ieee80211_parse_neg_ttlm() advances its cursor by map_size for every
TID, even TIDs whose bit is clear in link_map_presence and therefore
contribute no map bytes to the element. A sparse map then makes a
later present TID read past the validated element.

Patch 1/2 moves the cursor advance inside the if-present branch so
the parser walks the same layout that ieee80211_tid_to_link_map_size_ok()
already validates.

Patch 2/2 adds two KUnit cases under the new mac80211-ttlm suite to
lock the layout: sparse_presence_no_oob_read crafts a buffer sized
exactly to the validated element so a pre-fix run is a KASAN
slab-out-of-bounds report; dense_presence_baseline confirms the fix
does not regress the path that was already correct.

Reach is adjacent (AV:A) from an associated peer MLD; the sender does
not need privileges on the victim kernel. The OOB bytes are gated by
valid_links before being applied to driver state, so a peer cannot
turn the read into a policy change. KUnit + KASAN observes a
slab-out-of-bounds read when the element is exactly sized. Whether the
same read trips KASAN through the production RX frame path depends on
allocator state; this series does not include an over-the-air hwsim
replay.
Michael Bommarito (2):
  wifi: mac80211: consume only present negotiated TTLM maps
  wifi: mac80211: add KUnit coverage for negotiated TTLM parser

 net/mac80211/ieee80211_i.h      |   4 +
 net/mac80211/mlme.c             |   5 +-
 net/mac80211/tests/.kunitconfig |   4 +
 net/mac80211/tests/Makefile     |   2 +-
 net/mac80211/tests/ttlm.c       | 175 ++++++++++++++++++++++++++++++++
 5 files changed, 187 insertions(+), 3 deletions(-)
 create mode 100644 net/mac80211/tests/.kunitconfig
 create mode 100644 net/mac80211/tests/ttlm.c
--
2.53.0
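The cursor bug the cover letter describes, modelled as an added standalone C example (editor's illustration, not code from this series or from mac80211). The element layout is simplified to a link_map_presence byte followed by one map_size-byte map per present TID; struct ttlm_elem, ttlm_size_ok(), ttlm_parse() and the advance_always switch are hypothetical names for this model, not the kernel's. The pre-fix walk (advance_always = true) and the fixed walk (advance inside the if-present branch) are run over the same two constructed elements the KUnit cases are described as using: a sparse one sized exactly to what the size check accepts, and a dense baseline. Reads are bounds-checked so the model reports the overrun instead of performing it; in the kernel that same read is what KASAN flags as slab-out-of-bounds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified element view (assumption for this model, not mac80211's struct):
 * data[0] = link_map_presence (bit t set: TID t carries a map), then one
 * map of map_size bytes per present TID, in TID order. */
#define TTLM_NUM_TIDS 8

struct ttlm_elem {
	const uint8_t *data;
	size_t len;       /* element length as already validated */
	size_t map_size;  /* bytes per link map, 1 or 2 */
};

static unsigned int hweight8(uint8_t v)
{
	unsigned int n = 0;
	for (; v; v &= v - 1)
		n++;
	return n;
}

/* Stand-in for the size check: only present TIDs contribute map_size bytes. */
static bool ttlm_size_ok(const struct ttlm_elem *e)
{
	if (e->len < 1 || (e->map_size != 1 && e->map_size != 2))
		return false;
	return e->len == 1 + hweight8(e->data[0]) * e->map_size;
}

static uint16_t ttlm_read_map(const uint8_t *p, size_t map_size)
{
	return map_size == 1 ? p[0] : (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/*
 * advance_always = true reproduces the pre-fix cursor (advance for every TID),
 * false the fixed walk (advance only when a map was consumed). Reads are
 * bounds-checked: the return value is how many bytes past the validated end
 * the read would have reached (0 = all in bounds), the TID goes in *oob_tid.
 */
static size_t ttlm_parse(const struct ttlm_elem *e, bool advance_always,
			 uint16_t out[TTLM_NUM_TIDS], int *oob_tid)
{
	uint8_t presence = e->data[0];
	size_t off = 1;
	int tid;

	*oob_tid = -1;
	for (tid = 0; tid < TTLM_NUM_TIDS; tid++) {
		out[tid] = 0;
		if ((presence >> tid) & 1) {
			if (off + e->map_size > e->len) {
				*oob_tid = tid;
				return off + e->map_size - e->len;
			}
			out[tid] = ttlm_read_map(e->data + off, e->map_size);
			if (!advance_always)
				off += e->map_size;  /* fixed: advance inside if-present */
		}
		if (advance_always)
			off += e->map_size;          /* pre-fix: advance for every TID */
	}
	return 0;
}

/* Constructed samples, sized exactly to what ttlm_size_ok() accepts:
 * sparse = TIDs 0 and 7 with 2-byte maps, dense = all eight TIDs, 1-byte maps. */
static const uint8_t sparse_bytes[] = { 0x81, 0x01, 0x00, 0x02, 0x00 };
static const struct ttlm_elem sparse_elem = { sparse_bytes, sizeof(sparse_bytes), 2 };
static const uint8_t dense_bytes[] = { 0xff, 1, 2, 3, 4, 5, 6, 7, 8 };
static const struct ttlm_elem dense_elem = { dense_bytes, sizeof(dense_bytes), 1 };

/* Overrun in bytes for one walk, and one decoded map (-1 if the walk overran). */
static size_t ttlm_overrun(const struct ttlm_elem *e, bool advance_always)
{
	uint16_t out[TTLM_NUM_TIDS];
	int tid;
	return ttlm_parse(e, advance_always, out, &tid);
}

static int ttlm_map(const struct ttlm_elem *e, bool advance_always, int tid)
{
	uint16_t out[TTLM_NUM_TIDS];
	int oob;
	return ttlm_parse(e, advance_always, out, &oob) ? -1 : out[tid];
}

int main(void)
{
	printf("sparse: size_ok=%d pre-fix overrun=%zu fixed overrun=%zu TID7=%d\n",
	       ttlm_size_ok(&sparse_elem), ttlm_overrun(&sparse_elem, true),
	       ttlm_overrun(&sparse_elem, false), ttlm_map(&sparse_elem, false, 7));
	printf("dense:  size_ok=%d pre-fix overrun=%zu TID7=%d\n",
	       ttlm_size_ok(&dense_elem), ttlm_overrun(&dense_elem, true),
	       ttlm_map(&dense_elem, true, 7));
	return 0;
}
```

On the sparse element the pre-fix walk has moved the cursor to offset 15 of a 5-byte element by the time it reaches TID 7, so the 2-byte read would end 12 bytes past the validated end; the fixed walk reads TID 7 at offset 3 and stays in bounds. On the dense element both walks decode identical maps, which is the regression baseline the second KUnit case checks.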