3D 31) >>> - /* Right now we support no AE */ >>> -- return; >>> -- path_metric =3D hwmp_route_info_get(sdata, mgmt, elems.prep, >>> -+ goto free; >>> -+ path_metric =3D hwmp_route_info_get(sdata, mgmt, elems->prep, >>> - MPATH_PREP); >>> - if (path_metric) >>> -- hwmp_prep_frame_process(sdata, mgmt, elems.prep, >>> 
-+ hwmp_prep_frame_process(sdata, mgmt, elems->prep, >>> - path_metric); >>> - } >>> -- if (elems.perr) { >>> -- if (elems.perr_len !=3D 15) >>> -+ if (elems->perr) { >>> -+ if (elems->perr_len !=3D 15) >>> - /* Right now we support only one destination per PERR */ >>> -- return; >>> -- hwmp_perr_frame_process(sdata, mgmt, elems.perr); >>> -+ goto free; >>> -+ hwmp_perr_frame_process(sdata, mgmt, elems->perr); >>> - } >>> -- if (elems.rann) >>> -- hwmp_rann_frame_process(sdata, mgmt, elems.rann); >>> -+ if (elems->rann) >>> -+ hwmp_rann_frame_process(sdata, mgmt, elems->rann); >>> -+free: >>> -+ kfree(elems); >>> - } >>> -=20 >>> - /** >>> -diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c >>> -index a6915847d78a..a829470dd59e 100644 >>> ---- a/net/mac80211/mesh_plink.c >>> -+++ b/net/mac80211/mesh_plink.c >>> -@@ -1,7 +1,7 @@ >>> - // SPDX-License-Identifier: GPL-2.0-only >>> - /* >>> - * Copyright (c) 2008, 2009 open80211s Ltd. >>> -- * Copyright (C) 2019 Intel Corporation >>> -+ * Copyright (C) 2019, 2021 Intel Corporation >>> - * Author: Luis Carlos Cobo >>> - */ >>> - #include >>> -@@ -1200,7 +1200,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_d= ata *sdata, >>> - struct ieee80211_mgmt *mgmt, size_t len, >>> - struct ieee80211_rx_status *rx_status) >>> - { >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> - size_t baselen; >>> - u8 *baseaddr; >>> -=20 >>> -@@ -1228,7 +1228,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_d= ata *sdata, >>> - if (baselen > len) >>> - return; >>> - } >>> -- ieee802_11_parse_elems(baseaddr, len - baselen, true, &elems, >>> -- mgmt->bssid, NULL); >>> -- mesh_process_plink_frame(sdata, mgmt, &elems, rx_status); >>> -+ elems =3D ieee802_11_parse_elems(baseaddr, len - baselen, true, >>> -+ mgmt->bssid, NULL); >>> -+ mesh_process_plink_frame(sdata, mgmt, elems, rx_status); >>> -+ kfree(elems); >>> - } >>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c >>> -index 
548cd14c5503..45efa1d1c550 100644 >>> ---- a/net/mac80211/mlme.c >>> -+++ b/net/mac80211/mlme.c >>> -@@ -3317,8 +3317,11 @@ static bool ieee80211_assoc_success(struct ieee80= 211_sub_if_data *sdata, >>> - aid =3D 0; /* TODO */ >>> - } >>> - capab_info =3D le16_to_cpu(mgmt->u.assoc_resp.capab_info); >>> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems, >>> -- mgmt->bssid, assoc_data->bss->bssid); >>> -+ elems =3D ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, >>> -+ mgmt->bssid, assoc_data->bss->bssid); >>> -+ >>> -+ if (!elems) >>> -+ return false; >>> -=20 >>> - if (elems->aid_resp) >>> - aid =3D le16_to_cpu(elems->aid_resp->aid); >>> -@@ -3340,7 +3343,8 @@ static bool ieee80211_assoc_success(struct ieee802= 11_sub_if_data *sdata, >>> -=20 >>> - if (!is_s1g && !elems->supp_rates) { >>> - sdata_info(sdata, "no SuppRates element in AssocResp\n"); >>> -- return false; >>> -+ ret =3D false; >>> -+ goto out; >>> - } >>> -=20 >>> - sdata->vif.bss_conf.aid =3D aid; >>> -@@ -3362,7 +3366,7 @@ static bool ieee80211_assoc_success(struct ieee802= 11_sub_if_data *sdata, >>> - (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) && >>> - (!elems->vht_cap_elem || !elems->vht_operation)))) { >>> - const struct cfg80211_bss_ies *ies; >>> -- struct ieee802_11_elems bss_elems; >>> -+ struct ieee802_11_elems *bss_elems; >>> -=20 >>> - rcu_read_lock(); >>> - ies =3D rcu_dereference(cbss->ies); >>> -@@ -3373,13 +3377,17 @@ static bool ieee80211_assoc_success(struct ieee8= 0211_sub_if_data *sdata, >>> - if (!bss_ies) >>> - return false; >>> -=20 >>> -- ieee802_11_parse_elems(bss_ies->data, bss_ies->len, >>> -- false, &bss_elems, >>> -- mgmt->bssid, >>> -- assoc_data->bss->bssid); >>> -+ bss_elems =3D ieee802_11_parse_elems(bss_ies->data, bss_ies->len, >>> -+ false, mgmt->bssid, >>> -+ assoc_data->bss->bssid); >>> -+ if (!bss_elems) { >>> -+ ret =3D false; >>> -+ goto out; >>> -+ } >>> -+ >>> - if (assoc_data->wmm && >>> -- !elems->wmm_param && 
bss_elems.wmm_param) { >>> -- elems->wmm_param =3D bss_elems.wmm_param; >>> -+ !elems->wmm_param && bss_elems->wmm_param) { >>> -+ elems->wmm_param =3D bss_elems->wmm_param; >>> - sdata_info(sdata, >>> - "AP bug: WMM param missing from AssocResp\n"); >>> - } >>> -@@ -3388,30 +3396,32 @@ static bool ieee80211_assoc_success(struct ieee8= 0211_sub_if_data *sdata, >>> - * Also check if we requested HT/VHT, otherwise the AP doesn't >>> - * have to include the IEs in the (re)association response. >>> - */ >>> -- if (!elems->ht_cap_elem && bss_elems.ht_cap_elem && >>> -+ if (!elems->ht_cap_elem && bss_elems->ht_cap_elem && >>> - !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) { >>> -- elems->ht_cap_elem =3D bss_elems.ht_cap_elem; >>> -+ elems->ht_cap_elem =3D bss_elems->ht_cap_elem; >>> - sdata_info(sdata, >>> - "AP bug: HT capability missing from AssocResp\n"); >>> - } >>> -- if (!elems->ht_operation && bss_elems.ht_operation && >>> -+ if (!elems->ht_operation && bss_elems->ht_operation && >>> - !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) { >>> -- elems->ht_operation =3D bss_elems.ht_operation; >>> -+ elems->ht_operation =3D bss_elems->ht_operation; >>> - sdata_info(sdata, >>> - "AP bug: HT operation missing from AssocResp\n"); >>> - } >>> -- if (!elems->vht_cap_elem && bss_elems.vht_cap_elem && >>> -+ if (!elems->vht_cap_elem && bss_elems->vht_cap_elem && >>> - !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) { >>> -- elems->vht_cap_elem =3D bss_elems.vht_cap_elem; >>> -+ elems->vht_cap_elem =3D bss_elems->vht_cap_elem; >>> - sdata_info(sdata, >>> - "AP bug: VHT capa missing from AssocResp\n"); >>> - } >>> -- if (!elems->vht_operation && bss_elems.vht_operation && >>> -+ if (!elems->vht_operation && bss_elems->vht_operation && >>> - !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) { >>> -- elems->vht_operation =3D bss_elems.vht_operation; >>> -+ elems->vht_operation =3D bss_elems->vht_operation; >>> - sdata_info(sdata, >>> - "AP bug: VHT operation missing from AssocResp\n"); >>> - 
} >>> -+ >>> -+ kfree(bss_elems); >>> - } >>> -=20 >>> - /* >>> -@@ -3662,6 +3672,7 @@ static bool ieee80211_assoc_success(struct ieee802= 11_sub_if_data *sdata, >>> -=20 >>> - ret =3D true; >>> - out: >>> -+ kfree(elems); >>> - kfree(bss_ies); >>> - return ret; >>> - } >>> -@@ -3673,7 +3684,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ie= ee80211_sub_if_data *sdata, >>> - struct ieee80211_if_managed *ifmgd =3D &sdata->u.mgd; >>> - struct ieee80211_mgd_assoc_data *assoc_data =3D ifmgd->assoc_data; >>> - u16 capab_info, status_code, aid; >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> - int ac, uapsd_queues =3D -1; >>> - u8 *pos; >>> - bool reassoc; >>> -@@ -3730,14 +3741,16 @@ static void ieee80211_rx_mgmt_assoc_resp(struct = ieee80211_sub_if_data *sdata, >>> - fils_decrypt_assoc_resp(sdata, (u8 *)mgmt, &len, assoc_data) < 0) >>> - return; >>> -=20 >>> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, >>> -- mgmt->bssid, assoc_data->bss->bssid); >>> -+ elems =3D ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, >>> -+ mgmt->bssid, assoc_data->bss->bssid); >>> -+ if (!elems) >>> -+ goto notify_driver; >>> -=20 >>> - if (status_code =3D=3D WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY && >>> -- elems.timeout_int && >>> -- elems.timeout_int->type =3D=3D WLAN_TIMEOUT_ASSOC_COMEBACK) { >>> -+ elems->timeout_int && >>> -+ elems->timeout_int->type =3D=3D WLAN_TIMEOUT_ASSOC_COMEBACK) { >>> - u32 tu, ms; >>> -- tu =3D le32_to_cpu(elems.timeout_int->value); >>> -+ tu =3D le32_to_cpu(elems->timeout_int->value); >>> - ms =3D tu * 1024 / 1000; >>> - sdata_info(sdata, >>> - "%pM rejected association temporarily; comeback duration %u TU (%u ms= )\n", >>> -@@ -3757,7 +3770,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ie= ee80211_sub_if_data *sdata, >>> - event.u.mlme.reason =3D status_code; >>> - drv_event_callback(sdata->local, sdata, &event); >>> - } else { >>> -- if (!ieee80211_assoc_success(sdata, cbss, 
