From nobody Mon May 25 08:11:41 2026 Received: from mail-qk1-f177.google.com (mail-qk1-f177.google.com [209.85.222.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9CA263CCFBD for ; Fri, 15 May 2026 15:17:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778858258; cv=none; b=Bdw5hG7UxALqLU9gM3/Cyxxa5D1sADU+bBPeZySSPqCtPwzkFQypuXerc/QrS+vlpgQ9sGtUTtqxb+L41RFARp3LEqpGdp41r1gHPAOtGqvijVqrpFYSzJ+sEX9Xo++ObSqlt8bY6Le2u+aVtLvcr1WZbDX/4aiFhDJPi1BxfiE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778858258; c=relaxed/simple; bh=u6jb9Fs1k5nZrvjQt4XNUqnejmYfiJ3UGsEMQ5UICJY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=m499IJyRm/paJV1kGCda0qOspzRR/+6ewEA2iw+P3aRHPNdOnczVhCY01EWUeQ4mi0qcDyQuo2B5bYzbTE7AejTGCzkwnT6pfcOxyCAQrRaX9SuFPXmpTHgPLQ/6iNCJhdWV7X/tVs3X4arfPXLXxXOelv7CJeA28WGgjPczuGo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=gY4y2UeF; arc=none smtp.client-ip=209.85.222.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="gY4y2UeF" Received: by mail-qk1-f177.google.com with SMTP id af79cd13be357-9125d2a4d36so45807185a.3 for ; Fri, 15 May 2026 08:17:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778858254; x=1779463054; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=6HI+46hroiLUB5E9BmVjlUPUfW8yVSnW31LUwOO9Kjc=; b=gY4y2UeF0xk+cCnO6b/FLsOWoDWlSBIteQ7sgmv/DtAUZXNcbyyknYrhJ4a13kFchV z1DAiAzsXyci0YJw2Qk57REBS1f4v+BnjJ1K1/lwjXTmKh3CdY5Rfu6a9qOdZokVsObr QwL49ph0iY19Y6s6hAzTRM2yqiJH5QbWZZA7kVw8qEAbt63j5d9Nhrsv4rfjWHELO2ps 9Zc0GTxPvoEljw7MhBJa6vGvdoYS4kBQQUnZZBbjBPVxKdcIvrBUyP81dIrj2OFXMem9 Bcdrgn619ukBZeJlAdzUrH0UesFoFst0LuDPIPbcxIlv9B+AzykCtRpAUWmS+HWgOpif iBsw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778858254; x=1779463054; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=6HI+46hroiLUB5E9BmVjlUPUfW8yVSnW31LUwOO9Kjc=; b=Qr+CbyOtRttgLLkLTMq86jyiRW4sZUrpcTFLdDp1PL/hcGDX/fvrtiDXcyBROOjWRZ j0grojboNYat21I37hlVNkMY7uxz7Aa0wUBZh9zlF1RnfYBmUk9/cWqsynYMlCV8JKSu PiFtcXBM55HNbUUsF9BP6Mk/88y0nAheM7i+owauXcWkRNdiK8pBJ4sR0P9DG0OAOvgn pH0zby+9v58GBUc1sELBF+rIUlHCv1xY+72D4rJPJipwX4wUMawzu5S1Dh4kC+XzYOnW YPcRckBgctKpWG9a8ZembCpj31FgUzUvAK0XjVne+c+YyagmCqelWq/cEAM3bm7bMlGq CxLg== X-Forwarded-Encrypted: i=1; AFNElJ8ROdaa5iBfA0fK4KwkvMf8pmBPe7R/y1DyV3Q5SHLzQ3VFZbL30/uYxrgXlwWlT7kfunGHEWc8+OGziBo=@vger.kernel.org X-Gm-Message-State: AOJu0YzM9lKtplizb8KnuGUHeWSCmc3XLlu0EH2PDFNYBrWeQqq0G1S7 1Urz8skjYl6JWYJZ94JbPG+GIZbnEl+twuFuYrJPqEOi7rAo+k3N564581/Rqb9j X-Gm-Gg: Acq92OFhcHGlqScDcvVgmPe8h53AzvXHYQftZ/iOZ8Ns4lpHuFExToVBT7nfSHvOraR gNGeTRwJAk+uFYX7SWSM7ItDbsam3u1486BYsQe/4KQP67ZbRT//2IUFmU+duPKtUlwst+qatah d3S0Jfy6En4yuvVUeEiKBc8Ax5DVaLX0F0NCie/dkS7KcDeXqWk8eHk5+xao5tXuW2sGKYB731f zPIqlctdXQsLp7uToJ9oTUEbQCAbEOJzANUBQ3hmrSwWpsxZ78Jk+CWFJHzodIecCU2ykF0ZsNJ 6qcZmKBXtr8hTQbDrjLwt6SUZ0ZzAX/MTV9PsSCEVa0jumLn1TMXFlv6hd59+VhApVcAf6PwMZ3 LAEey2Al4k2WW70QcD2fKGfUlb539mX1WI1c4QZE11CtXkPr29ehAbnXK54mOjBSt0bqiXV9cHZ qhVoWE1fmLg/Mfkz8PHQL/fxO1JEZbJPx/czXtUvBbgJDgKKtr++MA5cO43gs0iMNCIImOJ2BTm mOp/SCyIx2r00940InDid64EsJjipKUBIwAWOmVj2E= X-Received: by 2002:a05:620a:2302:20b0:911:f0ff:3d21 with SMTP id af79cd13be357-911f10e8471mr474266085a.37.1778858253882; Fri, 15 May 2026 08:17:33 -0700 (PDT) Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id af79cd13be357-910ba36e638sm569877385a.9.2026.05.15.08.17.