mgmt, len, &elems)) { >>> -+ if (!ieee80211_assoc_success(sdata, cbss, mgmt, len, elems)) { >>> - /* oops -- internal error -- send timeout for now */ >>> - ieee80211_destroy_assoc_data(sdata, false, false); >>> - cfg80211_assoc_timeout(sdata->dev, cbss); >>> -@@ -3787,6 +3800,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ie= ee80211_sub_if_data *sdata, >>> - ifmgd->assoc_req_ies, ifmgd->assoc_req_ies_len); >>> - notify_driver: >>> - drv_mgd_complete_tx(sdata->local, sdata, &info); >>> -+ kfree(elems); >>> - } >>> -=20 >>> - static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata, >>> -@@ -3991,7 +4005,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80= 211_sub_if_data *sdata, >>> - struct ieee80211_bss_conf *bss_conf =3D &sdata->vif.bss_conf; >>> - struct ieee80211_mgmt *mgmt =3D (void *) hdr; >>> - size_t baselen; >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> - struct ieee80211_local *local =3D sdata->local; >>> - struct ieee80211_chanctx_conf *chanctx_conf; >>> - struct ieee80211_channel *chan; >>> -@@ -4037,15 +4051,16 @@ static void ieee80211_rx_mgmt_beacon(struct ieee= 80211_sub_if_data *sdata, >>> -=20 >>> - if (ifmgd->assoc_data && ifmgd->assoc_data->need_beacon && >>> - ieee80211_rx_our_beacon(bssid, ifmgd->assoc_data->bss)) { >>> -- ieee802_11_parse_elems(variable, >>> -- len - baselen, false, &elems, >>> -- bssid, >>> -- ifmgd->assoc_data->bss->bssid); >>> -+ elems =3D ieee802_11_parse_elems(variable, len - baselen, false, >>> -+ bssid, >>> -+ ifmgd->assoc_data->bss->bssid); >>> -+ if (!elems) >>> -+ return; >>> -=20 >>> - ieee80211_rx_bss_info(sdata, mgmt, len, rx_status); >>> -=20 >>> -- if (elems.dtim_period) >>> -- ifmgd->dtim_period =3D elems.dtim_period; >>> -+ if (elems->dtim_period) >>> -+ ifmgd->dtim_period =3D elems->dtim_period; >>> - ifmgd->have_beacon =3D true; >>> - ifmgd->assoc_data->need_beacon =3D false; >>> - if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY)) { >>> -@@ 
-4053,17 +4068,17 @@ static void ieee80211_rx_mgmt_beacon(struct ieee= 80211_sub_if_data *sdata, >>> - le64_to_cpu(mgmt->u.beacon.timestamp); >>> - sdata->vif.bss_conf.sync_device_ts =3D >>> - rx_status->device_timestamp; >>> -- sdata->vif.bss_conf.sync_dtim_count =3D elems.dtim_count; >>> -+ sdata->vif.bss_conf.sync_dtim_count =3D elems->dtim_count; >>> - } >>> -=20 >>> -- if (elems.mbssid_config_ie) >>> -+ if (elems->mbssid_config_ie) >>> - bss_conf->profile_periodicity =3D >>> -- elems.mbssid_config_ie->profile_periodicity; >>> -+ elems->mbssid_config_ie->profile_periodicity; >>> - else >>> - bss_conf->profile_periodicity =3D 0; >>> -=20 >>> -- if (elems.ext_capab_len >=3D 11 && >>> -- (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT)) >>> -+ if (elems->ext_capab_len >=3D 11 && >>> -+ (elems->ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT)) >>> - bss_conf->ema_ap =3D true; >>> - else >>> - bss_conf->ema_ap =3D false; >>> -@@ -4072,6 +4087,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80= 211_sub_if_data *sdata, >>> - ifmgd->assoc_data->timeout =3D jiffies; >>> - ifmgd->assoc_data->timeout_started =3D true; >>> - run_again(sdata, ifmgd->assoc_data->timeout); >>> -+ kfree(elems); >>> - return; >>> - } >>> -=20 >>> -@@ -4103,14 +4119,15 @@ static void ieee80211_rx_mgmt_beacon(struct ieee= 80211_sub_if_data *sdata, >>> - */ >>> - if (!ieee80211_is_s1g_beacon(hdr->frame_control)) >>> - ncrc =3D crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4); >>> -- ieee802_11_parse_elems_crc(variable, >>> -- len - baselen, false, &elems, >>> -- care_about_ies, ncrc, >>> -- mgmt->bssid, bssid); >>> -- ncrc =3D elems.crc; >>> -+ elems =3D ieee802_11_parse_elems_crc(variable, len - baselen, >>> -+ false, care_about_ies, ncrc, >>> -+ mgmt->bssid, bssid); >>> -+ if (!elems) >>> -+ return; >>> -+ ncrc =3D elems->crc; >>> -=20 >>> - if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) && >>> -- ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) { >>> -+ 
ieee80211_check_tim(elems->tim, elems->tim_len, bss_conf->aid)) { >>> - if (local->hw.conf.dynamic_ps_timeout > 0) { >>> - if (local->hw.conf.flags & IEEE80211_CONF_PS) { >>> - local->hw.conf.flags &=3D ~IEEE80211_CONF_PS; >>> -@@ -4180,12 +4197,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee= 80211_sub_if_data *sdata, >>> - le64_to_cpu(mgmt->u.beacon.timestamp); >>> - sdata->vif.bss_conf.sync_device_ts =3D >>> - rx_status->device_timestamp; >>> -- sdata->vif.bss_conf.sync_dtim_count =3D elems.dtim_count; >>> -+ sdata->vif.bss_conf.sync_dtim_count =3D elems->dtim_count; >>> - } >>> -=20 >>> - if ((ncrc =3D=3D ifmgd->beacon_crc && ifmgd->beacon_crc_valid) || >>> - ieee80211_is_s1g_short_beacon(mgmt->frame_control)) >>> -- return; >>> -+ goto free; >>> - ifmgd->beacon_crc =3D ncrc; >>> - ifmgd->beacon_crc_valid =3D true; >>> -=20 >>> -@@ -4193,12 +4210,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee= 80211_sub_if_data *sdata, >>> -=20 >>> - ieee80211_sta_process_chanswitch(sdata, rx_status->mactime, >>> - rx_status->device_timestamp, >>> -- &elems, true); >>> -+ elems, true); >>> -=20 >>> - if (!(ifmgd->flags & IEEE80211_STA_DISABLE_WMM) && >>> -- ieee80211_sta_wmm_params(local, sdata, elems.wmm_param, >>> -- elems.wmm_param_len, >>> -- elems.mu_edca_param_set)) >>> -+ ieee80211_sta_wmm_params(local, sdata, elems->wmm_param, >>> -+ elems->wmm_param_len, >>> -+ elems->mu_edca_param_set)) >>> - changed |=3D BSS_CHANGED_QOS; >>> -=20 >>> - /* >>> -@@ -4207,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80= 211_sub_if_data *sdata, >>> - */ >>> - if (!ifmgd->have_beacon) { >>> - /* a few bogus AP send dtim_period =3D 0 or no TIM IE */ >>> -- bss_conf->dtim_period =3D elems.dtim_period ?: 1; >>> -+ bss_conf->dtim_period =3D elems->dtim_period ?: 1; >>> -=20 >>> - changed |=3D BSS_CHANGED_BEACON_INFO; >>> - ifmgd->have_beacon =3D true; >>> -@@ -4219,9 +4236,9 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80= 211_sub_if_data *sdata, >>> - 