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 May 2026 08:17:33 -0700 (PDT) From: Michael Bommarito To: Johannes Berg Cc: Ayala Beker , linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH wireless 1/2] wifi: mac80211: consume only present negotiated TTLM maps Date: Fri, 15 May 2026 11:17:18 -0400 Message-ID: <20260515151719.1317659-2-michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260515151719.1317659-1-michael.bommarito@gmail.com> References: <20260515151719.1317659-1-michael.bommarito@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" ieee80211_tid_to_link_map_size_ok() validates negotiated TTLM elements against the number of link-map entries indicated by link_map_presence. ieee80211_parse_neg_ttlm() must consume the same layout. The parser advanced its cursor for every TID, including TIDs whose presence bit is clear and therefore have no map bytes in the element. A sparse map can then make a later present TID read past the validated element. The bad bytes land in neg_ttlm->{up,down}link[tid] but are gated by valid_links before being applied to driver state, so a peer cannot turn the read into a policy change. Under KUnit + KASAN with an exact-sized element allocation the OOB read is reported as a slab-out-of-bounds; whether the same trigger fires under the production RX path depends on surrounding allocator state. Advance the cursor only when the current TID has a map present. Fixes: 8f500fbc6c65 ("wifi: mac80211: process and save negotiated TID to Li= nk mapping request") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito --- net/mac80211/mlme.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 160ae65a5c645..c3a2844740a14 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -8155,6 +8155,7 @@ ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data= *sdata, "No active links for TID %d", tid); return -EINVAL; } + pos +=3D map_size; } else { map =3D 0; } @@ -8173,7 +8174,6 @@ ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data= *sdata, default: return -EINVAL; } - pos +=3D map_size; } return 0; } --=20 2.53.0 From nobody Mon May 25 08:11:41 2026 Received: from mail-qk1-f170.google.com (mail-qk1-f170.google.com [209.85.222.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D1D8E3CAA2F for ; Fri, 15 May 2026 15:17:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778858261; cv=none; b=UQX1rMlxqtxHmLy/niQC3iHGrz7vtgssckIx1oBC64C/YbL1/Wnwn9yNcsspHsMYIn3AQBEYag2QV9ravomcqVPyDeJXU9/m8GUO63SLrTS5G22nP4TIXrJeVrLtRH5RxG4sDS6yK8AxFWa3KHTJKYaMYAX7sLUhYMHCDFf4Jao= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778858261; c=relaxed/simple; bh=Z75usw3QhAEglguIEOhIGPUv3SaIuY5V+MKHcB1EJ3A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mSPqcKtZ9HJmpG/dCPF6SNYx0mronNln3n409hrAFGwc3e4DZFqgkSNaoLGTIyb0fzZPkCYLck62sjcMO3QZ0opCI6GxEhyeFd/7cf9OCDx4E4o5aO/duiad7BpLTTZgZHl2HAzTTIFfi5fVD2lHR2CQ/QE5k2KETWiAiofKYTU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Hsg4sxkd; arc=none smtp.client-ip=209.85.222.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Hsg4sxkd" Received: by mail-qk1-f170.google.com with SMTP id af79cd13be357-912575fa768so111485885a.2 for ; Fri, 15 May 2026 08:17:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778858255; x=1779463055; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=p4US3tDvikO40MDXGe3cYhe8E3tMaY5/koyKTZbuTHc=; b=Hsg4sxkdWwwrUtB1Ib8cLR1KujlWodqUpbGkmZ8ZhylsECTRmhYQRkOC24izLoqPd9 4pqse742CYo4ca25dtjtm8DgSs2TZDM45CART5s3RIafwgnKLzkxR8GjXLEhqfHbvUre MznKv4CsIaEesrpc3x/TKCGxk1FORUpNiTdtBdd4yRXWjMfcgQoqYT+R3pfXpszNmJkL mvIvhSvhWFyhRFA7e99eqa9ioMD1vIL0qCRJ3dfTJW2gA13Z3ujm34WeG+r5XeMx2Gvd 21sIGP3pmX6tGKiiqkiDq7V1c6akX0Fuy7hdY5/79jiye5SQYqPyoyNel6UD0YSpJBLx Uigw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778858255; x=1779463055; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=p4US3tDvikO40MDXGe3cYhe8E3tMaY5/koyKTZbuTHc=; b=p4koiYEQPx94UsWeaUIp1EELBPvohUq2eu+zblmXonrpugDXu7dp9A1zygqcOUPZXh 75RisJmZd3oqHJNAhbCzQZiflXfewgPjZGz9Kv3piHKUWnt+zalROfQQMIh7T/cdhQZE gEio8uu5P1teda2eXhikThsM5oWCGuNbZTBnjnOI34MbSdni0OZFf2754kidFeOJE4Uk hencHN3H2Hrs0zEUx+1Aq85yC5UL2TOeqWsZaPnYx32yiIwC3Q51+IB4Zj1zgfKp+XNY x2KhyBcFvu41sm6BpV4pY+dOddDOLZ24JHbjTJT+1gXPimrh+OVoGFosjlbKXYB7Kpkl Ip0w== X-Forwarded-Encrypted: i=1; AFNElJ9P13wpUMaB+hetVU8eW1AgOqLQQz+K4YYWEXd49sEcyP/wk08KlBPfK5GC+XvCi2rnOojkPGY/IGnaKLw=@vger.kernel.org X-Gm-Message-State: AOJu0Yxh2wEiODKQHTWSgChrin3DvcqOoWb6T0tRkEbF3d+xsaN1rQl+ QpRTWJByzY+9FysutxLVaYqg6uZV7xY5hlirAl/rJTfRTJx2hGPG5fAF X-Gm-Gg: Acq92OExQx5NAwiLoCA9xW1v9ZQskmhutmUVh1BmWNf1JIoTSInUSS4nhVUBhkmFa7f 6hdMyJoEeEHnIeEdKAF7SQF930eAITlggVvKGdQqoIbMuf1xTAta2W8hi2yG5UtX5582nh3hxBH Sp9tx+mOPYO6jKdQ7v2l3wE8eHPgDiQoAZUvxrws9mv1lZGcUGjr/dBvgDct3ZSrTX7xmvbTZEv Xe41N7DPfog2ddvW+EglxFLNSgoGmO3wLQl7HxCKX2EXuXJIFp20FaTboRTNktL0Uafp/Np2uuK aAHRreWSDPRI9niCKF5S+LKxIOqYrNDxfylYiK9sPNVc1SfB0RoxO+ehVus5Ls8ZTZyMu/EFlAE 4BfJ0FlUI/BY+zj57MryfUv/7wXFh9m8C/RyzsYOkqIodP4Faoh4X2QRrviQi7VjNFpBit3OkMj /+E2wxxjSFIA6kpaB9kySRRp98EVun59fwTGxG5CrPJLt0m/JEaF/vhTZoPyLwHR5vs2cM1MVnJ 7zmdvR4KgE9LF9rPRN+xfcYV7IAEFql4hIrAgXj91w= X-Received: by 2002:a05:620a:7112:b0:8f0:7516:da99 with SMTP id af79cd13be357-911ce90bc41mr703018185a.60.1778858254803; Fri, 15 May 2026 08:17:34 -0700 (PDT) Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id af79cd13be357-910ba36e638sm569877385a.9.2026.05.15.08.17.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 May 2026 08:17:34 -0700 (PDT) From: Michael Bommarito To: Johannes Berg Cc: Ayala Beker , linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH wireless 2/2] wifi: mac80211: add KUnit coverage for negotiated TTLM parser Date: Fri, 15 May 2026 11:17:19 -0400 Message-ID: <20260515151719.1317659-3-michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260515151719.1317659-1-michael.bommarito@gmail.com> References: <20260515151719.1317659-1-michael.bommarito@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add KUnit coverage for ieee80211_parse_neg_ttlm() to lock the