ieee80211_recalc_ps_vif(sdata); >>> - } >>> -=20 >>> -- if (elems.erp_info) { >>> -+ if (elems->erp_info) { >>> - erp_valid =3D true; >>> -- erp_value =3D elems.erp_info[0]; >>> -+ erp_value =3D elems->erp_info[0]; >>> - } else { >>> - erp_valid =3D false; >>> - } >>> -@@ -4234,12 +4251,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee= 80211_sub_if_data *sdata, >>> - mutex_lock(&local->sta_mtx); >>> - sta =3D sta_info_get(sdata, bssid); >>> -=20 >>> -- changed |=3D ieee80211_recalc_twt_req(sdata, sta, &elems); >>> -+ changed |=3D ieee80211_recalc_twt_req(sdata, sta, elems); >>> -=20 >>> -- if (ieee80211_config_bw(sdata, sta, elems.ht_cap_elem, >>> -- elems.vht_cap_elem, elems.ht_operation, >>> -- elems.vht_operation, elems.he_operation, >>> -- elems.s1g_oper, bssid, &changed)) { >>> -+ if (ieee80211_config_bw(sdata, sta, elems->ht_cap_elem, >>> -+ elems->vht_cap_elem, elems->ht_operation, >>> -+ elems->vht_operation, elems->he_operation, >>> -+ elems->s1g_oper, bssid, &changed)) { >>> - mutex_unlock(&local->sta_mtx); >>> - sdata_info(sdata, >>> - "failed to follow AP %pM bandwidth change, disconnect\n", >>> -@@ -4251,21 +4268,23 @@ static void ieee80211_rx_mgmt_beacon(struct ieee= 80211_sub_if_data *sdata, >>> - sizeof(deauth_buf), true, >>> - WLAN_REASON_DEAUTH_LEAVING, >>> - false); >>> -- return; >>> -+ goto free; >>> - } >>> -=20 >>> -- if (sta && elems.opmode_notif) >>> -- ieee80211_vht_handle_opmode(sdata, sta, *elems.opmode_notif, >>> -+ if (sta && elems->opmode_notif) >>> -+ ieee80211_vht_handle_opmode(sdata, sta, *elems->opmode_notif, >>> - rx_status->band); >>> - mutex_unlock(&local->sta_mtx); >>> -=20 >>> - changed |=3D ieee80211_handle_pwr_constr(sdata, chan, mgmt, >>> -- elems.country_elem, >>> -- elems.country_elem_len, >>> -- elems.pwr_constr_elem, >>> -- elems.cisco_dtpc_elem); >>> -+ elems->country_elem, >>> -+ elems->country_elem_len, >>> -+ elems->pwr_constr_elem, >>> -+ elems->cisco_dtpc_elem); >>> -=20 >>> - 
ieee80211_bss_info_change_notify(sdata, changed); >>> -+free: >>> -+ kfree(elems); >>> - } >>> -=20 >>> - void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata, >>> -@@ -4294,7 +4313,6 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211= _sub_if_data *sdata, >>> - struct ieee80211_rx_status *rx_status; >>> - struct ieee80211_mgmt *mgmt; >>> - u16 fc; >>> -- struct ieee802_11_elems elems; >>> - int ies_len; >>> -=20 >>> - rx_status =3D (struct ieee80211_rx_status *) skb->cb; >>> -@@ -4326,6 +4344,8 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211= _sub_if_data *sdata, >>> - break; >>> - case IEEE80211_STYPE_ACTION: >>> - if (mgmt->u.action.category =3D=3D WLAN_CATEGORY_SPECTRUM_MGMT) { >>> -+ struct ieee802_11_elems *elems; >>> -+ >>> - ies_len =3D skb->len - >>> - offsetof(struct ieee80211_mgmt, >>> - u.action.u.chan_switch.variable); >>> -@@ -4334,18 +4354,21 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee802= 11_sub_if_data *sdata, >>> - break; >>> -=20 >>> - /* CSA IE cannot be overridden, no need for BSSID */ >>> -- ieee802_11_parse_elems( >>> -- mgmt->u.action.u.chan_switch.variable, >>> -- ies_len, true, &elems, mgmt->bssid, NULL); >>> -+ elems =3D ieee802_11_parse_elems( >>> -+ mgmt->u.action.u.chan_switch.variable, >>> -+ ies_len, true, mgmt->bssid, NULL); >>> -=20 >>> -- if (elems.parse_error) >>> -+ if (!elems || elems->parse_error) >>> - break; >>> -=20 >>> - ieee80211_sta_process_chanswitch(sdata, >>> - rx_status->mactime, >>> - rx_status->device_timestamp, >>> -- &elems, false); >>> -+ elems, false); >>> -+ kfree(elems); >>> - } else if (mgmt->u.action.category =3D=3D WLAN_CATEGORY_PUBLIC) { >>> -+ struct ieee802_11_elems *elems; >>> -+ >>> - ies_len =3D skb->len - >>> - offsetof(struct ieee80211_mgmt, >>> - u.action.u.ext_chan_switch.variable); >>> -@@ -4357,21 +4380,22 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee802= 11_sub_if_data *sdata, >>> - * extended CSA IE can't be overridden, no need for >>> - * BSSID >>> - */ >>> 
-- ieee802_11_parse_elems( >>> -- mgmt->u.action.u.ext_chan_switch.variable, >>> -- ies_len, true, &elems, mgmt->bssid, NULL); >>> -+ elems =3D ieee802_11_parse_elems( >>> -+ mgmt->u.action.u.ext_chan_switch.variable, >>> -+ ies_len, true, mgmt->bssid, NULL); >>> -=20 >>> -- if (elems.parse_error) >>> -+ if (!elems || elems->parse_error) >>> - break; >>> -=20 >>> - /* for the handling code pretend this was also an IE */ >>> -- elems.ext_chansw_ie =3D >>> -+ elems->ext_chansw_ie =3D >>> - &mgmt->u.action.u.ext_chan_switch.data; >>> -=20 >>> - ieee80211_sta_process_chanswitch(sdata, >>> - rx_status->mactime, >>> - rx_status->device_timestamp, >>> -- &elems, false); >>> -+ elems, false); >>> -+ kfree(elems); >>> - } >>> - break; >>> - } >>> -diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c >>> -index d6afaacaf7ef..e692a2487eb5 100644 >>> ---- a/net/mac80211/scan.c >>> -+++ b/net/mac80211/scan.c >>> -@@ -9,7 +9,7 @@ >>> - * Copyright 2007, Michael Wu >>> - * Copyright 2013-2015 Intel Mobile Communications GmbH >>> - * Copyright 2016-2017 Intel Deutschland GmbH >>> -- * Copyright (C) 2018-2020 Intel Corporation >>> -+ * Copyright (C) 2018-2021 Intel Corporation >>> - */ >>> -=20 >>> - #include >>> -@@ -155,7 +155,7 @@ ieee80211_bss_info_update(struct ieee80211_local *lo= cal, >>> - }; >>> - bool signal_valid; >>> - struct ieee80211_sub_if_data *scan_sdata; >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> - size_t baselen; >>> - u8 *elements; >>> -=20 >>> -@@ -209,8 +209,10 @@ ieee80211_bss_info_update(struct ieee80211_local *l= ocal, >>> - if (baselen > len) >>> - return NULL; >>> -=20 >>> -- ieee802_11_parse_elems(elements, len - baselen, false, &elems, >>> -- mgmt->bssid, cbss->bssid); >>> -+ elems =3D ieee802_11_parse_elems(elements, len - baselen, false, >>> -+ mgmt->bssid, cbss->bssid); >>> -+ if (!elems) >>> -+ return NULL; >>> -=20 >>> - /* In case the signal is invalid update the status */ >>> - signal_valid =3D channel 
=3D=3D cbss->channel; >>> -@@ -218,15 +220,17 @@ ieee80211_bss_info_update(struct ieee80211_local *= local, >>> - rx_status->flag |=3D RX_FLAG_NO_SIGNAL_VAL; >>> -=20 >>> - bss =3D (void *)cbss->priv; >>> -- ieee80211_update_bss_from_elems(local, bss, &elems, rx_status, beacon); >>> -+ ieee80211_update_bss_from_elems(local, bss, elems, rx_status, beacon); >>> -=20 >>> - list_for_each_entry(non_tx_cbss, &cbss->nontrans_list, nontrans_list) { >>> - non_tx_bss =3D (void *)non_tx_cbss->priv; >>> -=20 >>> -- ieee80211_update_bss_from_elems(local, non_tx_bss, &elems, >>> -+ ieee80211_update_bss_from_elems(local, non_tx_bss, elems, >>> - rx_status, beacon); >>> - } >>> -=20 >>> -+ kfree(elems); >>> -+ >>> - return bss; >>> - } >>> -=20 >>> -diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c >>> -index 45e532ad1215..137be9ec94af 100644 >>> ---- a/net/mac80211/tdls.c >>> -+++ b/net/mac80211/tdls.c >>> -@@ -6,7 +6,7 @@ >>> - * Copyright 2014, Intel Corporation >>> - * Copyright 2014 Intel Mobile Communications GmbH >>> - * Copyright 2015 - 2016 Intel Deutschland GmbH >>> -- * Copyright (C) 2019 Intel Corporation >>> -+ * Copyright (C) 2019, 2021 Intel Corporation >>> - */ >>> -=20 >>> - #include >>> -@@ -1684,7 +1684,7 @@ ieee80211_process_tdls_channel_switch_resp(struct = ieee80211_sub_if_data *sdata, >>> - struct sk_buff *skb) >>> - { >>> - struct ieee80211_local *local =3D sdata->local; >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems =3D NULL; >>> - struct sta_info *sta; >>> - struct ieee80211_tdls_data *tf =3D (void *)skb->data; >>> - bool local_initiator; >>> -@@ -1718,16 +1718,20 @@ ieee80211_process_tdls_channel_switch_resp(struc= t ieee80211_sub_if_data *sdata, >>> - goto call_drv; >>> - } >>> -=20 >>> -- ieee802_11_parse_elems(tf->u.chan_switch_resp.variable, >>> -- skb->len - baselen, false, &elems, >>> -- NULL, NULL); >>> -- if (elems.parse_error) { >>> -+ elems =3D ieee802_11_parse_elems(tf->u.chan_switch_resp.variable, >>> -+ 