sparse link_map_presence layout against future regressions. The sparse_presence_no_oob_read case crafts a negotiated TTLM element with link_map_presence =3D BIT(0) | BIT(7) and bm_size =3D 2 in a buffer sized exactly to the validated element length. Without the parser fix this would read 14 bytes past the buffer when processing TID 7; under KASAN that is a slab-out-of-bounds report. The dense_presence_baseline case crafts a fully populated link_map_presence =3D 0xff element to confirm that the cursor-advance fix does not regress the path that was already correct. Export ieee80211_parse_neg_ttlm via VISIBLE_IF_MAC80211_KUNIT so the test can call it directly. Assisted-by: Claude:claude-sonnet-4-6 Signed-off-by: Michael Bommarito --- net/mac80211/ieee80211_i.h | 4 + net/mac80211/mlme.c | 3 +- net/mac80211/tests/.kunitconfig | 4 + net/mac80211/tests/Makefile | 2 +- net/mac80211/tests/ttlm.c | 175 ++++++++++++++++++++++++++++++++ 5 files changed, 186 insertions(+), 2 deletions(-) create mode 100644 net/mac80211/tests/.kunitconfig create mode 100644 net/mac80211/tests/ttlm.c diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 2a693406294bc..aa9c9781db92e 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -2948,6 +2948,10 @@ ieee80211_determine_chan_mode(struct ieee80211_sub_i= f_data *sdata, struct ieee80211_chan_req *chanreq, struct cfg80211_chan_def *ap_chandef, unsigned long *userspace_selectors); +int ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data *sdata, + const struct ieee80211_ttlm_elem *ttlm, + struct ieee80211_neg_ttlm *neg_ttlm, + u8 *direction); #else #define EXPORT_SYMBOL_IF_MAC80211_KUNIT(sym) #define VISIBLE_IF_MAC80211_KUNIT static diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index c3a2844740a14..9a51870a818da 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -8096,7 +8096,7 @@ ieee80211_send_neg_ttlm_res(struct ieee80211_sub_if_d= ata *sdata, ieee80211_tx_skb(sdata, skb); } =20 -static int +VISIBLE_IF_MAC80211_KUNIT int ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data *sdata, const struct ieee80211_ttlm_elem *ttlm, struct ieee80211_neg_ttlm *neg_ttlm, @@ -8177,6 +8177,7 @@ ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data= *sdata, } return 0; } +EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_parse_neg_ttlm); =20 void ieee80211_process_neg_ttlm_req(struct ieee80211_sub_if_data *sdata, struct ieee80211_mgmt *mgmt, size_t len) diff --git a/net/mac80211/tests/.kunitconfig b/net/mac80211/tests/.kunitcon= fig new file mode 100644 index 0000000000000..ab2cc5cfc1f5c --- /dev/null +++ b/net/mac80211/tests/.kunitconfig @@ -0,0 +1,4 @@ +CONFIG_KUNIT=3Dy +CONFIG_CFG80211=3Dy +CONFIG_MAC80211=3Dy +CONFIG_MAC80211_KUNIT_TEST=3Dy diff --git a/net/mac80211/tests/Makefile b/net/mac80211/tests/Makefile index 3c7f874e5c412..2e9ade90f7b63 100644 --- a/net/mac80211/tests/Makefile +++ b/net/mac80211/tests/Makefile @@ -1,3 +1,3 @@ -mac80211-tests-y +=3D module.o util.o elems.o mfp.o tpe.o chan-mode.o s1g_= tim.o +mac80211-tests-y +=3D module.o util.o elems.o mfp.o tpe.o chan-mode.o s1g_= tim.o ttlm.o =20 obj-$(CONFIG_MAC80211_KUNIT_TEST) +=3D mac80211-tests.o diff --git a/net/mac80211/tests/ttlm.c b/net/mac80211/tests/ttlm.c new file mode 100644 index 0000000000000..18d0592b13d9e --- /dev/null +++ b/net/mac80211/tests/ttlm.c @@ -0,0 +1,175 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * KUnit tests for negotiated TTLM (TID-To-Link Mapping) parsing + * + * Copyright (C) 2026 Michael Bommarito + */ +#include +#include +#include "../ieee80211_i.h" + +MODULE_IMPORT_NS("EXPORTED_FOR_KUNIT_TESTING"); + +/* + * Build a negotiated TTLM element in caller-supplied buffer. + * + * @buf: destination buffer (must be at least elem_size bytes) + * @elem_size: sizeof(ttlm_elem) + 1 (presence byte) + npresent * bm_size + * @presence: link_map_presence bitmask; each set bit =3D> one map follows + * @bm_size: bytes per map (1 or 2); 2 =3D> LINK_MAP_SIZE bit clear + * @maps: array of npresent u16 maps, one per set bit in presence + * + * Control field encodes direction=3DBOTH; no switch-time, no expected-dur, + * no DEF_LINK_MAP. LINK_MAP_SIZE bit is set iff bm_size=3D=3D1. + * + * Returns pointer to the ieee80211_ttlm_elem at buf. + */ +static const struct ieee80211_ttlm_elem * +build_neg_ttlm_elem(u8 *buf, size_t elem_size, + u8 presence, u8 bm_size, const u16 *maps) +{ + struct ieee80211_ttlm_elem *t =3D (void *)buf; + u8 control; + u8 *pos; + int i, tid; + + memset(buf, 0, elem_size); + + control =3D IEEE80211_TTLM_DIRECTION_BOTH; /* bits [1:0] =3D 2 */ + if (bm_size =3D=3D 1) + control |=3D IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE; + + t->control =3D control; + + pos =3D (u8 *)t->optional; + *pos++ =3D presence; + + i =3D 0; + for (tid =3D 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) { + if (!(presence & BIT(tid))) + continue; + if (bm_size =3D=3D 1) + *pos =3D (u8)maps[i]; + else + put_unaligned_le16(maps[i], pos); + pos +=3D bm_size; + i++; + } + + return t; +} + +/* + * sparse_presence_no_oob_read - BIT(0)|BIT(7) presence, bm_size=3D2 + * + * Only TID 0 and TID 7 have maps; TIDs 1-6 are absent. Element length + * is exactly 6 bytes (1 control + 1 presence + 2 * 2-byte maps). + * + * Pre-fix the parser advanced pos by bm_size AFTER the switch() block + * (i.e. unconditionally for every TID), so when processing TID 7 it + * had already advanced 6 * bm_size =3D 12 bytes past the presence byte + * for the absent TIDs before reading the TID-7 map - 14 bytes past the + * end of the 2-byte TID-7 map. Under KASAN that is a slab-out-of-bounds. + * + * After the fix pos is advanced only inside the presence-bit branch so + * the cursor lands exactly at end-of-element after processing TID 7. + */ +static void sparse_presence_no_oob_read(struct kunit *test) +{ + /* + * presence =3D BIT(0)|BIT(7): 2 maps present. + * elem_size =3D sizeof(ttlm_elem) + 1 (presence) + 2*2 (maps) =3D 6. + */ + const u8 presence =3D BIT(0) | BIT(7); + const u8 bm_size =3D 2; + const int npresent =3D 2; + const size_t elem_size =3D sizeof(struct ieee80211_ttlm_elem) + + 1 + npresent * bm_size; + /* + * Allocate exact-size buffer