skb->len - baselen, false, NULL, NULL); >>> -+ if (!elems) { >>> -+ ret =3D -ENOMEM; >>> -+ goto out; >>> -+ } >>> -+ >>> -+ if (elems->parse_error) { >>> - tdls_dbg(sdata, "Invalid IEs in TDLS channel switch resp\n"); >>> - ret =3D -EINVAL; >>> - goto out; >>> - } >>> -=20 >>> -- if (!elems.ch_sw_timing || !elems.lnk_id) { >>> -+ if (!elems->ch_sw_timing || !elems->lnk_id) { >>> - tdls_dbg(sdata, "TDLS channel switch resp - missing IEs\n"); >>> - ret =3D -EINVAL; >>> - goto out; >>> -@@ -1735,15 +1739,15 @@ ieee80211_process_tdls_channel_switch_resp(struc= t ieee80211_sub_if_data *sdata, >>> -=20 >>> - /* validate the initiator is set correctly */ >>> - local_initiator =3D >>> -- !memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN); >>> -+ !memcmp(elems->lnk_id->init_sta, sdata->vif.addr, ETH_ALEN); >>> - if (local_initiator =3D=3D sta->sta.tdls_initiator) { >>> - tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n"); >>> - ret =3D -EINVAL; >>> - goto out; >>> - } >>> -=20 >>> -- params.switch_time =3D le16_to_cpu(elems.ch_sw_timing->switch_time); >>> -- params.switch_timeout =3D le16_to_cpu(elems.ch_sw_timing->switch_timeo= ut); >>> -+ params.switch_time =3D le16_to_cpu(elems->ch_sw_timing->switch_time); >>> -+ params.switch_timeout =3D le16_to_cpu(elems->ch_sw_timing->switch_time= out); >>> -=20 >>> - params.tmpl_skb =3D >>> - ieee80211_tdls_ch_sw_resp_tmpl_get(sta, ¶ms.ch_sw_tm_ie); >>> -@@ -1763,6 +1767,7 @@ call_drv: >>> - out: >>> - mutex_unlock(&local->sta_mtx); >>> - dev_kfree_skb_any(params.tmpl_skb); >>> -+ kfree(elems); >>> - return ret; >>> - } >>> -=20 >>> -@@ -1771,7 +1776,7 @@ ieee80211_process_tdls_channel_switch_req(struct i= eee80211_sub_if_data *sdata, >>> - struct sk_buff *skb) >>> - { >>> - struct ieee80211_local *local =3D sdata->local; >>> -- struct ieee802_11_elems elems; >>> -+ struct ieee802_11_elems *elems; >>> - struct cfg80211_chan_def chandef; >>> - struct ieee80211_channel *chan; >>> - enum nl80211_channel_type 
chan_type; >>> -@@ -1831,22 +1836,27 @@ ieee80211_process_tdls_channel_switch_req(struct= ieee80211_sub_if_data *sdata, >>> - return -EINVAL; >>> - } >>> -=20 >>> -- ieee802_11_parse_elems(tf->u.chan_switch_req.variable, >>> -- skb->len - baselen, false, &elems, NULL, NULL); >>> -- if (elems.parse_error) { >>> -+ elems =3D ieee802_11_parse_elems(tf->u.chan_switch_req.variable, >>> -+ skb->len - baselen, false, NULL, NULL); >>> -+ if (!elems) >>> -+ return -ENOMEM; >>> -+ >>> -+ if (elems->parse_error) { >>> - tdls_dbg(sdata, "Invalid IEs in TDLS channel switch req\n"); >>> -- return -EINVAL; >>> -+ ret =3D -EINVAL; >>> -+ goto free; >>> - } >>> -=20 >>> -- if (!elems.ch_sw_timing || !elems.lnk_id) { >>> -+ if (!elems->ch_sw_timing || !elems->lnk_id) { >>> - tdls_dbg(sdata, "TDLS channel switch req - missing IEs\n"); >>> -- return -EINVAL; >>> -+ ret =3D -EINVAL; >>> -+ goto free; >>> - } >>> -=20 >>> -- if (!elems.sec_chan_offs) { >>> -+ if (!elems->sec_chan_offs) { >>> - chan_type =3D NL80211_CHAN_HT20; >>> - } else { >>> -- switch (elems.sec_chan_offs->sec_chan_offs) { >>> -+ switch (elems->sec_chan_offs->sec_chan_offs) { >>> - case IEEE80211_HT_PARAM_CHA_SEC_ABOVE: >>> - chan_type =3D NL80211_CHAN_HT40PLUS; >>> - break; >>> -@@ -1865,7 +1875,8 @@ ieee80211_process_tdls_channel_switch_req(struct i= eee80211_sub_if_data *sdata, >>> - if (!cfg80211_reg_can_beacon_relax(sdata->local->hw.wiphy, &chandef, >>> - sdata->wdev.iftype)) { >>> - tdls_dbg(sdata, "TDLS chan switch to forbidden channel\n"); >>> -- return -EINVAL; >>> -+ ret =3D -EINVAL; >>> -+ goto free; >>> - } >>> -=20 >>> - mutex_lock(&local->sta_mtx); >>> -@@ -1881,7 +1892,7 @@ ieee80211_process_tdls_channel_switch_req(struct i= eee80211_sub_if_data *sdata, >>> -=20 >>> - /* validate the initiator is set correctly */ >>> - local_initiator =3D >>> -- !memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN); >>> -+ !memcmp(elems->lnk_id->init_sta, sdata->vif.addr, ETH_ALEN); >>> - if (local_initiator 
=3D=3D sta->sta.tdls_initiator) {
>>> - tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
>>> - ret =3D -EINVAL;
>>> -@@ -1889,16 +1900,16 @@ ieee80211_process_tdls_channel_switch_req(struct= ieee80211_sub_if_data *sdata,
>>> - }
>>> -=20
>>> - /* peer should have known better */
>>> -- if (!sta->sta.ht_cap.ht_supported && elems.sec_chan_offs &&
>>> -- elems.sec_chan_offs->sec_chan_offs) {
>>> -+ if (!sta->sta.ht_cap.ht_supported && elems->sec_chan_offs &&
>>> -+ elems->sec_chan_offs->sec_chan_offs) {
>>> - tdls_dbg(sdata, "TDLS chan switch - wide chan unsupported\n");
>>> - ret =3D -ENOTSUPP;
>>> - goto out;
>>> - }
>>> -=20
>>> - params.chandef =3D &chandef;
>>> -- params.switch_time =3D le16_to_cpu(elems.ch_sw_timing->switch_time);
>>> -- params.switch_timeout =3D le16_to_cpu(elems.ch_sw_timing->switch_timeo= ut);
>>> -+ params.switch_time =3D le16_to_cpu(elems->ch_sw_timing->switch_time);
>>> -+ params.switch_timeout =3D le16_to_cpu(elems->ch_sw_timing->switch_time= out);
>>> -=20
>>> - params.tmpl_skb =3D
>>> - ieee80211_tdls_ch_sw_resp_tmpl_get(sta,
>>> -@@ -1917,6 +1928,8 @@ ieee80211_process_tdls_channel_switch_req(struct i= eee80211_sub_if_data *sdata,
>>> - out:
>>> - mutex_unlock(&local->sta_mtx);
>>> - dev_kfree_skb_any(params.tmpl_skb);
>>> -+free:
>>> -+ kfree(elems);
>>> - return ret;
>>> - }
>>> -=20
>>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>>> -index 664c32b6db19..2ac61e68b6b4 100644
>>> ---- a/net/mac80211/util.c
>>> -+++ b/net/mac80211/util.c
>>> -@@ -1396,8 +1396,8 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_= t len, bool action,
>>> -=20
>>> - static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
>>> - struct ieee802_11_elems *elems,
>>> -- u8 *transmitter_bssid,
>>> -- u8 *bss_bssid,
>>> -+ const u8 *transmitter_bssid,
>>> -+ const u8 *bss_bssid,
>>> - u8 *nontransmitted_profile)
>>> - {
>>> - const struct element *elem, *sub;
>>> -@@ -1464,16 +1464,20 @@ static size_t
ieee802_11_find_bssid_profile(cons= t u8 *start, size_t len,
>>> - return found ? profile_len : 0;
>>> - }
>>> -=20
>>> --void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool actio= n,
>>> -- struct ieee802_11_elems *elems,
>>> -- u64 filter, u32 crc, u8 *transmitter_bssid,
>>> -- u8 *bss_bssid)
>>> -+struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, si= ze_t len,
>>> -+ bool action, u64 filter,
>>> -+ u32 crc,
>>> -+ const u8 *transmitter_bssid,
>>> -+ const u8 *bss_bssid)
>>> - {
>>> -+ struct ieee802_11_elems *elems;
>>> - const struct element *non_inherit =3D NULL;
>>> - u8 *nontransmitted_profile;
>>> - int nontransmitted_profile_len =3D 0;
>>> -=20
>>> -- memset(elems, 0, sizeof(*elems));
>>> -+ elems =3D kzalloc(sizeof(*elems), GFP_ATOMIC);
>>> -+ if (!elems)
>>> -+ return NULL;
>>> - elems->ie_start =3D start;
>>> - elems->total_len =3D len;
>>> -=20
>>> -@@ -1520,6 +1524,8 @@ void ieee802_11_parse_elems_crc(const u8 *start, s= ize_t len, bool action,
>>> - kfree(nontransmitted_profile);
>>> -=20
>>> - elems->crc =3D crc;
>>> -+
>>> -+ return elems;
>>> - }
>>> -=20
>>> - void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data= *sdata,
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch = b/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
>>> deleted file mode 100644
>>> index 1d167c19a..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
>>> +++ /dev/null
>>> @@ -1,130 +0,0 @@
>>> -From 7d998f6b7365d50a9905bf57fd28b41c7ebe8e9d Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Thu, 13 Oct 2022 20:16:00 +0200
>>> -Subject: [PATCH] mac80211: fix memory leaks with element parsing
>>> -
>>> -commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
>>> -
>>> -My previous commit 5d24828d05f3 ("mac80211: always allocate
>>> -struct ieee802_11_elems") had a few bugs and leaked the new
>>> -allocated struct in a few error cases, fix that.