so a pre-fix OOB read walks into the + * KASAN red zone immediately after the allocation. + */ + u8 *buf =3D kunit_kzalloc(test, elem_size, GFP_KERNEL); + const struct ieee80211_ttlm_elem *ttlm; + struct ieee80211_neg_ttlm neg_ttlm =3D {}; + /* Non-zero maps so the parser does not reject with -EINVAL. */ + const u16 maps[2] =3D { 0x0001, 0x0001 }; + u8 direction =3D 0; + int ret; + + KUNIT_ASSERT_NOT_NULL(test, buf); + + ttlm =3D build_neg_ttlm_elem(buf, elem_size, presence, bm_size, maps); + + /* + * Pass NULL for sdata: the only sdata dereference in this code path + * is inside mlme_dbg() on error returns, which are guarded by + * MAC80211_MLME_DEBUG =3D=3D 0 in non-debug builds and by the dead-code + * eliminator in KUnit builds. The success path does not touch sdata. + */ + ret =3D ieee80211_parse_neg_ttlm(NULL, ttlm, &neg_ttlm, &direction); + + KUNIT_EXPECT_EQ(test, ret, 0); + KUNIT_EXPECT_EQ(test, (int)direction, IEEE80211_TTLM_DIRECTION_BOTH); + /* TID 0: map present */ + KUNIT_EXPECT_EQ(test, (int)neg_ttlm.downlink[0], 0x0001); + KUNIT_EXPECT_EQ(test, (int)neg_ttlm.uplink[0], 0x0001); + /* TID 3: absent =3D> map should be 0 */ + KUNIT_EXPECT_EQ(test, (int)neg_ttlm.downlink[3], 0); + KUNIT_EXPECT_EQ(test, (int)neg_ttlm.uplink[3], 0); + /* TID 7: map present */ + KUNIT_EXPECT_EQ(test, (int)neg_ttlm.downlink[7], 0x0001); + KUNIT_EXPECT_EQ(test, (int)neg_ttlm.uplink[7], 0x0001); +} + +/* + * dense_presence_baseline - presence=3D0xff (all 8 TIDs), bm_size=3D2 + * + * Every TID has a map; this is the dense layout the parser handled + * correctly even before the fix. Confirms the cursor-advance fix + * does not regress the already-correct path. + */ +static void dense_presence_baseline(struct kunit *test) +{ + const u8 presence =3D 0xff; + const u8 bm_size =3D 2; + const int npresent =3D 8; + const size_t elem_size =3D sizeof(struct ieee80211_ttlm_elem) + + 1 + npresent * bm_size; + u8 *buf =3D kunit_kzalloc(test, elem_size, GFP_KERNEL); + const struct ieee80211_ttlm_elem *ttlm; + struct ieee80211_neg_ttlm neg_ttlm =3D {}; + const u16 maps[8] =3D { + 0x0003, 0x0003, 0x0003, 0x0003, + 0x0003, 0x0003, 0x0003, 0x0003, + }; + u8 direction =3D 0; + int ret; + + KUNIT_ASSERT_NOT_NULL(test, buf); + + ttlm =3D build_neg_ttlm_elem(buf, elem_size, presence, bm_size, maps); + + ret =3D ieee80211_parse_neg_ttlm(NULL, ttlm, &neg_ttlm, &direction); + + KUNIT_EXPECT_EQ(test, ret, 0); + KUNIT_EXPECT_EQ(test, (int)direction, IEEE80211_TTLM_DIRECTION_BOTH); + /* All TIDs present: every downlink/uplink entry must be 0x0003. */ + for (int tid =3D 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) { + KUNIT_EXPECT_EQ(test, (int)neg_ttlm.downlink[tid], 0x0003); + KUNIT_EXPECT_EQ(test, (int)neg_ttlm.uplink[tid], 0x0003); + } +} + +static struct kunit_case mac80211_ttlm_test_cases[] =3D { + KUNIT_CASE(sparse_presence_no_oob_read), + KUNIT_CASE(dense_presence_baseline), + {} +}; + +static struct kunit_suite mac80211_ttlm =3D { + .name =3D "mac80211-ttlm", + .test_cases =3D mac80211_ttlm_test_cases, +}; + +kunit_test_suite(mac80211_ttlm); --=20 2.53.0