>>> -
>>> -Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
>>> -Signed-off-by: Johannes Berg
>>> -Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d= 3af7ed1bfeac2e00d08a4637c8025(a)changeid
>>> -Signed-off-by: Johannes Berg
>>> -Cc: Felix Fietkau
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ---
>>> - net/mac80211/agg-rx.c | 3 ++-
>>> - net/mac80211/ibss.c | 10 +++++-----
>>> - net/mac80211/mlme.c | 36 ++++++++++++++++++------------------
>>> - 3 files changed, 25 insertions(+), 24 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
>>> -index ffa4f31f6c2b..0d2bab9d351c 100644
>>> ---- a/net/mac80211/agg-rx.c
>>> -+++ b/net/mac80211/agg-rx.c
>>> -@@ -499,13 +499,14 @@ void ieee80211_process_addba_request(struct ieee80= 211_local *local,
>>> - elems =3D ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
>>> - ies_len, true, mgmt->bssid, NULL);
>>> - if (!elems || elems->parse_error)
>>> -- return;
>>> -+ goto free;
>>> - }
>>> -=20
>>> - __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
>>> - start_seq_num, ba_policy, tid,
>>> - buf_size, true, false,
>>> - elems ?
elems->addba_ext_ie : NULL);
>>> -+free:
>>> - kfree(elems);
>>> - }
>>> -=20
>>> -diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
>>> -index 4b721b48f86a..48e0260f3424 100644
>>> ---- a/net/mac80211/ibss.c
>>> -+++ b/net/mac80211/ibss.c
>>> -@@ -1663,11 +1663,11 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80= 211_sub_if_data *sdata,
>>> - mgmt->u.action.u.chan_switch.variable,
>>> - ies_len, true, mgmt->bssid, NULL);
>>> -=20
>>> -- if (!elems || elems->parse_error)
>>> -- break;
>>> --
>>> -- ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
>>> -- rx_status, elems);
>>> -+ if (elems && !elems->parse_error)
>>> -+ ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
>>> -+ skb->len,
>>> -+ rx_status,
>>> -+ elems);
>>> - kfree(elems);
>>> - break;
>>> - }
>>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
>>> -index 45efa1d1c550..cc6d38a2e6d5 100644
>>> ---- a/net/mac80211/mlme.c
>>> -+++ b/net/mac80211/mlme.c
>>> -@@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(struct ieee80= 211_sub_if_data *sdata,
>>> - bss_ies =3D kmemdup(ies, sizeof(*ies) + ies->len,
>>> - GFP_ATOMIC);
>>> - rcu_read_unlock();
>>> -- if (!bss_ies)
>>> -- return false;
>>> -+ if (!bss_ies) {
>>> -+ ret =3D false;
>>> -+ goto out;
>>> -+ }
>>> -=20
>>> - bss_elems =3D ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
>>> - false, mgmt->bssid,
>>> -@@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee802= 11_sub_if_data *sdata,
>>> - mgmt->u.action.u.chan_switch.variable,
>>> - ies_len, true, mgmt->bssid, NULL);
>>> -=20
>>> -- if (!elems || elems->parse_error)
>>> -- break;
>>> --
>>> -- ieee80211_sta_process_chanswitch(sdata,
>>> -- rx_status->mactime,
>>> -- rx_status->device_timestamp,
>>> -- elems, false);
>>> -+ if (elems && !elems->parse_error)
>>> -+ ieee80211_sta_process_chanswitch(sdata,
>>> -+ rx_status->mactime,
>>> -+ rx_status->device_timestamp,
>>> -+ elems, false);
>>> - kfree(elems);
>>> - } else if (mgmt->u.action.category =3D=3D
WLAN_CATEGORY_PUBLIC) {
>>> - struct ieee802_11_elems *elems;
>>> -@@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee802= 11_sub_if_data *sdata,
>>> - mgmt->u.action.u.ext_chan_switch.variable,
>>> - ies_len, true, mgmt->bssid, NULL);
>>> -=20
>>> -- if (!elems || elems->parse_error)
>>> -- break;
>>> -+ if (elems && !elems->parse_error) {
>>> -+ /* for the handling code pretend it was an IE */
>>> -+ elems->ext_chansw_ie =3D
>>> -+ &mgmt->u.action.u.ext_chan_switch.data;
>>> -=20
>>> -- /* for the handling code pretend this was also an IE */
>>> -- elems->ext_chansw_ie =3D
>>> -- &mgmt->u.action.u.ext_chan_switch.data;
>>> -+ ieee80211_sta_process_chanswitch(sdata,
>>> -+ rx_status->mactime,
>>> -+ rx_status->device_timestamp,
>>> -+ elems, false);
>>> -+ }
>>> -=20
>>> -- ieee80211_sta_process_chanswitch(sdata,
>>> -- rx_status->mactime,
>>> -- rx_status->device_timestamp,
>>> -- elems, false);
>>> - kfree(elems);
>>> - }
>>> - break;
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-14.patch = b/src/patches/linux/linux-5.15-wifi-security-patches-14.patch
>>> deleted file mode 100644
>>> index f0ccc0b6a..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-14.patch
>>> +++ /dev/null
>>> @@ -1,107 +0,0 @@
>>> -From de124365a7d2deed22cf706583930f28d537ff0f Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Thu, 13 Oct 2022 20:16:01 +0200
>>> -Subject: [PATCH] wifi: mac80211: fix MBSSID parsing use-after-free
>>> -
>>> -commit ff05d4b45dd89b922578dac497dcabf57cf771c6
>>> -
>>> -When we parse a multi-BSSID element, we might point some
>>> -element pointers into the allocated nontransmitted_profile.
>>> -However, we free this before returning, causing UAF when the
>>> -relevant pointers in the parsed elements are accessed.
>>> -
>>> -Fix this by not allocating the scratch buffer separately but
>>> -as part of the returned structure instead, that way, there
>>> -are no lifetime issues with it.
>>> -
>>> -The scratch buffer introduction as part of the returned data
>>> -here is taken from MLO feature work done by Ilan.
>>> -
>>> -This fixes CVE-2022-42719.
>>> -
>>> -Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
>>> -Co-developed-by: Ilan Peer
>>> -Signed-off-by: Ilan Peer
>>> -Reviewed-by: Kees Cook
>>> -Signed-off-by: Johannes Berg
>>> -Cc: Felix Fietkau
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ---
>>> - net/mac80211/ieee80211_i.h | 8 ++++++++
>>> - net/mac80211/util.c | 29 ++++++++++++++---------------
>>> - 2 files changed, 22 insertions(+), 15 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>>> -index 3633e49239c7..21549a440b38 100644
>>> ---- a/net/mac80211/ieee80211_i.h
>>> -+++ b/net/mac80211/ieee80211_i.h
>>> -@@ -1613,6 +1613,14 @@ struct ieee802_11_elems {
>>> -=20
>>> - /* whether a parse error occurred while retrieving these elements */
>>> - bool parse_error;
>>> -+
>>> -+ /*
>>> -+ * scratch buffer that can be used for various element parsing related
>>> -+ * tasks, e.g., element de-fragmentation etc.
>>> -+ */
>>> -+ size_t scratch_len;
>>> -+ u8 *scratch_pos;
>>> -+ u8 scratch[];
>>> - };
>>> -=20
>>> - static inline struct ieee80211_local *hw_to_local(
>>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>>> -index 2ac61e68b6b4..354badd32793 100644
>>> ---- a/net/mac80211/util.c
>>> -+++ b/net/mac80211/util.c
>>> -@@ -1475,24 +1475,25 @@ struct ieee802_11_elems *ieee802_11_parse_elems_= crc(const u8 *start, size_t len,
>>> - u8 *nontransmitted_profile;
>>> - int nontransmitted_profile_len =3D 0;
>>> -=20
>>> -- elems =3D kzalloc(sizeof(*elems), GFP_ATOMIC);
>>> -+ elems =3D kzalloc(sizeof(*elems) + len, GFP_ATOMIC);
>>> - if (!elems)
>>> - return NULL;
>>> - elems->ie_start =3D start;
>>> - elems->total_len =3D len;
>>> -=20
>>> -- nontransmitted_profile =3D kmalloc(len, GFP_ATOMIC);
>>> -- if (nontransmitted_profile) {
>>> -- nontransmitted_profile_len =3D
>>> -- ieee802_11_find_bssid_profile(start, len, elems,
>>> -- transmitter_bssid,
>>> -- bss_bssid,
>>> -- nontransmitted_profile);
>>> -- non_inherit =3D
>>> -- cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
>>> -- nontransmitted_profile,
>>> -- nontransmitted_profile_len);
>>> -- }
>>> -+ elems->scratch_len =3D len;
>>> -+ elems->scratch_pos =3D elems->scratch;
>>> -+
>>> -+ nontransmitted_profile =3D elems->scratch_pos;
>>> -+ nontransmitted_profile_len =3D
>>> -+ ieee802_11_find_bssid_profile(start, len, elems,
>>> -+ transmitter_bssid,
>>> -+ bss_bssid,
>>> -+ nontransmitted_profile);
>>> -+ non_inherit =3D
>>> -+ cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
>>> -+ nontransmitted_profile,
>>> -+ nontransmitted_profile_len);
>>> -=20
>>> - crc =3D _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
>>> - crc, non_inherit);
>>> -@@ -1521,8 +1522,6 @@ struct ieee802_11_elems *ieee802_11_parse_elems_cr= c(const u8 *start, size_t len,
>>> - offsetofend(struct ieee80211_bssid_index, dtim_count))
>>> - elems->dtim_count =3D elems->bssid_index->dtim_count;
>>> -=20
>>> --
kfree(nontransmitted_profile);
>>> --
>>> - elems->crc =3D crc;
>>> -=20
>>> - return elems;
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-2.patch b= /src/patches/linux/linux-5.15-wifi-security-patches-2.patch
>>> deleted file mode 100644
>>> index d2a04e717..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-2.patch
>>> +++ /dev/null
>>> @@ -1,59 +0,0 @@
>>> -From 0a861bd25dad508e492c48169509d8c6b9246895 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Wed, 28 Sep 2022 22:01:37 +0200
>>> -Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements
>>> -
>>> -commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
>>> -
>>> -Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
>>> -and the minimum is 1 since a multiple BSSID set with just one BSSID
>>> -doesn't make sense (the # of BSSIDs is limited by 2^n).
>>> -
>>> -Limit this in the parsing in both cfg80211 and mac80211, rejecting
>>> -any elements with an invalid value.
>>> -
>>> -This fixes potentially bad shifts in the processing of these inside
>>> -the cfg80211_gen_new_bssid() function later.
>>> -
>>> -I found this during the investigation of CVE-2022-41674 fixed by the
>>> -previous patch.
>>> -
>>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in= scanning")
>>> -Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
>>> -Reviewed-by: Kees Cook
>>> -Signed-off-by: Johannes Berg
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ---
>>> - net/mac80211/util.c | 2 ++
>>> - net/wireless/scan.c | 2 ++
>>> - 2 files changed, 4 insertions(+)
>>> -
>>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>>> -index be1911d8089f..00543ea9c6b5 100644
>>> ---- a/net/mac80211/util.c
>>> -+++ b/net/mac80211/util.c
>>> -@@ -1414,6 +1414,8 @@ static size_t ieee802_11_find_bssid_profile(const = u8 *start, size_t len,
>>> - for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
>>> - if (elem->datalen < 2)
>>> - continue;
>>> -+ if (elem->data[0] < 1 || elem->data[0] > 8)
>>> -+ continue;
>>> -=20
>>> - for_each_element(sub, elem->data + 1, elem->datalen - 1) {
>>> - u8 new_bssid[ETH_ALEN];
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index d9ab37a798f4..84c642eae4d8 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -2103,6 +2103,8 @@
static void cfg80211_parse_mbssid_data(struct wiph= y *wiphy,
>>> - for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
>>> - if (elem->datalen < 4)
>>> - continue;
>>> -+ if (elem->data[0] < 1 || (int)elem->data[0] > 8)
>>> -+ continue;
>>> - for_each_element(sub, elem->data + 1, elem->datalen - 1) {
>>> - u8 profile_len;
>>> -=20
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-3.patch b= /src/patches/linux/linux-5.15-wifi-security-patches-3.patch
>>> deleted file mode 100644
>>> index 60be08214..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-3.patch
>>> +++ /dev/null
>>> @@ -1,49 +0,0 @@
>>> -From 9e99ca59ed3976921f8891c103d503b6da3e78af Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Thu, 29 Sep 2022 21:50:44 +0200
>>> -Subject: [PATCH] wifi: cfg80211: ensure length byte is present before ac= cess
>>> -
>>> -commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
>>> -
>>> -When iterating the elements here, ensure the length byte is
>>> -present before checking it to see if the entire element will
>>> -fit into the buffer.
>>> -
>>> -Longer term, we should rewrite this code using the type-safe
>>> -element iteration macros that check all of this.
>>> -
>>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in= scanning")
>>> -Reported-by: Soenke Huster
>>> -Signed-off-by: Johannes Berg
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ---
>>> - net/wireless/scan.c | 6 ++++--
>>> - 1 file changed, 4 insertions(+), 2 deletions(-)
>>> -
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index 84c642eae4d8..04c9b78b3fec 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size= _t ielen,
>>> - tmp_old =3D cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
>>> - tmp_old =3D (tmp_old) ?
tmp_old + tmp_old[1] + 2 : ie;
>>> -=20
>>> -- while (tmp_old + tmp_old[1] + 2 - ie <=3D ielen) {
>>> -+ while (tmp_old + 2 - ie <=3D ielen &&
>>> -+ tmp_old + tmp_old[1] + 2 - ie <=3D ielen) {
>>> - if (tmp_old[0] =3D=3D 0) {
>>> - tmp_old++;
>>> - continue;
>>> -@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size= _t ielen,
>>> - * copied to new ie, skip ssid, capability, bssid-index ie
>>> - */
>>> - tmp_new =3D sub_copy;
>>> -- while (tmp_new + tmp_new[1] + 2 - sub_copy <=3D subie_len) {
>>> -+ while (tmp_new + 2 - sub_copy <=3D subie_len &&
>>> -+ tmp_new + tmp_new[1] + 2 - sub_copy <=3D subie_len) {
>>> - if (!(tmp_new[0] =3D=3D WLAN_EID_NON_TX_BSSID_CAP ||
>>> - tmp_new[0] =3D=3D WLAN_EID_SSID)) {
>>> - memcpy(pos, tmp_new, tmp_new[1] + 2);
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-4.patch b= /src/patches/linux/linux-5.15-wifi-security-patches-4.patch
>>> deleted file mode 100644
>>> index bd2439041..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-4.patch
>>> +++ /dev/null
>>> @@ -1,96 +0,0 @@
>>> -From bfe29873454f38eb1a511a76144ad1a4848ca176 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Fri, 30 Sep 2022 23:44:23 +0200
>>> -Subject: [PATCH] wifi: cfg80211: fix BSS refcounting bugs
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=3Dutf8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream.
>>> -
>>> -There are multiple refcounting bugs related to multi-BSSID:
>>> - - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
>>> - the bss pointer is overwritten before checking for the
>>> - transmitted BSS, which is clearly wrong. Fix this by using
>>> - the bss_from_pub() macro.
>>> -
>>> - - In cfg80211_bss_update() we copy the transmitted_bss pointer
>>> - from tmp into new, but then if we release new, we'll unref
>>> - it erroneously. We already set the pointer and ref it, but
>>> - need to NULL it since it was copied from the tmp data.
>>> -
>>> - - In cfg80211_inform_single_bss_data(), if adding to the non-
>>> - transmitted list fails, we unlink the BSS and yet still we
>>> - return it, but this results in returning an entry without
>>> - a reference. We shouldn't return it anyway if it was broken
>>> - enough to not get added there.
>>> -
>>> -This fixes CVE-2022-42720.
>>> -
>>> -Reported-by: S=C3=83=C2=B6nke Huster
>>> -Tested-by: S=C3=83=C2=B6nke Huster
>>> -Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-tran= smitting BSS")
>>> -Signed-off-by: Johannes Berg
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ---
>>> - net/wireless/scan.c | 27 ++++++++++++++-------------
>>> - 1 file changed, 14 insertions(+), 13 deletions(-)
>>> -
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index 04c9b78b3fec..2e576714e989 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cfg80211_reg= istered_device *rdev,
>>> - lockdep_assert_held(&rdev->bss_lock);
>>> -=20
>>> - bss->refcount++;
>>> -- if (bss->pub.hidden_beacon_bss) {
>>> -- bss =3D container_of(bss->pub.hidden_beacon_bss,
>>> -- struct cfg80211_internal_bss,
>>> -- pub);
>>> -- bss->refcount++;
>>> -- }
>>> -- if (bss->pub.transmitted_bss) {
>>> -- bss =3D container_of(bss->pub.transmitted_bss,
>>> -- struct cfg80211_internal_bss,
>>> -- pub);
>>> -- bss->refcount++;
>>> -- }
>>> -+
>>> -+ if (bss->pub.hidden_beacon_bss)
>>> -+ bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
>>> -+
>>> -+ if (bss->pub.transmitted_bss)
>>> -+ bss_from_pub(bss->pub.transmitted_bss)->refcount++;
>>> - }
>>> -=20
>>> - static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
>>> -@@ -1743,6 +1737,8 @@ cfg80211_bss_update(struct cfg80211_registered_dev= ice *rdev,
>>> - new->refcount =3D 1;
>>> - INIT_LIST_HEAD(&new->hidden_list);
>>> - INIT_LIST_HEAD(&new->pub.nontrans_list);
>>> -+ /* we'll set this later if it was non-NULL */
>>> -+ new->pub.transmitted_bss =3D NULL;
>>> -=20
>>> - if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
>>> - hidden =3D rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
>>> -@@ -1983,10 +1979,15 @@ cfg80211_inform_single_bss_data(struct wiphy *wi= phy,
>>> - spin_lock_bh(&rdev->bss_lock);
>>> - if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
>>> -
&res->pub)) {
>>> -- if (__cfg80211_unlink_bss(rdev, res))
>>> -+ if (__cfg80211_unlink_bss(rdev, res)) {
>>> - rdev->bss_generation++;
>>> -+ res =3D NULL;
>>> -+ }
>>> - }
>>> - spin_unlock_bh(&rdev->bss_lock);
>>> -+
>>> -+ if (!res)
>>> -+ return NULL;
>>> - }
>>> -=20
>>> - trace_cfg80211_return_bss(&res->pub);
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch b= /src/patches/linux/linux-5.15-wifi-security-patches-5.patch
>>> deleted file mode 100644
>>> index c0c4dadd3..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
>>> +++ /dev/null
>>> @@ -1,56 +0,0 @@
>>> -From 0a8ee682e4f992eccce226b012bba600bb2251e2 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Sat, 1 Oct 2022 00:01:44 +0200
>>> -Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list corruption
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=3Dutf8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
>>> -
>>> -If a non-transmitted BSS shares enough information (both
>>> -SSID and BSSID!) with another non-transmitted BSS of a
>>> -different AP, then we can find and update it, and then
>>> -try to add it to the non-transmitted BSS list. We do a
>>> -search for it on the transmitted BSS, but if it's not
>>> -there (but belongs to another transmitted BSS), the list
>>> -gets corrupted.
>>> -
>>> -Since this is an erroneous situation, simply fail the
>>> -list insertion in this case and free the non-transmitted
>>> -BSS.
>>> -
>>> -This fixes CVE-2022-42721.
>>> -
>>> -Reported-by: S=C3=83=C2=B6nke Huster
>>> -Tested-by: S=C3=83=C2=B6nke Huster
>>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in= scanning")
>>> -Signed-off-by: Johannes Berg
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ---
>>> - net/wireless/scan.c | 9 +++++++++
>>> - 1 file changed, 9 insertions(+)
>>> -
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index 2e576714e989..a21baf7b3612 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *tra= ns_bss,
>>> -=20
>>> - rcu_read_unlock();
>>> -=20
>>> -+ /*
>>> -+ * This is a bit weird - it's not on the list, but already on another
>>> -+ * one! The only way that could happen is if there's some BSSID/SSID
>>> -+ * shared by multiple APs in their multi-BSSID profiles, potentially
>>> -+ * with hidden SSID mixed in ... ignore it.
>>> -+ */
>>> -+ if (!list_empty(&nontrans_bss->nontrans_list))
>>> -+ return -EINVAL;
>>> -+
>>> - /* add to the list */
>>> - list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
>>> - return 0;
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-6.patch b= /src/patches/linux/linux-5.15-wifi-security-patches-6.patch
>>> deleted file mode 100644
>>> index caa380de8..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-6.patch
>>> +++ /dev/null
>>> @@ -1,39 +0,0 @@
>>> -From fff244e9171b2ca692469d41c68b36607bd73ab0 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Wed, 5 Oct 2022 15:10:09 +0200
>>> -Subject: [PATCH] wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=3Dutf8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -commit 1833b6f46d7e2830251a063935ab464256defe22 upstream.
>>> -
>>> -If the tool on the other side (e.g. wmediumd) gets confused
>>> -about the rate, we hit a warning in mac80211. Silence that
>>> -by effectively duplicating the check here and dropping the
>>> -frame silently (in mac80211 it's dropped with the warning).
>>> -
>>> -Reported-by: S=C3=83=C2=B6nke Huster
>>> -Tested-by: S=C3=83=C2=B6nke Huster
>>> -Signed-off-by: Johannes Berg
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ---
>>> - drivers/net/wireless/mac80211_hwsim.c | 2 ++
>>> - 1 file changed, 2 insertions(+)
>>> -
>>> -diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireles= s/mac80211_hwsim.c
>>> -index 52a2574b7d13..b228567b2a73 100644
>>> ---- a/drivers/net/wireless/mac80211_hwsim.c
>>> -+++ b/drivers/net/wireless/mac80211_hwsim.c
>>> -@@ -3749,6 +3749,8 @@ static int hwsim_cloned_frame_received_nl(struct s= k_buff *skb_2,
>>> -=20
>>> - rx_status.band =3D channel->band;
>>> - rx_status.rate_idx =3D nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
>>> -+ if (rx_status.rate_idx >=3D data2->hw->wiphy->bands[rx_status.band]->n= _bitrates)
>>> -+ goto out;
>>> - rx_status.signal =3D nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
>>> -=20
>>> - hdr =3D (void *)skb->data;
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-7.patch b= /src/patches/linux/linux-5.15-wifi-security-patches-7.patch
>>> deleted file mode 100644
>>> index b5cb2ad12..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-7.patch
>>> +++ /dev/null
>>> @@ -1,60 +0,0 @@
>>> -From 93a3a32554079432b49cf87f326607b2a2fab4f2 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Wed, 5 Oct 2022 21:24:10 +0200
>>> -Subject: [PATCH] wifi: mac80211: fix crash in beacon protection for P2P-= device
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=3Dutf8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
>>> -
>>> -If beacon protection is active but the beacon cannot be
>>> -decrypted or is otherwise malformed, we call the cfg80211
>>> -API to report this to userspace, but that uses a netdev
>>> -pointer, which isn't present for P2P-Device. Fix this to
>>> -call it only conditionally to ensure cfg80211 won't crash
>>> -in the case of P2P-Device.
>>> -
>>> -This fixes CVE-2022-42722.
>>> -
>>> -Reported-by: S=C3=83=C2=B6nke Huster
>>> -Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to use= r space")
>>> -Signed-off-by: Johannes Berg
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ---
>>> - net/mac80211/rx.c | 12 +++++++-----
>>> - 1 file changed, 7 insertions(+), 5 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
>>> -index 743e97ba352c..175ead6b19cb 100644
>>> ---- a/net/mac80211/rx.c
>>> -+++ b/net/mac80211/rx.c
>>> -@@ -1982,10 +1982,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data = *rx)
>>> -=20
>>> - if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
>>> - mmie_keyidx >=3D NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
>>> -- NUM_DEFAULT_BEACON_KEYS) {
>>> -- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
>>> -- skb->data,
>>> -- skb->len);
>>> -+ NUM_DEFAULT_BEACON_KEYS) {
>>> -+ if (rx->sdata->dev)
>>> -+ cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
>>> -+ skb->data,
>>> -+ skb->len);
>>> - return RX_DROP_MONITOR; /* unexpected BIP keyidx */
>>> - }
>>> -=20
>>> -@@ -2133,7 +2134,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *r= x)
>>> - /* either the frame has been decrypted or will
be dropped */
>>> - status->flag |=3D RX_FLAG_DECRYPTED;
>>> -=20
>>> -- if (unlikely(ieee80211_is_beacon(fc) && result =3D=3D RX_DROP_UNUSABLE= ))
>>> -+ if (unlikely(ieee80211_is_beacon(fc) && result =3D=3D RX_DROP_UNUSABLE= &&
>>> -+ rx->sdata->dev))
>>> - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
>>> - skb->data, skb->len);
>>> -=20
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-8.patch b= /src/patches/linux/linux-5.15-wifi-security-patches-8.patch
>>> deleted file mode 100644
>>> index 8099f3a72..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-8.patch
>>> +++ /dev/null
>>> @@ -1,94 +0,0 @@
>>> -From d15bb1f6dabe1d2a4155958111bea47db72b599c Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Wed, 5 Oct 2022 23:11:43 +0200
>>> -Subject: [PATCH] wifi: cfg80211: update hidden BSSes to avoid WARN_ON
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=3Dutf8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream.
>>> -
>>> -When updating beacon elements in a non-transmitted BSS,
>>> -also update the hidden sub-entries to the same beacon
>>> -elements, so that a future update through other paths
>>> -won't trigger a WARN_ON().
>>> -
>>> -The warning is triggered because the beacon elements in
>>> -the hidden BSSes that are children of the BSS should
>>> -always be the same as in the parent.
>>> -
>>> -Reported-by: S=C3=83=C2=B6nke Huster
>>> -Tested-by: S=C3=83=C2=B6nke Huster
>>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in= scanning")
>>> -Signed-off-by: Johannes Berg
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ---
>>> - net/wireless/scan.c | 31 ++++++++++++++++++++-----------
>>> - 1 file changed, 20 insertions(+), 11 deletions(-)
>>> -
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index a21baf7b3612..f0de22a6caf7 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -1609,6 +1609,23 @@ struct cfg80211_non_tx_bss {
>>> - u8 bssid_index;
>>> - };
>>> -=20
>>> -+static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *= known,
>>> -+ const struct cfg80211_bss_ies *new_ies,
>>> -+ const struct cfg80211_bss_ies *old_ies)
>>> -+{
>>> -+ struct cfg80211_internal_bss *bss;
>>> -+
>>> -+ /* Assign beacon IEs to all sub entries */
>>> -+ list_for_each_entry(bss, &known->hidden_list, hidden_list) {
>>> -+ const struct cfg80211_bss_ies *ies;
>>> -+
>>> -+ ies =3D rcu_access_pointer(bss->pub.beacon_ies);
>>> -+ WARN_ON(ies !=3D old_ies);
>>> -+
>>> -+ rcu_assign_pointer(bss->pub.beacon_ies,
new_ies);
>>> -+ }
>>> -+}
>>> -+
>>> - static bool
>>> - cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
>>> - struct cfg80211_internal_bss *known,
>>> -@@ -1632,7 +1649,6 @@ cfg80211_update_known_bss(struct cfg80211_register= ed_device *rdev,
>>> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
>>> - } else if (rcu_access_pointer(new->pub.beacon_ies)) {
>>> - const struct cfg80211_bss_ies *old;
>>> -- struct cfg80211_internal_bss *bss;
>>> -=20
>>> - if (known->pub.hidden_beacon_bss &&
>>> - !list_empty(&known->hidden_list)) {
>>> -@@ -1660,16 +1676,7 @@ cfg80211_update_known_bss(struct cfg80211_registe= red_device *rdev,
>>> - if (old =3D=3D rcu_access_pointer(known->pub.ies))
>>> - rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
>>> -=20
>>> -- /* Assign beacon IEs to all sub entries */
>>> -- list_for_each_entry(bss, &known->hidden_list, hidden_list) {
>>> -- const struct cfg80211_bss_ies *ies;
>>> --
>>> -- ies =3D rcu_access_pointer(bss->pub.beacon_ies);
>>> -- WARN_ON(ies !=3D old);
>>> --
>>> -- rcu_assign_pointer(bss->pub.beacon_ies,
>>> -- new->pub.beacon_ies);
>>> -- }
>>> -+ cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
>>> -=20
>>> - if (old)
>>> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
>>> -@@ -2319,6 +2326,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *w= iphy,
>>> - } else {
>>> - old =3D rcu_access_pointer(nontrans_bss->beacon_ies);
>>> - rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies);
>>> -+ cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss),
>>> -+ new_ies, old);
>>> - rcu_assign_pointer(nontrans_bss->ies, new_ies);
>>> - if (old)
>>> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
>>> ---=20
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-9.patch b= /src/patches/linux/linux-5.15-wifi-security-patches-9.patch
>>> deleted file mode 100644
>>> index 5781b077d..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-9.patch
>>> +++ /dev/null
>>> @@ -1,126 +0,0 @@
>>> -From 864f2d3482f4bd0c62b355e35ee8300be8ef488e Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg
>>> -Date: Thu, 13 Oct 2022 20:15:56 +0200
>>> -Subject: [PATCH] mac80211: mesh: clean up rx_bcn_presp API
>>> -
>>> -commit a5b983c6073140b624f64e79fea6d33c3e4315a0 upstream.
>>> -
>>> -We currently pass the entire elements to the rx_bcn_presp()
>>> -method, but only need mesh_config. Additionally, we use the
>>> -length of the elements to calculate back the entire frame's
>>> -length, but that's confusing - just pass the length of the
>>> -frame instead.
>>> -
>>> -Link: https://lore.kernel.org/r/20210920154009.a18ed3d2da6c.I1824b773a0f= bae4453e1433c184678ca14e8df45(a)changeid
>>> -Signed-off-by: Johannes Berg
>>> -Cc: Felix Fietkau
>>> -Signed-off-by: Greg Kroah-Hartman
>>> ---
>>> - net/mac80211/ieee80211_i.h | 7 +++----
>>> - net/mac80211/mesh.c | 4 ++--
>>> - net/mac80211/mesh_sync.c | 26 ++++++++++++--------------
>>> - 3 files changed, 17 insertions(+), 20 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>>> -index f7bea4af2ddb..4bd55af184b2 100644
>>> ---- a/net/mac80211/ieee80211_i.h
>>> -+++ b/net/mac80211/ieee80211_i.h
>>> -@@ -631,10 +631,9 @@ struct ieee80211_if_ocb {
>>> - */
>>> - struct ieee802_11_elems;
>>> - struct ieee80211_mesh_sync_ops {
>>> -- void (*rx_bcn_presp)(struct ieee80211_sub_if_data *sdata,
>>> -- u16 stype,
>>> -- struct ieee80211_mgmt *mgmt,
>>> -- struct ieee802_11_elems *elems,
>>> -+ void (*rx_bcn_presp)(struct ieee80211_sub_if_data *sdata, u16 stype,
>>> -+ struct ieee80211_mgmt *mgmt, unsigned int len,
>>> -+ const struct ieee80211_meshconf_ie *mesh_cfg,
>>> - struct ieee80211_rx_status *rx_status);
>>> -=20
>>> - /* should be called with beacon_data under RCU read lock */
>>> -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
>>> -index 42bd81a30310..9f6414a68d71 100644
>>> ---- a/net/mac80211/mesh.c
>>> -+++ b/net/mac80211/mesh.c
>>> -@@ -1354,8 +1354,8
@@ static void ieee80211_mesh_rx_bcn_presp(struct iee= e80211_sub_if_data *sdata, >>> - } >>> -=20 >>> - if (ifmsh->sync_ops) >>> -- ifmsh->sync_ops->rx_bcn_presp(sdata, >>> -- stype, mgmt, &elems, rx_status); >>> -+ ifmsh->sync_ops->rx_bcn_presp(sdata, stype, mgmt, len, >>> -+ elems.mesh_config, rx_status); >>> - } >>> -=20 >>> - int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata) >>> -diff --git a/net/mac80211/mesh_sync.c b/net/mac80211/mesh_sync.c >>> -index fde93de2b80a..9e342cc2504c 100644 >>> ---- a/net/mac80211/mesh_sync.c >>> -+++ b/net/mac80211/mesh_sync.c >>> -@@ -3,6 +3,7 @@ >>> - * Copyright 2011-2012, Pavel Zubarev >>> - * Copyright 2011-2012, Marco Porsch >>> - * Copyright 2011-2012, cozybit Inc. >>> -+ * Copyright (C) 2021 Intel Corporation >>> - */ >>> -=20 >>> - #include "ieee80211_i.h" >>> -@@ -35,12 +36,12 @@ struct sync_method { >>> - /** >>> - * mesh_peer_tbtt_adjusting - check if an mp is currently adjusting its= TBTT >>> - * >>> -- * @ie: information elements of a management frame from the mesh peer >>> -+ * @cfg: mesh config element from the mesh peer (or %NULL) >>> - */ >>> --static bool mesh_peer_tbtt_adjusting(struct ieee802_11_elems *ie) >>> -+static bool mesh_peer_tbtt_adjusting(const struct ieee80211_meshconf_ie= *cfg) >>> - { >>> -- return (ie->mesh_config->meshconf_cap & >>> -- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING) !=3D 0; >>> -+ return cfg && >>> -+ (cfg->meshconf_cap & IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING); >>> - } >>> -=20 >>> - void mesh_sync_adjust_tsf(struct ieee80211_sub_if_data *sdata) >>> -@@ -76,11 +77,11 @@ void mesh_sync_adjust_tsf(struct ieee80211_sub_if_da= ta *sdata) >>> - } >>> - } >>> -=20 >>> --static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data = *sdata, >>> -- u16 stype, >>> -- struct ieee80211_mgmt *mgmt, >>> -- struct ieee802_11_elems *elems, >>> -- struct ieee80211_rx_status *rx_status) >>> -+static void >>> -+mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data 
*sdata, u16 = stype, >>> -+ struct ieee80211_mgmt *mgmt, unsigned int len, >>> -+ const struct ieee80211_meshconf_ie *mesh_cfg, >>> -+ struct ieee80211_rx_status *rx_status) >>> - { >>> - struct ieee80211_if_mesh *ifmsh =3D &sdata->u.mesh; >>> - struct ieee80211_local *local =3D sdata->local; >>> -@@ -101,10 +102,7 @@ static void mesh_sync_offset_rx_bcn_presp(struct ie= ee80211_sub_if_data *sdata, >>> - */ >>> - if (ieee80211_have_rx_timestamp(rx_status)) >>> - t_r =3D ieee80211_calculate_rx_timestamp(local, rx_status, >>> -- 24 + 12 + >>> -- elems->total_len + >>> -- FCS_LEN, >>> -- 24); >>> -+ len + FCS_LEN, 24); >>> - else >>> - t_r =3D drv_get_tsf(local, sdata); >>> -=20 >>> -@@ -119,7 +117,7 @@ static void mesh_sync_offset_rx_bcn_presp(struct iee= e80211_sub_if_data *sdata, >>> - * dot11MeshNbrOffsetMaxNeighbor non-peer non-MBSS neighbors >>> - */ >>> -=20 >>> -- if (elems->mesh_config && mesh_peer_tbtt_adjusting(elems)) { >>> -+ if (mesh_peer_tbtt_adjusting(mesh_cfg)) { >>> - msync_dbg(sdata, "STA %pM : is adjusting TBTT\n", >>> - sta->sta.addr); >>> - goto no_sync; >>> ---=20 >>> -2.30.2 >>> - >>> --=20 >>> 2.35.3 --===============6448368034313996429==--