[01/21] linux: Update to 5.15.85

Message ID ce465fc5-7807-d0dd-a46c-0394d375e667@ipfire.org
State Accepted
Commit 63b3a6edb3847476ebb7ea483f38d25f5787fd2e
Series linux: Update to 5.15.85 and backport many IPFire 3.x changes |

Commit Message

Peter Müller Dec. 26, 2022, 7:24 p.m. UTC
  Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/kernel/kernel.config.x86_64-ipfire     |    5 +-
 config/rootfiles/common/x86_64/linux          |   16 +-
 lfs/linux                                     |    9 +-
 .../linux-5.15-wifi-security-patches-1.patch  |   50 -
 .../linux-5.15-wifi-security-patches-10.patch |   98 --
 .../linux-5.15-wifi-security-patches-11.patch |   96 --
 .../linux-5.15-wifi-security-patches-12.patch | 1179 -----------------
 .../linux-5.15-wifi-security-patches-13.patch |  130 --
 .../linux-5.15-wifi-security-patches-14.patch |  107 --
 .../linux-5.15-wifi-security-patches-2.patch  |   59 -
 .../linux-5.15-wifi-security-patches-3.patch  |   49 -
 .../linux-5.15-wifi-security-patches-4.patch  |   96 --
 .../linux-5.15-wifi-security-patches-5.patch  |   56 -
 .../linux-5.15-wifi-security-patches-6.patch  |   39 -
 .../linux-5.15-wifi-security-patches-7.patch  |   60 -
 .../linux-5.15-wifi-security-patches-8.patch  |   94 --
 .../linux-5.15-wifi-security-patches-9.patch  |  126 --
 17 files changed, 10 insertions(+), 2259 deletions(-)
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-7.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.patch
  

Comments

Michael Tremer Dec. 27, 2022, 10:37 a.m. UTC | #1
Hello,

> On 26 Dec 2022, at 20:24, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/kernel/kernel.config.x86_64-ipfire     |    5 +-
> config/rootfiles/common/x86_64/linux          |   16 +-
> lfs/linux                                     |    9 +-
> .../linux-5.15-wifi-security-patches-1.patch  |   50 -
> .../linux-5.15-wifi-security-patches-10.patch |   98 --
> .../linux-5.15-wifi-security-patches-11.patch |   96 --
> .../linux-5.15-wifi-security-patches-12.patch | 1179 -----------------
> .../linux-5.15-wifi-security-patches-13.patch |  130 --
> .../linux-5.15-wifi-security-patches-14.patch |  107 --
> .../linux-5.15-wifi-security-patches-2.patch  |   59 -
> .../linux-5.15-wifi-security-patches-3.patch  |   49 -
> .../linux-5.15-wifi-security-patches-4.patch  |   96 --
> .../linux-5.15-wifi-security-patches-5.patch  |   56 -
> .../linux-5.15-wifi-security-patches-6.patch  |   39 -
> .../linux-5.15-wifi-security-patches-7.patch  |   60 -
> .../linux-5.15-wifi-security-patches-8.patch  |   94 --
> .../linux-5.15-wifi-security-patches-9.patch  |  126 --
> 17 files changed, 10 insertions(+), 2259 deletions(-)
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-7.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.patch
> 
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index bb4655a99..b160322cf 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -1,6 +1,6 @@
> #
> # Automatically generated file; DO NOT EDIT.
> -# Linux/x86 5.15.68-ipfire Kernel Configuration
> +# Linux/x86 5.15.85-ipfire Kernel Configuration
> #
> CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.3.0"
> CONFIG_CC_IS_GCC=y
> @@ -1036,6 +1036,7 @@ CONFIG_INET_ESP=m
> CONFIG_INET_ESP_OFFLOAD=m
> # CONFIG_INET_ESPINTCP is not set
> CONFIG_INET_IPCOMP=m
> +CONFIG_INET_TABLE_PERTURB_ORDER=16

Why didn’t this change in the other architectures’ configuration files?

This hardly looks like an architecture-dependent configuration option to me.

> CONFIG_INET_XFRM_TUNNEL=m
> CONFIG_INET_TUNNEL=m
> CONFIG_INET_DIAG=m
> @@ -7393,6 +7394,8 @@ CONFIG_SYMBOLIC_ERRNAME=y
> CONFIG_DEBUG_BUGVERBOSE=y
> # end of printk and dmesg options
> 
> +CONFIG_AS_HAS_NON_CONST_LEB128=y

This looks more arch-dependent.

> +
> #
> # Compile-time checks and compiler options
> #
> diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
> index 518230b39..d71fa4142 100644
> --- a/config/rootfiles/common/x86_64/linux
> +++ b/config/rootfiles/common/x86_64/linux
> @@ -6525,6 +6525,7 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/ASYNC_TX_DMA
> #lib/modules/KVER-ipfire/build/include/config/ASYNC_XOR
> #lib/modules/KVER-ipfire/build/include/config/AS_AVX512
> +#lib/modules/KVER-ipfire/build/include/config/AS_HAS_NON_CONST_LEB128
> #lib/modules/KVER-ipfire/build/include/config/AS_IS_GNU
> #lib/modules/KVER-ipfire/build/include/config/AS_SHA1_NI
> #lib/modules/KVER-ipfire/build/include/config/AS_SHA256_NI
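Review bot: The twelve `include/config/` entries removed in the later hunks of this file (`BLK_DEBUG_FS`, `DEBUG_FS`, `DEBUG_FS_ALLOW_ALL`, `DYNAMIC_EVENTS`, `UPROBES`, `XEN_DEBUG_FS` and others) have no matching change in the kernel.config hunks of this patch, unlike the `AS_HAS_NON_CONST_LEB128` entry added here. Those config hunks only add two symbols and change the version comment, so the rootfile was presumably regenerated from a tree that already has debugfs and the probe/tracing options switched off, perhaps by a later patch in the series. If so, the removals belong in the patch that changes those options, so that each commit's rootfile matches the kernel it builds and the reduced debug surface shows up as a deliberate change.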
> @@ -6668,8 +6669,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/BITREVERSE
> #lib/modules/KVER-ipfire/build/include/config/BLK_CGROUP
> #lib/modules/KVER-ipfire/build/include/config/BLK_CGROUP_RWSTAT
> -#lib/modules/KVER-ipfire/build/include/config/BLK_DEBUG_FS
> -#lib/modules/KVER-ipfire/build/include/config/BLK_DEBUG_FS_ZONED
> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV
> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_3W_XXXX_RAID
> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_BSG
> @@ -7089,8 +7088,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/DE2104X_DSL
> #lib/modules/KVER-ipfire/build/include/config/DE4X5
> #lib/modules/KVER-ipfire/build/include/config/DEBUG_BUGVERBOSE
> -#lib/modules/KVER-ipfire/build/include/config/DEBUG_FS
> -#lib/modules/KVER-ipfire/build/include/config/DEBUG_FS_ALLOW_ALL
> #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL
> #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC
> #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX
> @@ -7422,7 +7419,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/DW_XDATA_PCIE
> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG
> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG_CORE
> -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_EVENTS
> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE
> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_ARGS
> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_DIRECT_CALLS
> @@ -8024,6 +8020,7 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/INET_IPCOMP
> #lib/modules/KVER-ipfire/build/include/config/INET_RAW_DIAG
> #lib/modules/KVER-ipfire/build/include/config/INET_SCTP_DIAG
> +#lib/modules/KVER-ipfire/build/include/config/INET_TABLE_PERTURB_ORDER
> #lib/modules/KVER-ipfire/build/include/config/INET_TCP_DIAG
> #lib/modules/KVER-ipfire/build/include/config/INET_TUNNEL
> #lib/modules/KVER-ipfire/build/include/config/INET_UDP_DIAG
> @@ -8424,7 +8421,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/LOCKUP_DETECTOR
> #lib/modules/KVER-ipfire/build/include/config/LOCK_DEBUGGING_SUPPORT
> #lib/modules/KVER-ipfire/build/include/config/LOCK_DOWN_KERNEL_FORCE_NONE
> -#lib/modules/KVER-ipfire/build/include/config/LOCK_EVENT_COUNTS
> #lib/modules/KVER-ipfire/build/include/config/LOCK_SPIN_ON_OWNER
> #lib/modules/KVER-ipfire/build/include/config/LOGO
> #lib/modules/KVER-ipfire/build/include/config/LOGO_LINUX_CLUT224
> @@ -9490,7 +9486,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/PRINTER
> #lib/modules/KVER-ipfire/build/include/config/PRINTK
> #lib/modules/KVER-ipfire/build/include/config/PRINTK_SAFE_LOG_BUF_SHIFT
> -#lib/modules/KVER-ipfire/build/include/config/PROBE_EVENTS
> #lib/modules/KVER-ipfire/build/include/config/PROC_EVENTS
> #lib/modules/KVER-ipfire/build/include/config/PROC_FS
> #lib/modules/KVER-ipfire/build/include/config/PROC_PAGE_MONITOR
> @@ -9848,7 +9843,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/SCSI_SCAN_ASYNC
> #lib/modules/KVER-ipfire/build/include/config/SCSI_SMARTPQI
> #lib/modules/KVER-ipfire/build/include/config/SCSI_SNIC
> -#lib/modules/KVER-ipfire/build/include/config/SCSI_SNIC_DEBUG_FS
> #lib/modules/KVER-ipfire/build/include/config/SCSI_SPI_ATTRS
> #lib/modules/KVER-ipfire/build/include/config/SCSI_SRP_ATTRS
> #lib/modules/KVER-ipfire/build/include/config/SCSI_STEX
> @@ -10385,7 +10379,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/SWIOTLB
> #lib/modules/KVER-ipfire/build/include/config/SWIOTLB_XEN
> #lib/modules/KVER-ipfire/build/include/config/SWPHY
> -#lib/modules/KVER-ipfire/build/include/config/SW_SYNC
> #lib/modules/KVER-ipfire/build/include/config/SXGBE_ETH
> #lib/modules/KVER-ipfire/build/include/config/SYMBOLIC_ERRNAME
> #lib/modules/KVER-ipfire/build/include/config/SYNCLINK_GT
> @@ -10533,8 +10526,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/UNIX_DIAG
> #lib/modules/KVER-ipfire/build/include/config/UNIX_SCM
> #lib/modules/KVER-ipfire/build/include/config/UNWINDER_ORC
> -#lib/modules/KVER-ipfire/build/include/config/UPROBES
> -#lib/modules/KVER-ipfire/build/include/config/UPROBE_EVENTS
> #lib/modules/KVER-ipfire/build/include/config/USB
> #lib/modules/KVER-ipfire/build/include/config/USBIP_CORE
> #lib/modules/KVER-ipfire/build/include/config/USBIP_HOST
> @@ -11105,7 +11096,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/XEN_BLKDEV_BACKEND
> #lib/modules/KVER-ipfire/build/include/config/XEN_BLKDEV_FRONTEND
> #lib/modules/KVER-ipfire/build/include/config/XEN_COMPAT_XENFS
> -#lib/modules/KVER-ipfire/build/include/config/XEN_DEBUG_FS
> #lib/modules/KVER-ipfire/build/include/config/XEN_DEV_EVTCHN
> #lib/modules/KVER-ipfire/build/include/config/XEN_DOM0
> #lib/modules/KVER-ipfire/build/include/config/XEN_EFI
> @@ -16866,6 +16856,8 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/init
> #lib/modules/KVER-ipfire/build/init/Kconfig
> #lib/modules/KVER-ipfire/build/init/Makefile
> +#lib/modules/KVER-ipfire/build/io_uring
> +#lib/modules/KVER-ipfire/build/io_uring/Makefile
> #lib/modules/KVER-ipfire/build/ipc
> #lib/modules/KVER-ipfire/build/ipc/Makefile
> #lib/modules/KVER-ipfire/build/kernel
> diff --git a/lfs/linux b/lfs/linux
> index b628307fd..59238049c 100644
> --- a/lfs/linux
> +++ b/lfs/linux
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER         = 5.15.71
> +VER         = 5.15.85
> ARM_PATCHES = 5.15-ipfire5
> 
> THISAPP    = linux-$(VER)
> @@ -78,7 +78,7 @@ objects =$(DL_FILE) \
> $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE)
> arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
> 
> -$(DL_FILE)_BLAKE2 = 77da2393a31b6c6fed7cdfef61a112ae49fcdfce96968daf8c7a690a6e65025c7238c1fe084d0bfda403dc56db877b6db99def12803e840cacf318da40327d7b
> +$(DL_FILE)_BLAKE2 = 481cea334dee4146d72704ecb88f654bd38ca62a5a28540f365a57f5cd522551c4b7f854c09380ec614098a9efa5dff4cef70c9cafe6277a410d3d2099eca1cc
> arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 58a70e757a9121a0aac83604a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165c6a86e0371a3e896f4c7cdd699c34a0
> 
> install : $(TARGET)
> @@ -146,11 +146,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> # https://bugzilla.ipfire.org/show_bug.cgi?id=12889
> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
> 
> - # https://lists.ipfire.org/pipermail/development/2022-October/014562.html
> - for i in $$(seq 1 14); do \
> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-wifi-security-patches-$$i.patch || exit 1; \
> - done
> -
> ifeq "$(BUILD_ARCH)" "armv6l"
> # Apply Arm-multiarch kernel patches.
> cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
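Review bot: The commit message does not record that the fourteen wifi security patches whose loop is removed here are part of 5.15.85, so the removal cannot be checked from the patch alone. The deleted patch files identify what they backport where they carry an upstream reference (patch 1 has `commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.` for CVE-2022-41674). A description line such as `The wifi security patches are included in this release and are dropped.`, written after confirming that each of those fixes is present in the new tarball, would make the removal auditable. The `ifeq` block that follows continues outside this hunk.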
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-1.patch b/src/patches/linux/linux-5.15-wifi-security-patches-1.patch
> deleted file mode 100644
> index b646eea49..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-1.patch
> +++ /dev/null
> @@ -1,50 +0,0 @@
> -From 9a8ef2030510a9d6ce86fd535b8d10720230811f Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Wed, 28 Sep 2022 21:56:15 +0200
> -Subject: [PATCH] wifi: cfg80211: fix u8 overflow in
> - cfg80211_update_notlisted_nontrans()
> -
> -commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
> -
> -In the copy code of the elements, we do the following calculation
> -to reach the end of the MBSSID element:
> -
> - /* copy the IEs after MBSSID */
> - cpy_len = mbssid[1] + 2;
> -
> -This looks fine, however, cpy_len is a u8, the same as mbssid[1],
> -so the addition of two can overflow. In this case the subsequent
> -memcpy() will overflow the allocated buffer, since it copies 256
> -bytes too much due to the way the allocation and memcpy() sizes
> -are calculated.
> -
> -Fix this by using size_t for the cpy_len variable.
> -
> -This fixes CVE-2022-41674.
> -
> -Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
> -Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
> -Reviewed-by: Kees Cook <keescook@chromium.org>
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/wireless/scan.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> -index 1a8b76c9dd56..d9ab37a798f4 100644
> ---- a/net/wireless/scan.c
> -+++ b/net/wireless/scan.c
> -@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
> - size_t new_ie_len;
> - struct cfg80211_bss_ies *new_ies;
> - const struct cfg80211_bss_ies *old;
> -- u8 cpy_len;
> -+ size_t cpy_len;
> - 
> - lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
> - 
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-10.patch b/src/patches/linux/linux-5.15-wifi-security-patches-10.patch
> deleted file mode 100644
> index 51986afe7..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-10.patch
> +++ /dev/null
> @@ -1,98 +0,0 @@
> -From 21df3a583e8e03d8f74fa2eedbcd7a2b3f5cabc1 Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Thu, 13 Oct 2022 20:15:57 +0200
> -Subject: [PATCH] mac80211: move CRC into struct ieee802_11_elems
> -
> -commit c6e37ed498f958254b5459253199e816b6bfc52f upstream.
> -
> -We're currently returning this value, but to prepare for
> -returning the allocated structure, move it into there.
> -
> -Link: https://lore.kernel.org/r/20210920154009.479b8ebf999d.If0d4ba75ee38998dc3eeae25058aa748efcb2fc9@changeid
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Cc: Felix Fietkau <nbd@nbd.name>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/mac80211/ieee80211_i.h |  9 +++++----
> - net/mac80211/mlme.c        |  9 +++++----
> - net/mac80211/util.c        | 10 +++++-----
> - 3 files changed, 15 insertions(+), 13 deletions(-)
> -
> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
> -index 4bd55af184b2..5ea38ae65809 100644
> ---- a/net/mac80211/ieee80211_i.h
> -+++ b/net/mac80211/ieee80211_i.h
> -@@ -1532,6 +1532,7 @@ struct ieee80211_csa_ie {
> - struct ieee802_11_elems {
> - const u8 *ie_start;
> - size_t total_len;
> -+ u32 crc;
> - 
> - /* pointers to IEs */
> - const struct ieee80211_tdls_lnkie *lnk_id;
> -@@ -2218,10 +2219,10 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
> - ieee80211_tx_skb_tid(sdata, skb, 7);
> - }
> - 
> --u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> --       struct ieee802_11_elems *elems,
> --       u64 filter, u32 crc, u8 *transmitter_bssid,
> --       u8 *bss_bssid);
> -+void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> -+ struct ieee802_11_elems *elems,
> -+ u64 filter, u32 crc, u8 *transmitter_bssid,
> -+ u8 *bss_bssid);
> - static inline void ieee802_11_parse_elems(const u8 *start, size_t len,
> -  bool action,
> -  struct ieee802_11_elems *elems,
> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> -index 1548f532dc1a..4414e82e71d1 100644
> ---- a/net/mac80211/mlme.c
> -+++ b/net/mac80211/mlme.c
> -@@ -4102,10 +4102,11 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - */
> - if (!ieee80211_is_s1g_beacon(hdr->frame_control))
> - ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
> -- ncrc = ieee802_11_parse_elems_crc(variable,
> --  len - baselen, false, &elems,
> --  care_about_ies, ncrc,
> --  mgmt->bssid, bssid);
> -+ ieee802_11_parse_elems_crc(variable,
> -+   len - baselen, false, &elems,
> -+   care_about_ies, ncrc,
> -+   mgmt->bssid, bssid);
> -+ ncrc = elems.crc;
> - 
> - if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
> -    ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) {
> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
> -index 00543ea9c6b5..ceb6894381e4 100644
> ---- a/net/mac80211/util.c
> -+++ b/net/mac80211/util.c
> -@@ -1468,10 +1468,10 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
> - return found ? profile_len : 0;
> - }
> - 
> --u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> --       struct ieee802_11_elems *elems,
> --       u64 filter, u32 crc, u8 *transmitter_bssid,
> --       u8 *bss_bssid)
> -+void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> -+ struct ieee802_11_elems *elems,
> -+ u64 filter, u32 crc, u8 *transmitter_bssid,
> -+ u8 *bss_bssid)
> - {
> - const struct element *non_inherit = NULL;
> - u8 *nontransmitted_profile;
> -@@ -1523,7 +1523,7 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> - 
> - kfree(nontransmitted_profile);
> - 
> -- return crc;
> -+ elems->crc = crc;
> - }
> - 
> - void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-11.patch b/src/patches/linux/linux-5.15-wifi-security-patches-11.patch
> deleted file mode 100644
> index ae639c696..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-11.patch
> +++ /dev/null
> @@ -1,96 +0,0 @@
> -From 630060f1175676b9cb3a032767f20dbce93616c9 Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Thu, 13 Oct 2022 20:15:58 +0200
> -Subject: [PATCH] mac80211: mlme: find auth challenge directly
> -
> -commit 49a765d6785e99157ff5091cc37485732496864e upstream.
> -
> -There's no need to parse all elements etc. just to find the
> -authentication challenge - use cfg80211_find_elem() instead.
> -This also allows us to remove WLAN_EID_CHALLENGE handling
> -from the element parsing entirely.
> -
> -Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Cc: Felix Fietkau <nbd@nbd.name>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/mac80211/ieee80211_i.h |  2 --
> - net/mac80211/mlme.c        | 11 ++++++-----
> - net/mac80211/util.c        |  4 ----
> - 3 files changed, 6 insertions(+), 11 deletions(-)
> -
> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
> -index 5ea38ae65809..c5f0ff805010 100644
> ---- a/net/mac80211/ieee80211_i.h
> -+++ b/net/mac80211/ieee80211_i.h
> -@@ -1542,7 +1542,6 @@ struct ieee802_11_elems {
> - const u8 *supp_rates;
> - const u8 *ds_params;
> - const struct ieee80211_tim_ie *tim;
> -- const u8 *challenge;
> - const u8 *rsn;
> - const u8 *rsnx;
> - const u8 *erp_info;
> -@@ -1596,7 +1595,6 @@ struct ieee802_11_elems {
> - u8 ssid_len;
> - u8 supp_rates_len;
> - u8 tim_len;
> -- u8 challenge_len;
> - u8 rsn_len;
> - u8 rsnx_len;
> - u8 ext_supp_rates_len;
> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> -index 4414e82e71d1..548cd14c5503 100644
> ---- a/net/mac80211/mlme.c
> -+++ b/net/mac80211/mlme.c
> -@@ -2889,17 +2889,17 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
> - {
> - struct ieee80211_local *local = sdata->local;
> - struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
> -+ const struct element *challenge;
> - u8 *pos;
> -- struct ieee802_11_elems elems;
> - u32 tx_flags = 0;
> - struct ieee80211_prep_tx_info info = {
> - .subtype = IEEE80211_STYPE_AUTH,
> - };
> - 
> - pos = mgmt->u.auth.variable;
> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
> --       mgmt->bssid, auth_data->bss->bssid);
> -- if (!elems.challenge)
> -+ challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos,
> -+       len - (pos - (u8 *)mgmt));
> -+ if (!challenge)
> - return;
> - auth_data->expected_transaction = 4;
> - drv_mgd_prepare_tx(sdata->local, sdata, &info);
> -@@ -2907,7 +2907,8 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
> - tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
> -   IEEE80211_TX_INTFL_MLME_CONN_TX;
> - ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
> --    elems.challenge - 2, elems.challenge_len + 2,
> -+    (void *)challenge,
> -+    challenge->datalen + sizeof(*challenge),
> -    auth_data->bss->bssid, auth_data->bss->bssid,
> -    auth_data->key, auth_data->key_len,
> -    auth_data->key_idx, tx_flags);
> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
> -index ceb6894381e4..664c32b6db19 100644
> ---- a/net/mac80211/util.c
> -+++ b/net/mac80211/util.c
> -@@ -1117,10 +1117,6 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> - } else
> - elem_parse_failed = true;
> - break;
> -- case WLAN_EID_CHALLENGE:
> -- elems->challenge = pos;
> -- elems->challenge_len = elen;
> -- break;
> - case WLAN_EID_VENDOR_SPECIFIC:
> - if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
> -    pos[2] == 0xf2) {
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-12.patch b/src/patches/linux/linux-5.15-wifi-security-patches-12.patch
> deleted file mode 100644
> index 4dea89e4c..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-12.patch
> +++ /dev/null
> @@ -1,1179 +0,0 @@
> -From fee48f3bdd7516bb63da507213916227cf147211 Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Thu, 13 Oct 2022 20:15:59 +0200
> -Subject: [PATCH] mac80211: always allocate struct ieee802_11_elems
> -
> -As the 802.11 spec evolves, we need to parse more and more
> -elements. This is causing the struct to grow, and we can no
> -longer get away with putting it on the stack.
> -
> -Change the API to always dynamically allocate and return an
> -allocated pointer that must be kfree()d later.
> -
> -As an alternative, I contemplated a scheme whereby we'd say
> -in the code which elements we needed, e.g.
> -
> -    DECLARE_ELEMENT_PARSER(elems,
> -                           SUPPORTED_CHANNELS,
> -                           CHANNEL_SWITCH,
> -                           EXT(KEY_DELIVERY));
> -
> -    ieee802_11_parse_elems(..., &elems, ...);
> -
> -and while I think this is possible and will save us a lot
> -since most individual places only care about a small subset
> -of the elements, it ended up being a bit more work since a
> -lot of places do the parsing and then pass the struct to
> -other functions, sometimes with multiple levels.
> -
> -Link: https://lore.kernel.org/r/20210920154009.26caff6b5998.I05ae58768e990e611aee8eca8abefd9d7bc15e05@changeid
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Cc: Felix Fietkau <nbd@nbd.name>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/mac80211/agg-rx.c      |  11 +--
> - net/mac80211/ibss.c        |  25 +++---
> - net/mac80211/ieee80211_i.h |  22 ++---
> - net/mac80211/mesh.c        |  85 ++++++++++--------
> - net/mac80211/mesh_hwmp.c   |  44 +++++-----
> - net/mac80211/mesh_plink.c  |  11 +--
> - net/mac80211/mlme.c        | 176 +++++++++++++++++++++----------------
> - net/mac80211/scan.c        |  16 ++--
> - net/mac80211/tdls.c        |  63 +++++++------
> - net/mac80211/util.c        |  20 +++--
> - 10 files changed, 272 insertions(+), 201 deletions(-)
> -
> -diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
> -index e43176794149..ffa4f31f6c2b 100644
> ---- a/net/mac80211/agg-rx.c
> -+++ b/net/mac80211/agg-rx.c
> -@@ -478,7 +478,7 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
> -     size_t len)
> - {
> - u16 capab, tid, timeout, ba_policy, buf_size, start_seq_num;
> -- struct ieee802_11_elems elems = { };
> -+ struct ieee802_11_elems *elems = NULL;
> - u8 dialog_token;
> - int ies_len;
> - 
> -@@ -496,16 +496,17 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
> - ies_len = len - offsetof(struct ieee80211_mgmt,
> - u.action.u.addba_req.variable);
> - if (ies_len) {
> -- ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
> --                                ies_len, true, &elems, mgmt->bssid, NULL);
> -- if (elems.parse_error)
> -+ elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
> -+       ies_len, true, mgmt->bssid, NULL);
> -+ if (!elems || elems->parse_error)
> - return;
> - }
> - 
> - __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
> - start_seq_num, ba_policy, tid,
> - buf_size, true, false,
> -- elems.addba_ext_ie);
> -+ elems ? elems->addba_ext_ie : NULL);
> -+ kfree(elems);
> - }
> - 
> - void ieee80211_manage_rx_ba_offl(struct ieee80211_vif *vif,
> -diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
> -index 1e133ca58e78..4b721b48f86a 100644
> ---- a/net/mac80211/ibss.c
> -+++ b/net/mac80211/ibss.c
> -@@ -9,7 +9,7 @@
> -  * Copyright 2009, Johannes Berg <johannes@sipsolutions.net>
> -  * Copyright 2013-2014  Intel Mobile Communications GmbH
> -  * Copyright(c) 2016 Intel Deutschland GmbH
> -- * Copyright(c) 2018-2020 Intel Corporation
> -+ * Copyright(c) 2018-2021 Intel Corporation
> -  */
> - 
> - #include <linux/delay.h>
> -@@ -1593,7 +1593,7 @@ void ieee80211_rx_mgmt_probe_beacon(struct ieee80211_sub_if_data *sdata,
> -    struct ieee80211_rx_status *rx_status)
> - {
> - size_t baselen;
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - 
> - BUILD_BUG_ON(offsetof(typeof(mgmt->u.probe_resp), variable) !=
> -     offsetof(typeof(mgmt->u.beacon), variable));
> -@@ -1606,10 +1606,14 @@ void ieee80211_rx_mgmt_probe_beacon(struct ieee80211_sub_if_data *sdata,
> - if (baselen > len)
> - return;
> - 
> -- ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
> --       false, &elems, mgmt->bssid, NULL);
> -+ elems = ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
> -+       len - baselen, false,
> -+       mgmt->bssid, NULL);
> - 
> -- ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems);
> -+ if (elems) {
> -+ ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, elems);
> -+ kfree(elems);
> -+ }
> - }
> - 
> - void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> -@@ -1618,7 +1622,7 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> - struct ieee80211_rx_status *rx_status;
> - struct ieee80211_mgmt *mgmt;
> - u16 fc;
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - int ies_len;
> - 
> - rx_status = IEEE80211_SKB_RXCB(skb);
> -@@ -1655,15 +1659,16 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> - if (ies_len < 0)
> - break;
> - 
> -- ieee802_11_parse_elems(
> -+ elems = ieee802_11_parse_elems(
> - mgmt->u.action.u.chan_switch.variable,
> -- ies_len, true, &elems, mgmt->bssid, NULL);
> -+ ies_len, true, mgmt->bssid, NULL);
> - 
> -- if (elems.parse_error)
> -+ if (!elems || elems->parse_error)
> - break;
> - 
> - ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
> -- rx_status, &elems);
> -+ rx_status, elems);
> -+ kfree(elems);
> - break;
> - }
> - }
> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
> -index c5f0ff805010..3633e49239c7 100644
> ---- a/net/mac80211/ieee80211_i.h
> -+++ b/net/mac80211/ieee80211_i.h
> -@@ -2217,18 +2217,18 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
> - ieee80211_tx_skb_tid(sdata, skb, 7);
> - }
> - 
> --void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> -- struct ieee802_11_elems *elems,
> -- u64 filter, u32 crc, u8 *transmitter_bssid,
> -- u8 *bss_bssid);
> --static inline void ieee802_11_parse_elems(const u8 *start, size_t len,
> --  bool action,
> --  struct ieee802_11_elems *elems,
> --  u8 *transmitter_bssid,
> --  u8 *bss_bssid)
> -+struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
> -+    bool action,
> -+    u64 filter, u32 crc,
> -+    const u8 *transmitter_bssid,
> -+    const u8 *bss_bssid);
> -+static inline struct ieee802_11_elems *
> -+ieee802_11_parse_elems(const u8 *start, size_t len, bool action,
> -+       const u8 *transmitter_bssid,
> -+       const u8 *bss_bssid)
> - {
> -- ieee802_11_parse_elems_crc(start, len, action, elems, 0, 0,
> --   transmitter_bssid, bss_bssid);
> -+ return ieee802_11_parse_elems_crc(start, len, action, 0, 0,
> -+  transmitter_bssid, bss_bssid);
> - }
> - 
> - 
> -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
> -index 9f6414a68d71..6847fdf93439 100644
> ---- a/net/mac80211/mesh.c
> -+++ b/net/mac80211/mesh.c
> -@@ -1247,7 +1247,7 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
> - struct sk_buff *presp;
> - struct beacon_data *bcn;
> - struct ieee80211_mgmt *hdr;
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - size_t baselen;
> - u8 *pos;
> - 
> -@@ -1256,22 +1256,24 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
> - if (baselen > len)
> - return;
> - 
> -- ieee802_11_parse_elems(pos, len - baselen, false, &elems, mgmt->bssid,
> --       NULL);
> --
> -- if (!elems.mesh_id)
> -+ elems = ieee802_11_parse_elems(pos, len - baselen, false, mgmt->bssid,
> -+       NULL);
> -+ if (!elems)
> - return;
> - 
> -+ if (!elems->mesh_id)
> -+ goto free;
> -+
> - /* 802.11-2012 10.1.4.3.2 */
> - if ((!ether_addr_equal(mgmt->da, sdata->vif.addr) &&
> -     !is_broadcast_ether_addr(mgmt->da)) ||
> --    elems.ssid_len != 0)
> -- return;
> -+    elems->ssid_len != 0)
> -+ goto free;
> - 
> -- if (elems.mesh_id_len != 0 &&
> --    (elems.mesh_id_len != ifmsh->mesh_id_len ||
> --     memcmp(elems.mesh_id, ifmsh->mesh_id, ifmsh->mesh_id_len)))
> -- return;
> -+ if (elems->mesh_id_len != 0 &&
> -+    (elems->mesh_id_len != ifmsh->mesh_id_len ||
> -+     memcmp(elems->mesh_id, ifmsh->mesh_id, ifmsh->mesh_id_len)))
> -+ goto free;
> - 
> - rcu_read_lock();
> - bcn = rcu_dereference(ifmsh->beacon);
> -@@ -1295,6 +1297,8 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
> - ieee80211_tx_skb(sdata, presp);
> - out:
> - rcu_read_unlock();
> -+free:
> -+ kfree(elems);
> - }
> - 
> - static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
> -@@ -1305,7 +1309,7 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
> - {
> - struct ieee80211_local *local = sdata->local;
> - struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - struct ieee80211_channel *channel;
> - size_t baselen;
> - int freq;
> -@@ -1320,42 +1324,47 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
> - if (baselen > len)
> - return;
> - 
> -- ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
> --       false, &elems, mgmt->bssid, NULL);
> -+ elems = ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
> -+       len - baselen,
> -+       false, mgmt->bssid, NULL);
> -+ if (!elems)
> -+ return;
> - 
> - /* ignore non-mesh or secure / unsecure mismatch */
> -- if ((!elems.mesh_id || !elems.mesh_config) ||
> --    (elems.rsn && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) ||
> --    (!elems.rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE))
> -- return;
> -+ if ((!elems->mesh_id || !elems->mesh_config) ||
> -+    (elems->rsn && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) ||
> -+    (!elems->rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE))
> -+ goto free;
> - 
> -- if (elems.ds_params)
> -- freq = ieee80211_channel_to_frequency(elems.ds_params[0], band);
> -+ if (elems->ds_params)
> -+ freq = ieee80211_channel_to_frequency(elems->ds_params[0], band);
> - else
> - freq = rx_status->freq;
> - 
> - channel = ieee80211_get_channel(local->hw.wiphy, freq);
> - 
> - if (!channel || channel->flags & IEEE80211_CHAN_DISABLED)
> -- return;
> -+ goto free;
> - 
> -- if (mesh_matches_local(sdata, &elems)) {
> -+ if (mesh_matches_local(sdata, elems)) {
> - mpl_dbg(sdata, "rssi_threshold=%d,rx_status->signal=%d\n",
> - sdata->u.mesh.mshcfg.rssi_threshold, rx_status->signal);
> - if (!sdata->u.mesh.user_mpm ||
> -    sdata->u.mesh.mshcfg.rssi_threshold == 0 ||
> -    sdata->u.mesh.mshcfg.rssi_threshold < rx_status->signal)
> -- mesh_neighbour_update(sdata, mgmt->sa, &elems,
> -+ mesh_neighbour_update(sdata, mgmt->sa, elems,
> -      rx_status);
> - 
> - if (ifmsh->csa_role != IEEE80211_MESH_CSA_ROLE_INIT &&
> -    !sdata->vif.csa_active)
> -- ieee80211_mesh_process_chnswitch(sdata, &elems, true);
> -+ ieee80211_mesh_process_chnswitch(sdata, elems, true);
> - }
> - 
> - if (ifmsh->sync_ops)
> - ifmsh->sync_ops->rx_bcn_presp(sdata, stype, mgmt, len,
> --      elems.mesh_config, rx_status);
> -+      elems->mesh_config, rx_status);
> -+free:
> -+ kfree(elems);
> - }
> - 
> - int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
> -@@ -1447,7 +1456,7 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
> -      struct ieee80211_mgmt *mgmt, size_t len)
> - {
> - struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - u16 pre_value;
> - bool fwd_csa = true;
> - size_t baselen;
> -@@ -1460,33 +1469,37 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
> - pos = mgmt->u.action.u.chan_switch.variable;
> - baselen = offsetof(struct ieee80211_mgmt,
> -   u.action.u.chan_switch.variable);
> -- ieee802_11_parse_elems(pos, len - baselen, true, &elems,
> --       mgmt->bssid, NULL);
> --
> -- if (!mesh_matches_local(sdata, &elems))
> -+ elems = ieee802_11_parse_elems(pos, len - baselen, true,
> -+       mgmt->bssid, NULL);
> -+ if (!elems)
> - return;
> - 
> -- ifmsh->chsw_ttl = elems.mesh_chansw_params_ie->mesh_ttl;
> -+ if (!mesh_matches_local(sdata, elems))
> -+ goto free;
> -+
> -+ ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
> - if (!--ifmsh->chsw_ttl)
> - fwd_csa = false;
> - 
> -- pre_value = le16_to_cpu(elems.mesh_chansw_params_ie->mesh_pre_value);
> -+ pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
> - if (ifmsh->pre_value >= pre_value)
> -- return;
> -+ goto free;
> - 
> - ifmsh->pre_value = pre_value;
> - 
> - if (!sdata->vif.csa_active &&
> --    !ieee80211_mesh_process_chnswitch(sdata, &elems, false)) {
> -+    !ieee80211_mesh_process_chnswitch(sdata, elems, false)) {
> - mcsa_dbg(sdata, "Failed to process CSA action frame");
> -- return;
> -+ goto free;
> - }
> - 
> - /* forward or re-broadcast the CSA frame */
> - if (fwd_csa) {
> -- if (mesh_fwd_csa_frame(sdata, mgmt, len, &elems) < 0)
> -+ if (mesh_fwd_csa_frame(sdata, mgmt, len, elems) < 0)
> - mcsa_dbg(sdata, "Failed to forward the CSA frame");
> - }
> -+free:
> -+ kfree(elems);
> - }
> - 
> - static void ieee80211_mesh_rx_mgmt_action(struct ieee80211_sub_if_data *sdata,
> -diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
> -index a05b615deb51..44a6fdb6efbd 100644
> ---- a/net/mac80211/mesh_hwmp.c
> -+++ b/net/mac80211/mesh_hwmp.c
> -@@ -1,7 +1,7 @@
> - // SPDX-License-Identifier: GPL-2.0-only
> - /*
> -  * Copyright (c) 2008, 2009 open80211s Ltd.
> -- * Copyright (C) 2019 Intel Corporation
> -+ * Copyright (C) 2019, 2021 Intel Corporation
> -  * Author:     Luis Carlos Cobo <luisca@cozybit.com>
> -  */
> - 
> -@@ -908,7 +908,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
> - void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
> -    struct ieee80211_mgmt *mgmt, size_t len)
> - {
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - size_t baselen;
> - u32 path_metric;
> - struct sta_info *sta;
> -@@ -926,37 +926,41 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
> - rcu_read_unlock();
> - 
> - baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt;
> -- ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
> --       len - baselen, false, &elems, mgmt->bssid, NULL);
> -+ elems = ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
> -+       len - baselen, false, mgmt->bssid, NULL);
> -+ if (!elems)
> -+ return;
> - 
> -- if (elems.preq) {
> -- if (elems.preq_len != 37)
> -+ if (elems->preq) {
> -+ if (elems->preq_len != 37)
> - /* Right now we support just 1 destination and no AE */
> -- return;
> -- path_metric = hwmp_route_info_get(sdata, mgmt, elems.preq,
> -+ goto free;
> -+ path_metric = hwmp_route_info_get(sdata, mgmt, elems->preq,
> -  MPATH_PREQ);
> - if (path_metric)
> -- hwmp_preq_frame_process(sdata, mgmt, elems.preq,
> -+ hwmp_preq_frame_process(sdata, mgmt, elems->preq,
> - path_metric);
> - }
> -- if (elems.prep) {
> -- if (elems.prep_len != 31)
> -+ if (elems->prep) {
> -+ if (elems->prep_len != 31)
> - /* Right now we support no AE */
> -- return;
> -- path_metric = hwmp_route_info_get(sdata, mgmt, elems.prep,
> -+ goto free;
> -+ path_metric = hwmp_route_info_get(sdata, mgmt, elems->prep,
> -  MPATH_PREP);
> - if (path_metric)
> -- hwmp_prep_frame_process(sdata, mgmt, elems.prep,
> -+ hwmp_prep_frame_process(sdata, mgmt, elems->prep,
> - path_metric);
> - }
> -- if (elems.perr) {
> -- if (elems.perr_len != 15)
> -+ if (elems->perr) {
> -+ if (elems->perr_len != 15)
> - /* Right now we support only one destination per PERR */
> -- return;
> -- hwmp_perr_frame_process(sdata, mgmt, elems.perr);
> -+ goto free;
> -+ hwmp_perr_frame_process(sdata, mgmt, elems->perr);
> - }
> -- if (elems.rann)
> -- hwmp_rann_frame_process(sdata, mgmt, elems.rann);
> -+ if (elems->rann)
> -+ hwmp_rann_frame_process(sdata, mgmt, elems->rann);
> -+free:
> -+ kfree(elems);
> - }
> - 
> - /**
> -diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
> -index a6915847d78a..a829470dd59e 100644
> ---- a/net/mac80211/mesh_plink.c
> -+++ b/net/mac80211/mesh_plink.c
> -@@ -1,7 +1,7 @@
> - // SPDX-License-Identifier: GPL-2.0-only
> - /*
> -  * Copyright (c) 2008, 2009 open80211s Ltd.
> -- * Copyright (C) 2019 Intel Corporation
> -+ * Copyright (C) 2019, 2021 Intel Corporation
> -  * Author:     Luis Carlos Cobo <luisca@cozybit.com>
> -  */
> - #include <linux/gfp.h>
> -@@ -1200,7 +1200,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
> - struct ieee80211_mgmt *mgmt, size_t len,
> - struct ieee80211_rx_status *rx_status)
> - {
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - size_t baselen;
> - u8 *baseaddr;
> - 
> -@@ -1228,7 +1228,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
> - if (baselen > len)
> - return;
> - }
> -- ieee802_11_parse_elems(baseaddr, len - baselen, true, &elems,
> --       mgmt->bssid, NULL);
> -- mesh_process_plink_frame(sdata, mgmt, &elems, rx_status);
> -+ elems = ieee802_11_parse_elems(baseaddr, len - baselen, true,
> -+       mgmt->bssid, NULL);
> -+ mesh_process_plink_frame(sdata, mgmt, elems, rx_status);
> -+ kfree(elems);
> - }
> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> -index 548cd14c5503..45efa1d1c550 100644
> ---- a/net/mac80211/mlme.c
> -+++ b/net/mac80211/mlme.c
> -@@ -3317,8 +3317,11 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
> - aid = 0; /* TODO */
> - }
> - capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems,
> --       mgmt->bssid, assoc_data->bss->bssid);
> -+ elems = ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false,
> -+       mgmt->bssid, assoc_data->bss->bssid);
> -+
> -+ if (!elems)
> -+ return false;
> - 
> - if (elems->aid_resp)
> - aid = le16_to_cpu(elems->aid_resp->aid);
> -@@ -3340,7 +3343,8 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
> - 
> - if (!is_s1g && !elems->supp_rates) {
> - sdata_info(sdata, "no SuppRates element in AssocResp\n");
> -- return false;
> -+ ret = false;
> -+ goto out;
> - }
> - 
> - sdata->vif.bss_conf.aid = aid;
> -@@ -3362,7 +3366,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
> -     (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
> -      (!elems->vht_cap_elem || !elems->vht_operation)))) {
> - const struct cfg80211_bss_ies *ies;
> -- struct ieee802_11_elems bss_elems;
> -+ struct ieee802_11_elems *bss_elems;
> - 
> - rcu_read_lock();
> - ies = rcu_dereference(cbss->ies);
> -@@ -3373,13 +3377,17 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
> - if (!bss_ies)
> - return false;
> - 
> -- ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
> --       false, &bss_elems,
> --       mgmt->bssid,
> --       assoc_data->bss->bssid);
> -+ bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
> -+   false, mgmt->bssid,
> -+   assoc_data->bss->bssid);
> -+ if (!bss_elems) {
> -+ ret = false;
> -+ goto out;
> -+ }
> -+
> - if (assoc_data->wmm &&
> --    !elems->wmm_param && bss_elems.wmm_param) {
> -- elems->wmm_param = bss_elems.wmm_param;
> -+    !elems->wmm_param && bss_elems->wmm_param) {
> -+ elems->wmm_param = bss_elems->wmm_param;
> - sdata_info(sdata,
> -   "AP bug: WMM param missing from AssocResp\n");
> - }
> -@@ -3388,30 +3396,32 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
> - * Also check if we requested HT/VHT, otherwise the AP doesn't
> - * have to include the IEs in the (re)association response.
> - */
> -- if (!elems->ht_cap_elem && bss_elems.ht_cap_elem &&
> -+ if (!elems->ht_cap_elem && bss_elems->ht_cap_elem &&
> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
> -- elems->ht_cap_elem = bss_elems.ht_cap_elem;
> -+ elems->ht_cap_elem = bss_elems->ht_cap_elem;
> - sdata_info(sdata,
> -   "AP bug: HT capability missing from AssocResp\n");
> - }
> -- if (!elems->ht_operation && bss_elems.ht_operation &&
> -+ if (!elems->ht_operation && bss_elems->ht_operation &&
> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
> -- elems->ht_operation = bss_elems.ht_operation;
> -+ elems->ht_operation = bss_elems->ht_operation;
> - sdata_info(sdata,
> -   "AP bug: HT operation missing from AssocResp\n");
> - }
> -- if (!elems->vht_cap_elem && bss_elems.vht_cap_elem &&
> -+ if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
> -- elems->vht_cap_elem = bss_elems.vht_cap_elem;
> -+ elems->vht_cap_elem = bss_elems->vht_cap_elem;
> - sdata_info(sdata,
> -   "AP bug: VHT capa missing from AssocResp\n");
> - }
> -- if (!elems->vht_operation && bss_elems.vht_operation &&
> -+ if (!elems->vht_operation && bss_elems->vht_operation &&
> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
> -- elems->vht_operation = bss_elems.vht_operation;
> -+ elems->vht_operation = bss_elems->vht_operation;
> - sdata_info(sdata,
> -   "AP bug: VHT operation missing from AssocResp\n");
> - }
> -+
> -+ kfree(bss_elems);
> - }
> - 
> - /*
> -@@ -3662,6 +3672,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
> - 
> - ret = true;
> -  out:
> -+ kfree(elems);
> - kfree(bss_ies);
> - return ret;
> - }
> -@@ -3673,7 +3684,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
> - struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
> - struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
> - u16 capab_info, status_code, aid;
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - int ac, uapsd_queues = -1;
> - u8 *pos;
> - bool reassoc;
> -@@ -3730,14 +3741,16 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
> -    fils_decrypt_assoc_resp(sdata, (u8 *)mgmt, &len, assoc_data) < 0)
> - return;
> - 
> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
> --       mgmt->bssid, assoc_data->bss->bssid);
> -+ elems = ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false,
> -+       mgmt->bssid, assoc_data->bss->bssid);
> -+ if (!elems)
> -+ goto notify_driver;
> - 
> - if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
> --    elems.timeout_int &&
> --    elems.timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
> -+    elems->timeout_int &&
> -+    elems->timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
> - u32 tu, ms;
> -- tu = le32_to_cpu(elems.timeout_int->value);
> -+ tu = le32_to_cpu(elems->timeout_int->value);
> - ms = tu * 1024 / 1000;
> - sdata_info(sdata,
> -   "%pM rejected association temporarily; comeback duration %u TU (%u ms)\n",
> -@@ -3757,7 +3770,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
> - event.u.mlme.reason = status_code;
> - drv_event_callback(sdata->local, sdata, &event);
> - } else {
> -- if (!ieee80211_assoc_success(sdata, cbss, mgmt, len, &elems)) {
> -+ if (!ieee80211_assoc_success(sdata, cbss, mgmt, len, elems)) {
> - /* oops -- internal error -- send timeout for now */
> - ieee80211_destroy_assoc_data(sdata, false, false);
> - cfg80211_assoc_timeout(sdata->dev, cbss);
> -@@ -3787,6 +3800,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
> -       ifmgd->assoc_req_ies, ifmgd->assoc_req_ies_len);
> - notify_driver:
> - drv_mgd_complete_tx(sdata->local, sdata, &info);
> -+ kfree(elems);
> - }
> - 
> - static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
> -@@ -3991,7 +4005,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
> - struct ieee80211_mgmt *mgmt = (void *) hdr;
> - size_t baselen;
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - struct ieee80211_local *local = sdata->local;
> - struct ieee80211_chanctx_conf *chanctx_conf;
> - struct ieee80211_channel *chan;
> -@@ -4037,15 +4051,16 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - 
> - if (ifmgd->assoc_data && ifmgd->assoc_data->need_beacon &&
> -    ieee80211_rx_our_beacon(bssid, ifmgd->assoc_data->bss)) {
> -- ieee802_11_parse_elems(variable,
> --       len - baselen, false, &elems,
> --       bssid,
> --       ifmgd->assoc_data->bss->bssid);
> -+ elems = ieee802_11_parse_elems(variable, len - baselen, false,
> -+       bssid,
> -+       ifmgd->assoc_data->bss->bssid);
> -+ if (!elems)
> -+ return;
> - 
> - ieee80211_rx_bss_info(sdata, mgmt, len, rx_status);
> - 
> -- if (elems.dtim_period)
> -- ifmgd->dtim_period = elems.dtim_period;
> -+ if (elems->dtim_period)
> -+ ifmgd->dtim_period = elems->dtim_period;
> - ifmgd->have_beacon = true;
> - ifmgd->assoc_data->need_beacon = false;
> - if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY)) {
> -@@ -4053,17 +4068,17 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - le64_to_cpu(mgmt->u.beacon.timestamp);
> - sdata->vif.bss_conf.sync_device_ts =
> - rx_status->device_timestamp;
> -- sdata->vif.bss_conf.sync_dtim_count = elems.dtim_count;
> -+ sdata->vif.bss_conf.sync_dtim_count = elems->dtim_count;
> - }
> - 
> -- if (elems.mbssid_config_ie)
> -+ if (elems->mbssid_config_ie)
> - bss_conf->profile_periodicity =
> -- elems.mbssid_config_ie->profile_periodicity;
> -+ elems->mbssid_config_ie->profile_periodicity;
> - else
> - bss_conf->profile_periodicity = 0;
> - 
> -- if (elems.ext_capab_len >= 11 &&
> --    (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
> -+ if (elems->ext_capab_len >= 11 &&
> -+    (elems->ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
> - bss_conf->ema_ap = true;
> - else
> - bss_conf->ema_ap = false;
> -@@ -4072,6 +4087,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - ifmgd->assoc_data->timeout = jiffies;
> - ifmgd->assoc_data->timeout_started = true;
> - run_again(sdata, ifmgd->assoc_data->timeout);
> -+ kfree(elems);
> - return;
> - }
> - 
> -@@ -4103,14 +4119,15 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - */
> - if (!ieee80211_is_s1g_beacon(hdr->frame_control))
> - ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
> -- ieee802_11_parse_elems_crc(variable,
> --   len - baselen, false, &elems,
> --   care_about_ies, ncrc,
> --   mgmt->bssid, bssid);
> -- ncrc = elems.crc;
> -+ elems = ieee802_11_parse_elems_crc(variable, len - baselen,
> -+   false, care_about_ies, ncrc,
> -+   mgmt->bssid, bssid);
> -+ if (!elems)
> -+ return;
> -+ ncrc = elems->crc;
> - 
> - if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
> --    ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) {
> -+    ieee80211_check_tim(elems->tim, elems->tim_len, bss_conf->aid)) {
> - if (local->hw.conf.dynamic_ps_timeout > 0) {
> - if (local->hw.conf.flags & IEEE80211_CONF_PS) {
> - local->hw.conf.flags &= ~IEEE80211_CONF_PS;
> -@@ -4180,12 +4197,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - le64_to_cpu(mgmt->u.beacon.timestamp);
> - sdata->vif.bss_conf.sync_device_ts =
> - rx_status->device_timestamp;
> -- sdata->vif.bss_conf.sync_dtim_count = elems.dtim_count;
> -+ sdata->vif.bss_conf.sync_dtim_count = elems->dtim_count;
> - }
> - 
> - if ((ncrc == ifmgd->beacon_crc && ifmgd->beacon_crc_valid) ||
> -    ieee80211_is_s1g_short_beacon(mgmt->frame_control))
> -- return;
> -+ goto free;
> - ifmgd->beacon_crc = ncrc;
> - ifmgd->beacon_crc_valid = true;
> - 
> -@@ -4193,12 +4210,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - 
> - ieee80211_sta_process_chanswitch(sdata, rx_status->mactime,
> - rx_status->device_timestamp,
> -- &elems, true);
> -+ elems, true);
> - 
> - if (!(ifmgd->flags & IEEE80211_STA_DISABLE_WMM) &&
> --    ieee80211_sta_wmm_params(local, sdata, elems.wmm_param,
> --     elems.wmm_param_len,
> --     elems.mu_edca_param_set))
> -+    ieee80211_sta_wmm_params(local, sdata, elems->wmm_param,
> -+     elems->wmm_param_len,
> -+     elems->mu_edca_param_set))
> - changed |= BSS_CHANGED_QOS;
> - 
> - /*
> -@@ -4207,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - */
> - if (!ifmgd->have_beacon) {
> - /* a few bogus AP send dtim_period = 0 or no TIM IE */
> -- bss_conf->dtim_period = elems.dtim_period ?: 1;
> -+ bss_conf->dtim_period = elems->dtim_period ?: 1;
> - 
> - changed |= BSS_CHANGED_BEACON_INFO;
> - ifmgd->have_beacon = true;
> -@@ -4219,9 +4236,9 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - ieee80211_recalc_ps_vif(sdata);
> - }
> - 
> -- if (elems.erp_info) {
> -+ if (elems->erp_info) {
> - erp_valid = true;
> -- erp_value = elems.erp_info[0];
> -+ erp_value = elems->erp_info[0];
> - } else {
> - erp_valid = false;
> - }
> -@@ -4234,12 +4251,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> - mutex_lock(&local->sta_mtx);
> - sta = sta_info_get(sdata, bssid);
> - 
> -- changed |= ieee80211_recalc_twt_req(sdata, sta, &elems);
> -+ changed |= ieee80211_recalc_twt_req(sdata, sta, elems);
> - 
> -- if (ieee80211_config_bw(sdata, sta, elems.ht_cap_elem,
> -- elems.vht_cap_elem, elems.ht_operation,
> -- elems.vht_operation, elems.he_operation,
> -- elems.s1g_oper, bssid, &changed)) {
> -+ if (ieee80211_config_bw(sdata, sta, elems->ht_cap_elem,
> -+ elems->vht_cap_elem, elems->ht_operation,
> -+ elems->vht_operation, elems->he_operation,
> -+ elems->s1g_oper, bssid, &changed)) {
> - mutex_unlock(&local->sta_mtx);
> - sdata_info(sdata,
> -   "failed to follow AP %pM bandwidth change, disconnect\n",
> -@@ -4251,21 +4268,23 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
> -    sizeof(deauth_buf), true,
> -    WLAN_REASON_DEAUTH_LEAVING,
> -    false);
> -- return;
> -+ goto free;
> - }
> - 
> -- if (sta && elems.opmode_notif)
> -- ieee80211_vht_handle_opmode(sdata, sta, *elems.opmode_notif,
> -+ if (sta && elems->opmode_notif)
> -+ ieee80211_vht_handle_opmode(sdata, sta, *elems->opmode_notif,
> -    rx_status->band);
> - mutex_unlock(&local->sta_mtx);
> - 
> - changed |= ieee80211_handle_pwr_constr(sdata, chan, mgmt,
> --       elems.country_elem,
> --       elems.country_elem_len,
> --       elems.pwr_constr_elem,
> --       elems.cisco_dtpc_elem);
> -+       elems->country_elem,
> -+       elems->country_elem_len,
> -+       elems->pwr_constr_elem,
> -+       elems->cisco_dtpc_elem);
> - 
> - ieee80211_bss_info_change_notify(sdata, changed);
> -+free:
> -+ kfree(elems);
> - }
> - 
> - void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
> -@@ -4294,7 +4313,6 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> - struct ieee80211_rx_status *rx_status;
> - struct ieee80211_mgmt *mgmt;
> - u16 fc;
> -- struct ieee802_11_elems elems;
> - int ies_len;
> - 
> - rx_status = (struct ieee80211_rx_status *) skb->cb;
> -@@ -4326,6 +4344,8 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> - break;
> - case IEEE80211_STYPE_ACTION:
> - if (mgmt->u.action.category == WLAN_CATEGORY_SPECTRUM_MGMT) {
> -+ struct ieee802_11_elems *elems;
> -+
> - ies_len = skb->len -
> -  offsetof(struct ieee80211_mgmt,
> -   u.action.u.chan_switch.variable);
> -@@ -4334,18 +4354,21 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> - break;
> - 
> - /* CSA IE cannot be overridden, no need for BSSID */
> -- ieee802_11_parse_elems(
> -- mgmt->u.action.u.chan_switch.variable,
> -- ies_len, true, &elems, mgmt->bssid, NULL);
> -+ elems = ieee802_11_parse_elems(
> -+ mgmt->u.action.u.chan_switch.variable,
> -+ ies_len, true, mgmt->bssid, NULL);
> - 
> -- if (elems.parse_error)
> -+ if (!elems || elems->parse_error)
> - break;
> - 
> - ieee80211_sta_process_chanswitch(sdata,
> - rx_status->mactime,
> - rx_status->device_timestamp,
> -- &elems, false);
> -+ elems, false);
> -+ kfree(elems);
> - } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
> -+ struct ieee802_11_elems *elems;
> -+
> - ies_len = skb->len -
> -  offsetof(struct ieee80211_mgmt,
> -   u.action.u.ext_chan_switch.variable);
> -@@ -4357,21 +4380,22 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> - * extended CSA IE can't be overridden, no need for
> - * BSSID
> - */
> -- ieee802_11_parse_elems(
> -- mgmt->u.action.u.ext_chan_switch.variable,
> -- ies_len, true, &elems, mgmt->bssid, NULL);
> -+ elems = ieee802_11_parse_elems(
> -+ mgmt->u.action.u.ext_chan_switch.variable,
> -+ ies_len, true, mgmt->bssid, NULL);
> - 
> -- if (elems.parse_error)
> -+ if (!elems || elems->parse_error)
> - break;
> - 
> - /* for the handling code pretend this was also an IE */
> -- elems.ext_chansw_ie =
> -+ elems->ext_chansw_ie =
> - &mgmt->u.action.u.ext_chan_switch.data;
> - 
> - ieee80211_sta_process_chanswitch(sdata,
> - rx_status->mactime,
> - rx_status->device_timestamp,
> -- &elems, false);
> -+ elems, false);
> -+ kfree(elems);
> - }
> - break;
> - }
> -diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
> -index d6afaacaf7ef..e692a2487eb5 100644
> ---- a/net/mac80211/scan.c
> -+++ b/net/mac80211/scan.c
> -@@ -9,7 +9,7 @@
> -  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
> -  * Copyright 2013-2015  Intel Mobile Communications GmbH
> -  * Copyright 2016-2017  Intel Deutschland GmbH
> -- * Copyright (C) 2018-2020 Intel Corporation
> -+ * Copyright (C) 2018-2021 Intel Corporation
> -  */
> - 
> - #include <linux/if_arp.h>
> -@@ -155,7 +155,7 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
> - };
> - bool signal_valid;
> - struct ieee80211_sub_if_data *scan_sdata;
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - size_t baselen;
> - u8 *elements;
> - 
> -@@ -209,8 +209,10 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
> - if (baselen > len)
> - return NULL;
> - 
> -- ieee802_11_parse_elems(elements, len - baselen, false, &elems,
> --       mgmt->bssid, cbss->bssid);
> -+ elems = ieee802_11_parse_elems(elements, len - baselen, false,
> -+       mgmt->bssid, cbss->bssid);
> -+ if (!elems)
> -+ return NULL;
> - 
> - /* In case the signal is invalid update the status */
> - signal_valid = channel == cbss->channel;
> -@@ -218,15 +220,17 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
> - rx_status->flag |= RX_FLAG_NO_SIGNAL_VAL;
> - 
> - bss = (void *)cbss->priv;
> -- ieee80211_update_bss_from_elems(local, bss, &elems, rx_status, beacon);
> -+ ieee80211_update_bss_from_elems(local, bss, elems, rx_status, beacon);
> - 
> - list_for_each_entry(non_tx_cbss, &cbss->nontrans_list, nontrans_list) {
> - non_tx_bss = (void *)non_tx_cbss->priv;
> - 
> -- ieee80211_update_bss_from_elems(local, non_tx_bss, &elems,
> -+ ieee80211_update_bss_from_elems(local, non_tx_bss, elems,
> - rx_status, beacon);
> - }
> - 
> -+ kfree(elems);
> -+
> - return bss;
> - }
> - 
> -diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
> -index 45e532ad1215..137be9ec94af 100644
> ---- a/net/mac80211/tdls.c
> -+++ b/net/mac80211/tdls.c
> -@@ -6,7 +6,7 @@
> -  * Copyright 2014, Intel Corporation
> -  * Copyright 2014  Intel Mobile Communications GmbH
> -  * Copyright 2015 - 2016 Intel Deutschland GmbH
> -- * Copyright (C) 2019 Intel Corporation
> -+ * Copyright (C) 2019, 2021 Intel Corporation
> -  */
> - 
> - #include <linux/ieee80211.h>
> -@@ -1684,7 +1684,7 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
> -   struct sk_buff *skb)
> - {
> - struct ieee80211_local *local = sdata->local;
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems = NULL;
> - struct sta_info *sta;
> - struct ieee80211_tdls_data *tf = (void *)skb->data;
> - bool local_initiator;
> -@@ -1718,16 +1718,20 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
> - goto call_drv;
> - }
> - 
> -- ieee802_11_parse_elems(tf->u.chan_switch_resp.variable,
> --       skb->len - baselen, false, &elems,
> --       NULL, NULL);
> -- if (elems.parse_error) {
> -+ elems = ieee802_11_parse_elems(tf->u.chan_switch_resp.variable,
> -+       skb->len - baselen, false, NULL, NULL);
> -+ if (!elems) {
> -+ ret = -ENOMEM;
> -+ goto out;
> -+ }
> -+
> -+ if (elems->parse_error) {
> - tdls_dbg(sdata, "Invalid IEs in TDLS channel switch resp\n");
> - ret = -EINVAL;
> - goto out;
> - }
> - 
> -- if (!elems.ch_sw_timing || !elems.lnk_id) {
> -+ if (!elems->ch_sw_timing || !elems->lnk_id) {
> - tdls_dbg(sdata, "TDLS channel switch resp - missing IEs\n");
> - ret = -EINVAL;
> - goto out;
> -@@ -1735,15 +1739,15 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
> - 
> - /* validate the initiator is set correctly */
> - local_initiator =
> -- !memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
> -+ !memcmp(elems->lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
> - if (local_initiator == sta->sta.tdls_initiator) {
> - tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
> - ret = -EINVAL;
> - goto out;
> - }
> - 
> -- params.switch_time = le16_to_cpu(elems.ch_sw_timing->switch_time);
> -- params.switch_timeout = le16_to_cpu(elems.ch_sw_timing->switch_timeout);
> -+ params.switch_time = le16_to_cpu(elems->ch_sw_timing->switch_time);
> -+ params.switch_timeout = le16_to_cpu(elems->ch_sw_timing->switch_timeout);
> - 
> - params.tmpl_skb =
> - ieee80211_tdls_ch_sw_resp_tmpl_get(sta, &params.ch_sw_tm_ie);
> -@@ -1763,6 +1767,7 @@ call_drv:
> - out:
> - mutex_unlock(&local->sta_mtx);
> - dev_kfree_skb_any(params.tmpl_skb);
> -+ kfree(elems);
> - return ret;
> - }
> - 
> -@@ -1771,7 +1776,7 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
> -  struct sk_buff *skb)
> - {
> - struct ieee80211_local *local = sdata->local;
> -- struct ieee802_11_elems elems;
> -+ struct ieee802_11_elems *elems;
> - struct cfg80211_chan_def chandef;
> - struct ieee80211_channel *chan;
> - enum nl80211_channel_type chan_type;
> -@@ -1831,22 +1836,27 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
> - return -EINVAL;
> - }
> - 
> -- ieee802_11_parse_elems(tf->u.chan_switch_req.variable,
> --       skb->len - baselen, false, &elems, NULL, NULL);
> -- if (elems.parse_error) {
> -+ elems = ieee802_11_parse_elems(tf->u.chan_switch_req.variable,
> -+       skb->len - baselen, false, NULL, NULL);
> -+ if (!elems)
> -+ return -ENOMEM;
> -+
> -+ if (elems->parse_error) {
> - tdls_dbg(sdata, "Invalid IEs in TDLS channel switch req\n");
> -- return -EINVAL;
> -+ ret = -EINVAL;
> -+ goto free;
> - }
> - 
> -- if (!elems.ch_sw_timing || !elems.lnk_id) {
> -+ if (!elems->ch_sw_timing || !elems->lnk_id) {
> - tdls_dbg(sdata, "TDLS channel switch req - missing IEs\n");
> -- return -EINVAL;
> -+ ret = -EINVAL;
> -+ goto free;
> - }
> - 
> -- if (!elems.sec_chan_offs) {
> -+ if (!elems->sec_chan_offs) {
> - chan_type = NL80211_CHAN_HT20;
> - } else {
> -- switch (elems.sec_chan_offs->sec_chan_offs) {
> -+ switch (elems->sec_chan_offs->sec_chan_offs) {
> - case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
> - chan_type = NL80211_CHAN_HT40PLUS;
> - break;
> -@@ -1865,7 +1875,8 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
> - if (!cfg80211_reg_can_beacon_relax(sdata->local->hw.wiphy, &chandef,
> -   sdata->wdev.iftype)) {
> - tdls_dbg(sdata, "TDLS chan switch to forbidden channel\n");
> -- return -EINVAL;
> -+ ret = -EINVAL;
> -+ goto free;
> - }
> - 
> - mutex_lock(&local->sta_mtx);
> -@@ -1881,7 +1892,7 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
> - 
> - /* validate the initiator is set correctly */
> - local_initiator =
> -- !memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
> -+ !memcmp(elems->lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
> - if (local_initiator == sta->sta.tdls_initiator) {
> - tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
> - ret = -EINVAL;
> -@@ -1889,16 +1900,16 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
> - }
> - 
> - /* peer should have known better */
> -- if (!sta->sta.ht_cap.ht_supported && elems.sec_chan_offs &&
> --    elems.sec_chan_offs->sec_chan_offs) {
> -+ if (!sta->sta.ht_cap.ht_supported && elems->sec_chan_offs &&
> -+    elems->sec_chan_offs->sec_chan_offs) {
> - tdls_dbg(sdata, "TDLS chan switch - wide chan unsupported\n");
> - ret = -ENOTSUPP;
> - goto out;
> - }
> - 
> - params.chandef = &chandef;
> -- params.switch_time = le16_to_cpu(elems.ch_sw_timing->switch_time);
> -- params.switch_timeout = le16_to_cpu(elems.ch_sw_timing->switch_timeout);
> -+ params.switch_time = le16_to_cpu(elems->ch_sw_timing->switch_time);
> -+ params.switch_timeout = le16_to_cpu(elems->ch_sw_timing->switch_timeout);
> - 
> - params.tmpl_skb =
> - ieee80211_tdls_ch_sw_resp_tmpl_get(sta,
> -@@ -1917,6 +1928,8 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
> - out:
> - mutex_unlock(&local->sta_mtx);
> - dev_kfree_skb_any(params.tmpl_skb);
> -+free:
> -+ kfree(elems);
> - return ret;
> - }
> - 
> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
> -index 664c32b6db19..2ac61e68b6b4 100644
> ---- a/net/mac80211/util.c
> -+++ b/net/mac80211/util.c
> -@@ -1396,8 +1396,8 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> - 
> - static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
> -    struct ieee802_11_elems *elems,
> --    u8 *transmitter_bssid,
> --    u8 *bss_bssid,
> -+    const u8 *transmitter_bssid,
> -+    const u8 *bss_bssid,
> -    u8 *nontransmitted_profile)
> - {
> - const struct element *elem, *sub;
> -@@ -1464,16 +1464,20 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
> - return found ? profile_len : 0;
> - }
> - 
> --void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> -- struct ieee802_11_elems *elems,
> -- u64 filter, u32 crc, u8 *transmitter_bssid,
> -- u8 *bss_bssid)
> -+struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
> -+    bool action, u64 filter,
> -+    u32 crc,
> -+    const u8 *transmitter_bssid,
> -+    const u8 *bss_bssid)
> - {
> -+ struct ieee802_11_elems *elems;
> - const struct element *non_inherit = NULL;
> - u8 *nontransmitted_profile;
> - int nontransmitted_profile_len = 0;
> - 
> -- memset(elems, 0, sizeof(*elems));
> -+ elems = kzalloc(sizeof(*elems), GFP_ATOMIC);
> -+ if (!elems)
> -+ return NULL;
> - elems->ie_start = start;
> - elems->total_len = len;
> - 
> -@@ -1520,6 +1524,8 @@ void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> - kfree(nontransmitted_profile);
> - 
> - elems->crc = crc;
> -+
> -+ return elems;
> - }
> - 
> - void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch b/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
> deleted file mode 100644
> index 1d167c19a..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
> +++ /dev/null
> @@ -1,130 +0,0 @@
> -From 7d998f6b7365d50a9905bf57fd28b41c7ebe8e9d Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Thu, 13 Oct 2022 20:16:00 +0200
> -Subject: [PATCH] mac80211: fix memory leaks with element parsing
> -
> -commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
> -
> -My previous commit 5d24828d05f3 ("mac80211: always allocate
> -struct ieee802_11_elems") had a few bugs and leaked the new
> -allocated struct in a few error cases, fix that.
> -
> -Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Cc: Felix Fietkau <nbd@nbd.name>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/mac80211/agg-rx.c |  3 ++-
> - net/mac80211/ibss.c   | 10 +++++-----
> - net/mac80211/mlme.c   | 36 ++++++++++++++++++------------------
> - 3 files changed, 25 insertions(+), 24 deletions(-)
> -
> -diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
> -index ffa4f31f6c2b..0d2bab9d351c 100644
> ---- a/net/mac80211/agg-rx.c
> -+++ b/net/mac80211/agg-rx.c
> -@@ -499,13 +499,14 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
> - elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
> -       ies_len, true, mgmt->bssid, NULL);
> - if (!elems || elems->parse_error)
> -- return;
> -+ goto free;
> - }
> - 
> - __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
> - start_seq_num, ba_policy, tid,
> - buf_size, true, false,
> - elems ? elems->addba_ext_ie : NULL);
> -+free:
> - kfree(elems);
> - }
> - 
> -diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
> -index 4b721b48f86a..48e0260f3424 100644
> ---- a/net/mac80211/ibss.c
> -+++ b/net/mac80211/ibss.c
> -@@ -1663,11 +1663,11 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> - mgmt->u.action.u.chan_switch.variable,
> - ies_len, true, mgmt->bssid, NULL);
> - 
> -- if (!elems || elems->parse_error)
> -- break;
> --
> -- ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
> -- rx_status, elems);
> -+ if (elems && !elems->parse_error)
> -+ ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
> -+ skb->len,
> -+ rx_status,
> -+ elems);
> - kfree(elems);
> - break;
> - }
> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> -index 45efa1d1c550..cc6d38a2e6d5 100644
> ---- a/net/mac80211/mlme.c
> -+++ b/net/mac80211/mlme.c
> -@@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
> - bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
> -  GFP_ATOMIC);
> - rcu_read_unlock();
> -- if (!bss_ies)
> -- return false;
> -+ if (!bss_ies) {
> -+ ret = false;
> -+ goto out;
> -+ }
> - 
> - bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
> -   false, mgmt->bssid,
> -@@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> - mgmt->u.action.u.chan_switch.variable,
> - ies_len, true, mgmt->bssid, NULL);
> - 
> -- if (!elems || elems->parse_error)
> -- break;
> --
> -- ieee80211_sta_process_chanswitch(sdata,
> -- rx_status->mactime,
> -- rx_status->device_timestamp,
> -- elems, false);
> -+ if (elems && !elems->parse_error)
> -+ ieee80211_sta_process_chanswitch(sdata,
> -+ rx_status->mactime,
> -+ rx_status->device_timestamp,
> -+ elems, false);
> - kfree(elems);
> - } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
> - struct ieee802_11_elems *elems;
> -@@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
> - mgmt->u.action.u.ext_chan_switch.variable,
> - ies_len, true, mgmt->bssid, NULL);
> - 
> -- if (!elems || elems->parse_error)
> -- break;
> -+ if (elems && !elems->parse_error) {
> -+ /* for the handling code pretend it was an IE */
> -+ elems->ext_chansw_ie =
> -+ &mgmt->u.action.u.ext_chan_switch.data;
> - 
> -- /* for the handling code pretend this was also an IE */
> -- elems->ext_chansw_ie =
> -- &mgmt->u.action.u.ext_chan_switch.data;
> -+ ieee80211_sta_process_chanswitch(sdata,
> -+ rx_status->mactime,
> -+ rx_status->device_timestamp,
> -+ elems, false);
> -+ }
> - 
> -- ieee80211_sta_process_chanswitch(sdata,
> -- rx_status->mactime,
> -- rx_status->device_timestamp,
> -- elems, false);
> - kfree(elems);
> - }
> - break;
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-14.patch b/src/patches/linux/linux-5.15-wifi-security-patches-14.patch
> deleted file mode 100644
> index f0ccc0b6a..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-14.patch
> +++ /dev/null
> @@ -1,107 +0,0 @@
> -From de124365a7d2deed22cf706583930f28d537ff0f Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Thu, 13 Oct 2022 20:16:01 +0200
> -Subject: [PATCH] wifi: mac80211: fix MBSSID parsing use-after-free
> -
> -commit ff05d4b45dd89b922578dac497dcabf57cf771c6
> -
> -When we parse a multi-BSSID element, we might point some
> -element pointers into the allocated nontransmitted_profile.
> -However, we free this before returning, causing UAF when the
> -relevant pointers in the parsed elements are accessed.
> -
> -Fix this by not allocating the scratch buffer separately but
> -as part of the returned structure instead, that way, there
> -are no lifetime issues with it.
> -
> -The scratch buffer introduction as part of the returned data
> -here is taken from MLO feature work done by Ilan.
> -
> -This fixes CVE-2022-42719.
> -
> -Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
> -Co-developed-by: Ilan Peer <ilan.peer@intel.com>
> -Signed-off-by: Ilan Peer <ilan.peer@intel.com>
> -Reviewed-by: Kees Cook <keescook@chromium.org>
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Cc: Felix Fietkau <nbd@nbd.name>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/mac80211/ieee80211_i.h |  8 ++++++++
> - net/mac80211/util.c        | 29 ++++++++++++++---------------
> - 2 files changed, 22 insertions(+), 15 deletions(-)
> -
> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
> -index 3633e49239c7..21549a440b38 100644
> ---- a/net/mac80211/ieee80211_i.h
> -+++ b/net/mac80211/ieee80211_i.h
> -@@ -1613,6 +1613,14 @@ struct ieee802_11_elems {
> - 
> - /* whether a parse error occurred while retrieving these elements */
> - bool parse_error;
> -+
> -+ /*
> -+ * scratch buffer that can be used for various element parsing related
> -+ * tasks, e.g., element de-fragmentation etc.
> -+ */
> -+ size_t scratch_len;
> -+ u8 *scratch_pos;
> -+ u8 scratch[];
> - };
> - 
> - static inline struct ieee80211_local *hw_to_local(
> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
> -index 2ac61e68b6b4..354badd32793 100644
> ---- a/net/mac80211/util.c
> -+++ b/net/mac80211/util.c
> -@@ -1475,24 +1475,25 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
> - u8 *nontransmitted_profile;
> - int nontransmitted_profile_len = 0;
> - 
> -- elems = kzalloc(sizeof(*elems), GFP_ATOMIC);
> -+ elems = kzalloc(sizeof(*elems) + len, GFP_ATOMIC);
> - if (!elems)
> - return NULL;
> - elems->ie_start = start;
> - elems->total_len = len;
> - 
> -- nontransmitted_profile = kmalloc(len, GFP_ATOMIC);
> -- if (nontransmitted_profile) {
> -- nontransmitted_profile_len =
> -- ieee802_11_find_bssid_profile(start, len, elems,
> --      transmitter_bssid,
> --      bss_bssid,
> --      nontransmitted_profile);
> -- non_inherit =
> -- cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
> --       nontransmitted_profile,
> --       nontransmitted_profile_len);
> -- }
> -+ elems->scratch_len = len;
> -+ elems->scratch_pos = elems->scratch;
> -+
> -+ nontransmitted_profile = elems->scratch_pos;
> -+ nontransmitted_profile_len =
> -+ ieee802_11_find_bssid_profile(start, len, elems,
> -+      transmitter_bssid,
> -+      bss_bssid,
> -+      nontransmitted_profile);
> -+ non_inherit =
> -+ cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
> -+       nontransmitted_profile,
> -+       nontransmitted_profile_len);
> - 
> - crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
> -  crc, non_inherit);
> -@@ -1521,8 +1522,6 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
> -    offsetofend(struct ieee80211_bssid_index, dtim_count))
> - elems->dtim_count = elems->bssid_index->dtim_count;
> - 
> -- kfree(nontransmitted_profile);
> --
> - elems->crc = crc;
> - 
> - return elems;
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-2.patch b/src/patches/linux/linux-5.15-wifi-security-patches-2.patch
> deleted file mode 100644
> index d2a04e717..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-2.patch
> +++ /dev/null
> @@ -1,59 +0,0 @@
> -From 0a861bd25dad508e492c48169509d8c6b9246895 Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Wed, 28 Sep 2022 22:01:37 +0200
> -Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements
> -
> -commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
> -
> -Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
> -and the minimum is 1 since a multiple BSSID set with just one BSSID
> -doesn't make sense (the # of BSSIDs is limited by 2^n).
> -
> -Limit this in the parsing in both cfg80211 and mac80211, rejecting
> -any elements with an invalid value.
> -
> -This fixes potentially bad shifts in the processing of these inside
> -the cfg80211_gen_new_bssid() function later.
> -
> -I found this during the investigation of CVE-2022-41674 fixed by the
> -previous patch.
> -
> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
> -Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
> -Reviewed-by: Kees Cook <keescook@chromium.org>
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/mac80211/util.c | 2 ++
> - net/wireless/scan.c | 2 ++
> - 2 files changed, 4 insertions(+)
> -
> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
> -index be1911d8089f..00543ea9c6b5 100644
> ---- a/net/mac80211/util.c
> -+++ b/net/mac80211/util.c
> -@@ -1414,6 +1414,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
> - for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
> - if (elem->datalen < 2)
> - continue;
> -+ if (elem->data[0] < 1 || elem->data[0] > 8)
> -+ continue;
> - 
> - for_each_element(sub, elem->data + 1, elem->datalen - 1) {
> - u8 new_bssid[ETH_ALEN];
> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> -index d9ab37a798f4..84c642eae4d8 100644
> ---- a/net/wireless/scan.c
> -+++ b/net/wireless/scan.c
> -@@ -2103,6 +2103,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
> - for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
> - if (elem->datalen < 4)
> - continue;
> -+ if (elem->data[0] < 1 || (int)elem->data[0] > 8)
> -+ continue;
> - for_each_element(sub, elem->data + 1, elem->datalen - 1) {
> - u8 profile_len;
> - 
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-3.patch b/src/patches/linux/linux-5.15-wifi-security-patches-3.patch
> deleted file mode 100644
> index 60be08214..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-3.patch
> +++ /dev/null
> @@ -1,49 +0,0 @@
> -From 9e99ca59ed3976921f8891c103d503b6da3e78af Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Thu, 29 Sep 2022 21:50:44 +0200
> -Subject: [PATCH] wifi: cfg80211: ensure length byte is present before access
> -
> -commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
> -
> -When iterating the elements here, ensure the length byte is
> -present before checking it to see if the entire element will
> -fit into the buffer.
> -
> -Longer term, we should rewrite this code using the type-safe
> -element iteration macros that check all of this.
> -
> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
> -Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/wireless/scan.c | 6 ++++--
> - 1 file changed, 4 insertions(+), 2 deletions(-)
> -
> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> -index 84c642eae4d8..04c9b78b3fec 100644
> ---- a/net/wireless/scan.c
> -+++ b/net/wireless/scan.c
> -@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
> - tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
> - tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
> - 
> -- while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
> -+ while (tmp_old + 2 - ie <= ielen &&
> -+       tmp_old + tmp_old[1] + 2 - ie <= ielen) {
> - if (tmp_old[0] == 0) {
> - tmp_old++;
> - continue;
> -@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
> - * copied to new ie, skip ssid, capability, bssid-index ie
> - */
> - tmp_new = sub_copy;
> -- while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
> -+ while (tmp_new + 2 - sub_copy <= subie_len &&
> -+       tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
> - if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
> -      tmp_new[0] == WLAN_EID_SSID)) {
> - memcpy(pos, tmp_new, tmp_new[1] + 2);
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-4.patch b/src/patches/linux/linux-5.15-wifi-security-patches-4.patch
> deleted file mode 100644
> index bd2439041..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-4.patch
> +++ /dev/null
> @@ -1,96 +0,0 @@
> -From bfe29873454f38eb1a511a76144ad1a4848ca176 Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Fri, 30 Sep 2022 23:44:23 +0200
> -Subject: [PATCH] wifi: cfg80211: fix BSS refcounting bugs
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=utf8
> -Content-Transfer-Encoding: 8bit
> -
> -commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream.
> -
> -There are multiple refcounting bugs related to multi-BSSID:
> - - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
> -   the bss pointer is overwritten before checking for the
> -   transmitted BSS, which is clearly wrong. Fix this by using
> -   the bss_from_pub() macro.
> -
> - - In cfg80211_bss_update() we copy the transmitted_bss pointer
> -   from tmp into new, but then if we release new, we'll unref
> -   it erroneously. We already set the pointer and ref it, but
> -   need to NULL it since it was copied from the tmp data.
> -
> - - In cfg80211_inform_single_bss_data(), if adding to the non-
> -   transmitted list fails, we unlink the BSS and yet still we
> -   return it, but this results in returning an entry without
> -   a reference. We shouldn't return it anyway if it was broken
> -   enough to not get added there.
> -
> -This fixes CVE-2022-42720.
> -
> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
> -Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS")
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/wireless/scan.c | 27 ++++++++++++++-------------
> - 1 file changed, 14 insertions(+), 13 deletions(-)
> -
> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> -index 04c9b78b3fec..2e576714e989 100644
> ---- a/net/wireless/scan.c
> -+++ b/net/wireless/scan.c
> -@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
> - lockdep_assert_held(&rdev->bss_lock);
> - 
> - bss->refcount++;
> -- if (bss->pub.hidden_beacon_bss) {
> -- bss = container_of(bss->pub.hidden_beacon_bss,
> --   struct cfg80211_internal_bss,
> --   pub);
> -- bss->refcount++;
> -- }
> -- if (bss->pub.transmitted_bss) {
> -- bss = container_of(bss->pub.transmitted_bss,
> --   struct cfg80211_internal_bss,
> --   pub);
> -- bss->refcount++;
> -- }
> -+
> -+ if (bss->pub.hidden_beacon_bss)
> -+ bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
> -+
> -+ if (bss->pub.transmitted_bss)
> -+ bss_from_pub(bss->pub.transmitted_bss)->refcount++;
> - }
> - 
> - static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
> -@@ -1743,6 +1737,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
> - new->refcount = 1;
> - INIT_LIST_HEAD(&new->hidden_list);
> - INIT_LIST_HEAD(&new->pub.nontrans_list);
> -+ /* we'll set this later if it was non-NULL */
> -+ new->pub.transmitted_bss = NULL;
> - 
> - if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
> - hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
> -@@ -1983,10 +1979,15 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
> - spin_lock_bh(&rdev->bss_lock);
> - if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
> -       &res->pub)) {
> -- if (__cfg80211_unlink_bss(rdev, res))
> -+ if (__cfg80211_unlink_bss(rdev, res)) {
> - rdev->bss_generation++;
> -+ res = NULL;
> -+ }
> - }
> - spin_unlock_bh(&rdev->bss_lock);
> -+
> -+ if (!res)
> -+ return NULL;
> - }
> - 
> - trace_cfg80211_return_bss(&res->pub);
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch b/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
> deleted file mode 100644
> index c0c4dadd3..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
> +++ /dev/null
> @@ -1,56 +0,0 @@
> -From 0a8ee682e4f992eccce226b012bba600bb2251e2 Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Sat, 1 Oct 2022 00:01:44 +0200
> -Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list corruption
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=utf8
> -Content-Transfer-Encoding: 8bit
> -
> -commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
> -
> -If a non-transmitted BSS shares enough information (both
> -SSID and BSSID!) with another non-transmitted BSS of a
> -different AP, then we can find and update it, and then
> -try to add it to the non-transmitted BSS list. We do a
> -search for it on the transmitted BSS, but if it's not
> -there (but belongs to another transmitted BSS), the list
> -gets corrupted.
> -
> -Since this is an erroneous situation, simply fail the
> -list insertion in this case and free the non-transmitted
> -BSS.
> -
> -This fixes CVE-2022-42721.
> -
> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/wireless/scan.c | 9 +++++++++
> - 1 file changed, 9 insertions(+)
> -
> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> -index 2e576714e989..a21baf7b3612 100644
> ---- a/net/wireless/scan.c
> -+++ b/net/wireless/scan.c
> -@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
> - 
> - rcu_read_unlock();
> - 
> -+ /*
> -+ * This is a bit weird - it's not on the list, but already on another
> -+ * one! The only way that could happen is if there's some BSSID/SSID
> -+ * shared by multiple APs in their multi-BSSID profiles, potentially
> -+ * with hidden SSID mixed in ... ignore it.
> -+ */
> -+ if (!list_empty(&nontrans_bss->nontrans_list))
> -+ return -EINVAL;
> -+
> - /* add to the list */
> - list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
> - return 0;
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-6.patch b/src/patches/linux/linux-5.15-wifi-security-patches-6.patch
> deleted file mode 100644
> index caa380de8..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-6.patch
> +++ /dev/null
> @@ -1,39 +0,0 @@
> -From fff244e9171b2ca692469d41c68b36607bd73ab0 Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Wed, 5 Oct 2022 15:10:09 +0200
> -Subject: [PATCH] wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=utf8
> -Content-Transfer-Encoding: 8bit
> -
> -commit 1833b6f46d7e2830251a063935ab464256defe22 upstream.
> -
> -If the tool on the other side (e.g. wmediumd) gets confused
> -about the rate, we hit a warning in mac80211. Silence that
> -by effectively duplicating the check here and dropping the
> -frame silently (in mac80211 it's dropped with the warning).
> -
> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - drivers/net/wireless/mac80211_hwsim.c | 2 ++
> - 1 file changed, 2 insertions(+)
> -
> -diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
> -index 52a2574b7d13..b228567b2a73 100644
> ---- a/drivers/net/wireless/mac80211_hwsim.c
> -+++ b/drivers/net/wireless/mac80211_hwsim.c
> -@@ -3749,6 +3749,8 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
> - 
> - rx_status.band = channel->band;
> - rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
> -+ if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates)
> -+ goto out;
> - rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
> - 
> - hdr = (void *)skb->data;
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-7.patch b/src/patches/linux/linux-5.15-wifi-security-patches-7.patch
> deleted file mode 100644
> index b5cb2ad12..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-7.patch
> +++ /dev/null
> @@ -1,60 +0,0 @@
> -From 93a3a32554079432b49cf87f326607b2a2fab4f2 Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Wed, 5 Oct 2022 21:24:10 +0200
> -Subject: [PATCH] wifi: mac80211: fix crash in beacon protection for P2P-device
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=utf8
> -Content-Transfer-Encoding: 8bit
> -
> -commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
> -
> -If beacon protection is active but the beacon cannot be
> -decrypted or is otherwise malformed, we call the cfg80211
> -API to report this to userspace, but that uses a netdev
> -pointer, which isn't present for P2P-Device. Fix this to
> -call it only conditionally to ensure cfg80211 won't crash
> -in the case of P2P-Device.
> -
> -This fixes CVE-2022-42722.
> -
> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
> -Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/mac80211/rx.c | 12 +++++++-----
> - 1 file changed, 7 insertions(+), 5 deletions(-)
> -
> -diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
> -index 743e97ba352c..175ead6b19cb 100644
> ---- a/net/mac80211/rx.c
> -+++ b/net/mac80211/rx.c
> -@@ -1982,10 +1982,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
> - 
> - if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
> -    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
> --    NUM_DEFAULT_BEACON_KEYS) {
> -- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
> --     skb->data,
> --     skb->len);
> -+   NUM_DEFAULT_BEACON_KEYS) {
> -+ if (rx->sdata->dev)
> -+ cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
> -+     skb->data,
> -+     skb->len);
> - return RX_DROP_MONITOR; /* unexpected BIP keyidx */
> - }
> - 
> -@@ -2133,7 +2134,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
> - /* either the frame has been decrypted or will be dropped */
> - status->flag |= RX_FLAG_DECRYPTED;
> - 
> -- if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
> -+ if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
> -+     rx->sdata->dev))
> - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
> -     skb->data, skb->len);
> - 
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-8.patch b/src/patches/linux/linux-5.15-wifi-security-patches-8.patch
> deleted file mode 100644
> index 8099f3a72..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-8.patch
> +++ /dev/null
> @@ -1,94 +0,0 @@
> -From d15bb1f6dabe1d2a4155958111bea47db72b599c Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Wed, 5 Oct 2022 23:11:43 +0200
> -Subject: [PATCH] wifi: cfg80211: update hidden BSSes to avoid WARN_ON
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=utf8
> -Content-Transfer-Encoding: 8bit
> -
> -commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream.
> -
> -When updating beacon elements in a non-transmitted BSS,
> -also update the hidden sub-entries to the same beacon
> -elements, so that a future update through other paths
> -won't trigger a WARN_ON().
> -
> -The warning is triggered because the beacon elements in
> -the hidden BSSes that are children of the BSS should
> -always be the same as in the parent.
> -
> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/wireless/scan.c | 31 ++++++++++++++++++++-----------
> - 1 file changed, 20 insertions(+), 11 deletions(-)
> -
> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> -index a21baf7b3612..f0de22a6caf7 100644
> ---- a/net/wireless/scan.c
> -+++ b/net/wireless/scan.c
> -@@ -1609,6 +1609,23 @@ struct cfg80211_non_tx_bss {
> - u8 bssid_index;
> - };
> - 
> -+static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known,
> -+ const struct cfg80211_bss_ies *new_ies,
> -+ const struct cfg80211_bss_ies *old_ies)
> -+{
> -+ struct cfg80211_internal_bss *bss;
> -+
> -+ /* Assign beacon IEs to all sub entries */
> -+ list_for_each_entry(bss, &known->hidden_list, hidden_list) {
> -+ const struct cfg80211_bss_ies *ies;
> -+
> -+ ies = rcu_access_pointer(bss->pub.beacon_ies);
> -+ WARN_ON(ies != old_ies);
> -+
> -+ rcu_assign_pointer(bss->pub.beacon_ies, new_ies);
> -+ }
> -+}
> -+
> - static bool
> - cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
> -  struct cfg80211_internal_bss *known,
> -@@ -1632,7 +1649,6 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
> - } else if (rcu_access_pointer(new->pub.beacon_ies)) {
> - const struct cfg80211_bss_ies *old;
> -- struct cfg80211_internal_bss *bss;
> - 
> - if (known->pub.hidden_beacon_bss &&
> -    !list_empty(&known->hidden_list)) {
> -@@ -1660,16 +1676,7 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
> - if (old == rcu_access_pointer(known->pub.ies))
> - rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
> - 
> -- /* Assign beacon IEs to all sub entries */
> -- list_for_each_entry(bss, &known->hidden_list, hidden_list) {
> -- const struct cfg80211_bss_ies *ies;
> --
> -- ies = rcu_access_pointer(bss->pub.beacon_ies);
> -- WARN_ON(ies != old);
> --
> -- rcu_assign_pointer(bss->pub.beacon_ies,
> --   new->pub.beacon_ies);
> -- }
> -+ cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
> - 
> - if (old)
> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
> -@@ -2319,6 +2326,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
> - } else {
> - old = rcu_access_pointer(nontrans_bss->beacon_ies);
> - rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies);
> -+ cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss),
> -+     new_ies, old);
> - rcu_assign_pointer(nontrans_bss->ies, new_ies);
> - if (old)
> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
> --- 
> -2.30.2
> -
> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-9.patch b/src/patches/linux/linux-5.15-wifi-security-patches-9.patch
> deleted file mode 100644
> index 5781b077d..000000000
> --- a/src/patches/linux/linux-5.15-wifi-security-patches-9.patch
> +++ /dev/null
> @@ -1,126 +0,0 @@
> -From 864f2d3482f4bd0c62b355e35ee8300be8ef488e Mon Sep 17 00:00:00 2001
> -From: Johannes Berg <johannes.berg@intel.com>
> -Date: Thu, 13 Oct 2022 20:15:56 +0200
> -Subject: [PATCH] mac80211: mesh: clean up rx_bcn_presp API
> -
> -commit a5b983c6073140b624f64e79fea6d33c3e4315a0 upstream.
> -
> -We currently pass the entire elements to the rx_bcn_presp()
> -method, but only need mesh_config. Additionally, we use the
> -length of the elements to calculate back the entire frame's
> -length, but that's confusing - just pass the length of the
> -frame instead.
> -
> -Link: https://lore.kernel.org/r/20210920154009.a18ed3d2da6c.I1824b773a0fbae4453e1433c184678ca14e8df45@changeid
> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> -Cc: Felix Fietkau <nbd@nbd.name>
> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ----
> - net/mac80211/ieee80211_i.h |  7 +++----
> - net/mac80211/mesh.c        |  4 ++--
> - net/mac80211/mesh_sync.c   | 26 ++++++++++++--------------
> - 3 files changed, 17 insertions(+), 20 deletions(-)
> -
> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
> -index f7bea4af2ddb..4bd55af184b2 100644
> ---- a/net/mac80211/ieee80211_i.h
> -+++ b/net/mac80211/ieee80211_i.h
> -@@ -631,10 +631,9 @@ struct ieee80211_if_ocb {
> -  */
> - struct ieee802_11_elems;
> - struct ieee80211_mesh_sync_ops {
> -- void (*rx_bcn_presp)(struct ieee80211_sub_if_data *sdata,
> --     u16 stype,
> --     struct ieee80211_mgmt *mgmt,
> --     struct ieee802_11_elems *elems,
> -+ void (*rx_bcn_presp)(struct ieee80211_sub_if_data *sdata, u16 stype,
> -+     struct ieee80211_mgmt *mgmt, unsigned int len,
> -+     const struct ieee80211_meshconf_ie *mesh_cfg,
> -     struct ieee80211_rx_status *rx_status);
> - 
> - /* should be called with beacon_data under RCU read lock */
> -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
> -index 42bd81a30310..9f6414a68d71 100644
> ---- a/net/mac80211/mesh.c
> -+++ b/net/mac80211/mesh.c
> -@@ -1354,8 +1354,8 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
> - }
> - 
> - if (ifmsh->sync_ops)
> -- ifmsh->sync_ops->rx_bcn_presp(sdata,
> -- stype, mgmt, &elems, rx_status);
> -+ ifmsh->sync_ops->rx_bcn_presp(sdata, stype, mgmt, len,
> -+      elems.mesh_config, rx_status);
> - }
> - 
> - int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
> -diff --git a/net/mac80211/mesh_sync.c b/net/mac80211/mesh_sync.c
> -index fde93de2b80a..9e342cc2504c 100644
> ---- a/net/mac80211/mesh_sync.c
> -+++ b/net/mac80211/mesh_sync.c
> -@@ -3,6 +3,7 @@
> -  * Copyright 2011-2012, Pavel Zubarev <pavel.zubarev@gmail.com>
> -  * Copyright 2011-2012, Marco Porsch <marco.porsch@s2005.tu-chemnitz.de>
> -  * Copyright 2011-2012, cozybit Inc.
> -+ * Copyright (C) 2021 Intel Corporation
> -  */
> - 
> - #include "ieee80211_i.h"
> -@@ -35,12 +36,12 @@ struct sync_method {
> - /**
> -  * mesh_peer_tbtt_adjusting - check if an mp is currently adjusting its TBTT
> -  *
> -- * @ie: information elements of a management frame from the mesh peer
> -+ * @cfg: mesh config element from the mesh peer (or %NULL)
> -  */
> --static bool mesh_peer_tbtt_adjusting(struct ieee802_11_elems *ie)
> -+static bool mesh_peer_tbtt_adjusting(const struct ieee80211_meshconf_ie *cfg)
> - {
> -- return (ie->mesh_config->meshconf_cap &
> -- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING) != 0;
> -+ return cfg &&
> -+       (cfg->meshconf_cap & IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING);
> - }
> - 
> - void mesh_sync_adjust_tsf(struct ieee80211_sub_if_data *sdata)
> -@@ -76,11 +77,11 @@ void mesh_sync_adjust_tsf(struct ieee80211_sub_if_data *sdata)
> - }
> - }
> - 
> --static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
> --   u16 stype,
> --   struct ieee80211_mgmt *mgmt,
> --   struct ieee802_11_elems *elems,
> --   struct ieee80211_rx_status *rx_status)
> -+static void
> -+mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata, u16 stype,
> -+      struct ieee80211_mgmt *mgmt, unsigned int len,
> -+      const struct ieee80211_meshconf_ie *mesh_cfg,
> -+      struct ieee80211_rx_status *rx_status)
> - {
> - struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
> - struct ieee80211_local *local = sdata->local;
> -@@ -101,10 +102,7 @@ static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
> - */
> - if (ieee80211_have_rx_timestamp(rx_status))
> - t_r = ieee80211_calculate_rx_timestamp(local, rx_status,
> --       24 + 12 +
> --       elems->total_len +
> --       FCS_LEN,
> --       24);
> -+       len + FCS_LEN, 24);
> - else
> - t_r = drv_get_tsf(local, sdata);
> - 
> -@@ -119,7 +117,7 @@ static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
> - * dot11MeshNbrOffsetMaxNeighbor non-peer non-MBSS neighbors
> - */
> - 
> -- if (elems->mesh_config && mesh_peer_tbtt_adjusting(elems)) {
> -+ if (mesh_peer_tbtt_adjusting(mesh_cfg)) {
> - msync_dbg(sdata, "STA %pM : is adjusting TBTT\n",
> -  sta->sta.addr);
> - goto no_sync;
> --- 
> -2.30.2
> -
> -- 
> 2.35.3
  
Peter Müller Dec. 29, 2022, 11:14 a.m. UTC | #2
Hello Michael,

> Hello,
> 
>> On 26 Dec 2022, at 20:24, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> config/kernel/kernel.config.x86_64-ipfire     |    5 +-
>> config/rootfiles/common/x86_64/linux          |   16 +-
>> lfs/linux                                     |    9 +-
>> .../linux-5.15-wifi-security-patches-1.patch  |   50 -
>> .../linux-5.15-wifi-security-patches-10.patch |   98 --
>> .../linux-5.15-wifi-security-patches-11.patch |   96 --
>> .../linux-5.15-wifi-security-patches-12.patch | 1179 -----------------
>> .../linux-5.15-wifi-security-patches-13.patch |  130 --
>> .../linux-5.15-wifi-security-patches-14.patch |  107 --
>> .../linux-5.15-wifi-security-patches-2.patch  |   59 -
>> .../linux-5.15-wifi-security-patches-3.patch  |   49 -
>> .../linux-5.15-wifi-security-patches-4.patch  |   96 --
>> .../linux-5.15-wifi-security-patches-5.patch  |   56 -
>> .../linux-5.15-wifi-security-patches-6.patch  |   39 -
>> .../linux-5.15-wifi-security-patches-7.patch  |   60 -
>> .../linux-5.15-wifi-security-patches-8.patch  |   94 --
>> .../linux-5.15-wifi-security-patches-9.patch  |  126 --
>> 17 files changed, 10 insertions(+), 2259 deletions(-)
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-7.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.patch
>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.patch
>>
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>> index bb4655a99..b160322cf 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -1,6 +1,6 @@
>> #
>> # Automatically generated file; DO NOT EDIT.
>> -# Linux/x86 5.15.68-ipfire Kernel Configuration
>> +# Linux/x86 5.15.85-ipfire Kernel Configuration
>> #
>> CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.3.0"
>> CONFIG_CC_IS_GCC=y
>> @@ -1036,6 +1036,7 @@ CONFIG_INET_ESP=m
>> CONFIG_INET_ESP_OFFLOAD=m
>> # CONFIG_INET_ESPINTCP is not set
>> CONFIG_INET_IPCOMP=m
>> +CONFIG_INET_TABLE_PERTURB_ORDER=16
> 
> Why didn’t this change in the other architecture’s configuration files?
> 
> This hardly looks like a architecture-dependent configuration option to me.

Ah, this is because I only intended to update the ARM configuration files in one
go in this patchset (#21/21). If it's okay with you, I would like to merge this patch
for Core Update 173 nevertheless, and conduct the necessary config/rootfile updates
for ARM manually.

Thanks, and best regards,
Peter Müller

> 
>> CONFIG_INET_XFRM_TUNNEL=m
>> CONFIG_INET_TUNNEL=m
>> CONFIG_INET_DIAG=m
>> @@ -7393,6 +7394,8 @@ CONFIG_SYMBOLIC_ERRNAME=y
>> CONFIG_DEBUG_BUGVERBOSE=y
>> # end of printk and dmesg options
>>
>> +CONFIG_AS_HAS_NON_CONST_LEB128=y
> 
> This looks more arch-dependent.
> 
>> +
>> #
>> # Compile-time checks and compiler options
>> #
>> diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
>> index 518230b39..d71fa4142 100644
>> --- a/config/rootfiles/common/x86_64/linux
>> +++ b/config/rootfiles/common/x86_64/linux
>> @@ -6525,6 +6525,7 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/ASYNC_TX_DMA
>> #lib/modules/KVER-ipfire/build/include/config/ASYNC_XOR
>> #lib/modules/KVER-ipfire/build/include/config/AS_AVX512
>> +#lib/modules/KVER-ipfire/build/include/config/AS_HAS_NON_CONST_LEB128
>> #lib/modules/KVER-ipfire/build/include/config/AS_IS_GNU
>> #lib/modules/KVER-ipfire/build/include/config/AS_SHA1_NI
>> #lib/modules/KVER-ipfire/build/include/config/AS_SHA256_NI
>> @@ -6668,8 +6669,6 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/BITREVERSE
>> #lib/modules/KVER-ipfire/build/include/config/BLK_CGROUP
>> #lib/modules/KVER-ipfire/build/include/config/BLK_CGROUP_RWSTAT
>> -#lib/modules/KVER-ipfire/build/include/config/BLK_DEBUG_FS
>> -#lib/modules/KVER-ipfire/build/include/config/BLK_DEBUG_FS_ZONED
>> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV
>> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_3W_XXXX_RAID
>> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_BSG
>> @@ -7089,8 +7088,6 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/DE2104X_DSL
>> #lib/modules/KVER-ipfire/build/include/config/DE4X5
>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_BUGVERBOSE
>> -#lib/modules/KVER-ipfire/build/include/config/DEBUG_FS
>> -#lib/modules/KVER-ipfire/build/include/config/DEBUG_FS_ALLOW_ALL
>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL
>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC
>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX
>> @@ -7422,7 +7419,6 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/DW_XDATA_PCIE
>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG
>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG_CORE
>> -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_EVENTS
>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE
>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_ARGS
>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_DIRECT_CALLS
>> @@ -8024,6 +8020,7 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/INET_IPCOMP
>> #lib/modules/KVER-ipfire/build/include/config/INET_RAW_DIAG
>> #lib/modules/KVER-ipfire/build/include/config/INET_SCTP_DIAG
>> +#lib/modules/KVER-ipfire/build/include/config/INET_TABLE_PERTURB_ORDER
>> #lib/modules/KVER-ipfire/build/include/config/INET_TCP_DIAG
>> #lib/modules/KVER-ipfire/build/include/config/INET_TUNNEL
>> #lib/modules/KVER-ipfire/build/include/config/INET_UDP_DIAG
>> @@ -8424,7 +8421,6 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/LOCKUP_DETECTOR
>> #lib/modules/KVER-ipfire/build/include/config/LOCK_DEBUGGING_SUPPORT
>> #lib/modules/KVER-ipfire/build/include/config/LOCK_DOWN_KERNEL_FORCE_NONE
>> -#lib/modules/KVER-ipfire/build/include/config/LOCK_EVENT_COUNTS
>> #lib/modules/KVER-ipfire/build/include/config/LOCK_SPIN_ON_OWNER
>> #lib/modules/KVER-ipfire/build/include/config/LOGO
>> #lib/modules/KVER-ipfire/build/include/config/LOGO_LINUX_CLUT224
>> @@ -9490,7 +9486,6 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/PRINTER
>> #lib/modules/KVER-ipfire/build/include/config/PRINTK
>> #lib/modules/KVER-ipfire/build/include/config/PRINTK_SAFE_LOG_BUF_SHIFT
>> -#lib/modules/KVER-ipfire/build/include/config/PROBE_EVENTS
>> #lib/modules/KVER-ipfire/build/include/config/PROC_EVENTS
>> #lib/modules/KVER-ipfire/build/include/config/PROC_FS
>> #lib/modules/KVER-ipfire/build/include/config/PROC_PAGE_MONITOR
>> @@ -9848,7 +9843,6 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SCAN_ASYNC
>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SMARTPQI
>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SNIC
>> -#lib/modules/KVER-ipfire/build/include/config/SCSI_SNIC_DEBUG_FS
>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SPI_ATTRS
>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SRP_ATTRS
>> #lib/modules/KVER-ipfire/build/include/config/SCSI_STEX
>> @@ -10385,7 +10379,6 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/SWIOTLB
>> #lib/modules/KVER-ipfire/build/include/config/SWIOTLB_XEN
>> #lib/modules/KVER-ipfire/build/include/config/SWPHY
>> -#lib/modules/KVER-ipfire/build/include/config/SW_SYNC
>> #lib/modules/KVER-ipfire/build/include/config/SXGBE_ETH
>> #lib/modules/KVER-ipfire/build/include/config/SYMBOLIC_ERRNAME
>> #lib/modules/KVER-ipfire/build/include/config/SYNCLINK_GT
>> @@ -10533,8 +10526,6 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/UNIX_DIAG
>> #lib/modules/KVER-ipfire/build/include/config/UNIX_SCM
>> #lib/modules/KVER-ipfire/build/include/config/UNWINDER_ORC
>> -#lib/modules/KVER-ipfire/build/include/config/UPROBES
>> -#lib/modules/KVER-ipfire/build/include/config/UPROBE_EVENTS
>> #lib/modules/KVER-ipfire/build/include/config/USB
>> #lib/modules/KVER-ipfire/build/include/config/USBIP_CORE
>> #lib/modules/KVER-ipfire/build/include/config/USBIP_HOST
>> @@ -11105,7 +11096,6 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/XEN_BLKDEV_BACKEND
>> #lib/modules/KVER-ipfire/build/include/config/XEN_BLKDEV_FRONTEND
>> #lib/modules/KVER-ipfire/build/include/config/XEN_COMPAT_XENFS
>> -#lib/modules/KVER-ipfire/build/include/config/XEN_DEBUG_FS
>> #lib/modules/KVER-ipfire/build/include/config/XEN_DEV_EVTCHN
>> #lib/modules/KVER-ipfire/build/include/config/XEN_DOM0
>> #lib/modules/KVER-ipfire/build/include/config/XEN_EFI
>> @@ -16866,6 +16856,8 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/init
>> #lib/modules/KVER-ipfire/build/init/Kconfig
>> #lib/modules/KVER-ipfire/build/init/Makefile
>> +#lib/modules/KVER-ipfire/build/io_uring
>> +#lib/modules/KVER-ipfire/build/io_uring/Makefile
>> #lib/modules/KVER-ipfire/build/ipc
>> #lib/modules/KVER-ipfire/build/ipc/Makefile
>> #lib/modules/KVER-ipfire/build/kernel
>> diff --git a/lfs/linux b/lfs/linux
>> index b628307fd..59238049c 100644
>> --- a/lfs/linux
>> +++ b/lfs/linux
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER         = 5.15.71
>> +VER         = 5.15.85
>> ARM_PATCHES = 5.15-ipfire5
>>
>> THISAPP    = linux-$(VER)
>> @@ -78,7 +78,7 @@ objects =$(DL_FILE) \
>> $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE)
>> arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
>>
>> -$(DL_FILE)_BLAKE2 = 77da2393a31b6c6fed7cdfef61a112ae49fcdfce96968daf8c7a690a6e65025c7238c1fe084d0bfda403dc56db877b6db99def12803e840cacf318da40327d7b
>> +$(DL_FILE)_BLAKE2 = 481cea334dee4146d72704ecb88f654bd38ca62a5a28540f365a57f5cd522551c4b7f854c09380ec614098a9efa5dff4cef70c9cafe6277a410d3d2099eca1cc
>> arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 58a70e757a9121a0aac83604a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165c6a86e0371a3e896f4c7cdd699c34a0
>>
>> install : $(TARGET)
>> @@ -146,11 +146,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> # https://bugzilla.ipfire.org/show_bug.cgi?id=12889
>> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
>>
>> - # https://lists.ipfire.org/pipermail/development/2022-October/014562.html
>> - for i in $$(seq 1 14); do \
>> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-wifi-security-patches-$$i.patch || exit 1; \
>> - done
>> -
>> ifeq "$(BUILD_ARCH)" "armv6l"
>> # Apply Arm-multiarch kernel patches.
>> cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-1.patch b/src/patches/linux/linux-5.15-wifi-security-patches-1.patch
>> deleted file mode 100644
>> index b646eea49..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-1.patch
>> +++ /dev/null
>> @@ -1,50 +0,0 @@
>> -From 9a8ef2030510a9d6ce86fd535b8d10720230811f Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Wed, 28 Sep 2022 21:56:15 +0200
>> -Subject: [PATCH] wifi: cfg80211: fix u8 overflow in
>> - cfg80211_update_notlisted_nontrans()
>> -
>> -commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
>> -
>> -In the copy code of the elements, we do the following calculation
>> -to reach the end of the MBSSID element:
>> -
>> - /* copy the IEs after MBSSID */
>> - cpy_len = mbssid[1] + 2;
>> -
>> -This looks fine, however, cpy_len is a u8, the same as mbssid[1],
>> -so the addition of two can overflow. In this case the subsequent
>> -memcpy() will overflow the allocated buffer, since it copies 256
>> -bytes too much due to the way the allocation and memcpy() sizes
>> -are calculated.
>> -
>> -Fix this by using size_t for the cpy_len variable.
>> -
>> -This fixes CVE-2022-41674.
>> -
>> -Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
>> -Reviewed-by: Kees Cook <keescook@chromium.org>
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/wireless/scan.c | 2 +-
>> - 1 file changed, 1 insertion(+), 1 deletion(-)
>> -
>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>> -index 1a8b76c9dd56..d9ab37a798f4 100644
>> ---- a/net/wireless/scan.c
>> -+++ b/net/wireless/scan.c
>> -@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
>> - size_t new_ie_len;
>> - struct cfg80211_bss_ies *new_ies;
>> - const struct cfg80211_bss_ies *old;
>> -- u8 cpy_len;
>> -+ size_t cpy_len;
>> - 
>> - lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
>> - 
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-10.patch b/src/patches/linux/linux-5.15-wifi-security-patches-10.patch
>> deleted file mode 100644
>> index 51986afe7..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-10.patch
>> +++ /dev/null
>> @@ -1,98 +0,0 @@
>> -From 21df3a583e8e03d8f74fa2eedbcd7a2b3f5cabc1 Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Thu, 13 Oct 2022 20:15:57 +0200
>> -Subject: [PATCH] mac80211: move CRC into struct ieee802_11_elems
>> -
>> -commit c6e37ed498f958254b5459253199e816b6bfc52f upstream.
>> -
>> -We're currently returning this value, but to prepare for
>> -returning the allocated structure, move it into there.
>> -
>> -Link: https://lore.kernel.org/r/20210920154009.479b8ebf999d.If0d4ba75ee38998dc3eeae25058aa748efcb2fc9@changeid
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Cc: Felix Fietkau <nbd@nbd.name>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/mac80211/ieee80211_i.h |  9 +++++----
>> - net/mac80211/mlme.c        |  9 +++++----
>> - net/mac80211/util.c        | 10 +++++-----
>> - 3 files changed, 15 insertions(+), 13 deletions(-)
>> -
>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>> -index 4bd55af184b2..5ea38ae65809 100644
>> ---- a/net/mac80211/ieee80211_i.h
>> -+++ b/net/mac80211/ieee80211_i.h
>> -@@ -1532,6 +1532,7 @@ struct ieee80211_csa_ie {
>> - struct ieee802_11_elems {
>> - const u8 *ie_start;
>> - size_t total_len;
>> -+ u32 crc;
>> - 
>> - /* pointers to IEs */
>> - const struct ieee80211_tdls_lnkie *lnk_id;
>> -@@ -2218,10 +2219,10 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
>> - ieee80211_tx_skb_tid(sdata, skb, 7);
>> - }
>> - 
>> --u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>> --       struct ieee802_11_elems *elems,
>> --       u64 filter, u32 crc, u8 *transmitter_bssid,
>> --       u8 *bss_bssid);
>> -+void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>> -+ struct ieee802_11_elems *elems,
>> -+ u64 filter, u32 crc, u8 *transmitter_bssid,
>> -+ u8 *bss_bssid);
>> - static inline void ieee802_11_parse_elems(const u8 *start, size_t len,
>> -  bool action,
>> -  struct ieee802_11_elems *elems,
>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
>> -index 1548f532dc1a..4414e82e71d1 100644
>> ---- a/net/mac80211/mlme.c
>> -+++ b/net/mac80211/mlme.c
>> -@@ -4102,10 +4102,11 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - */
>> - if (!ieee80211_is_s1g_beacon(hdr->frame_control))
>> - ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
>> -- ncrc = ieee802_11_parse_elems_crc(variable,
>> --  len - baselen, false, &elems,
>> --  care_about_ies, ncrc,
>> --  mgmt->bssid, bssid);
>> -+ ieee802_11_parse_elems_crc(variable,
>> -+   len - baselen, false, &elems,
>> -+   care_about_ies, ncrc,
>> -+   mgmt->bssid, bssid);
>> -+ ncrc = elems.crc;
>> - 
>> - if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
>> -    ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) {
>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>> -index 00543ea9c6b5..ceb6894381e4 100644
>> ---- a/net/mac80211/util.c
>> -+++ b/net/mac80211/util.c
>> -@@ -1468,10 +1468,10 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
>> - return found ? profile_len : 0;
>> - }
>> - 
>> --u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>> --       struct ieee802_11_elems *elems,
>> --       u64 filter, u32 crc, u8 *transmitter_bssid,
>> --       u8 *bss_bssid)
>> -+void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>> -+ struct ieee802_11_elems *elems,
>> -+ u64 filter, u32 crc, u8 *transmitter_bssid,
>> -+ u8 *bss_bssid)
>> - {
>> - const struct element *non_inherit = NULL;
>> - u8 *nontransmitted_profile;
>> -@@ -1523,7 +1523,7 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>> - 
>> - kfree(nontransmitted_profile);
>> - 
>> -- return crc;
>> -+ elems->crc = crc;
>> - }
>> - 
>> - void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-11.patch b/src/patches/linux/linux-5.15-wifi-security-patches-11.patch
>> deleted file mode 100644
>> index ae639c696..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-11.patch
>> +++ /dev/null
>> @@ -1,96 +0,0 @@
>> -From 630060f1175676b9cb3a032767f20dbce93616c9 Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Thu, 13 Oct 2022 20:15:58 +0200
>> -Subject: [PATCH] mac80211: mlme: find auth challenge directly
>> -
>> -commit 49a765d6785e99157ff5091cc37485732496864e upstream.
>> -
>> -There's no need to parse all elements etc. just to find the
>> -authentication challenge - use cfg80211_find_elem() instead.
>> -This also allows us to remove WLAN_EID_CHALLENGE handling
>> -from the element parsing entirely.
>> -
>> -Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Cc: Felix Fietkau <nbd@nbd.name>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/mac80211/ieee80211_i.h |  2 --
>> - net/mac80211/mlme.c        | 11 ++++++-----
>> - net/mac80211/util.c        |  4 ----
>> - 3 files changed, 6 insertions(+), 11 deletions(-)
>> -
>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>> -index 5ea38ae65809..c5f0ff805010 100644
>> ---- a/net/mac80211/ieee80211_i.h
>> -+++ b/net/mac80211/ieee80211_i.h
>> -@@ -1542,7 +1542,6 @@ struct ieee802_11_elems {
>> - const u8 *supp_rates;
>> - const u8 *ds_params;
>> - const struct ieee80211_tim_ie *tim;
>> -- const u8 *challenge;
>> - const u8 *rsn;
>> - const u8 *rsnx;
>> - const u8 *erp_info;
>> -@@ -1596,7 +1595,6 @@ struct ieee802_11_elems {
>> - u8 ssid_len;
>> - u8 supp_rates_len;
>> - u8 tim_len;
>> -- u8 challenge_len;
>> - u8 rsn_len;
>> - u8 rsnx_len;
>> - u8 ext_supp_rates_len;
>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
>> -index 4414e82e71d1..548cd14c5503 100644
>> ---- a/net/mac80211/mlme.c
>> -+++ b/net/mac80211/mlme.c
>> -@@ -2889,17 +2889,17 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
>> - {
>> - struct ieee80211_local *local = sdata->local;
>> - struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
>> -+ const struct element *challenge;
>> - u8 *pos;
>> -- struct ieee802_11_elems elems;
>> - u32 tx_flags = 0;
>> - struct ieee80211_prep_tx_info info = {
>> - .subtype = IEEE80211_STYPE_AUTH,
>> - };
>> - 
>> - pos = mgmt->u.auth.variable;
>> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
>> --       mgmt->bssid, auth_data->bss->bssid);
>> -- if (!elems.challenge)
>> -+ challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos,
>> -+       len - (pos - (u8 *)mgmt));
>> -+ if (!challenge)
>> - return;
>> - auth_data->expected_transaction = 4;
>> - drv_mgd_prepare_tx(sdata->local, sdata, &info);
>> -@@ -2907,7 +2907,8 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
>> - tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
>> -   IEEE80211_TX_INTFL_MLME_CONN_TX;
>> - ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
>> --    elems.challenge - 2, elems.challenge_len + 2,
>> -+    (void *)challenge,
>> -+    challenge->datalen + sizeof(*challenge),
>> -    auth_data->bss->bssid, auth_data->bss->bssid,
>> -    auth_data->key, auth_data->key_len,
>> -    auth_data->key_idx, tx_flags);
>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>> -index ceb6894381e4..664c32b6db19 100644
>> ---- a/net/mac80211/util.c
>> -+++ b/net/mac80211/util.c
>> -@@ -1117,10 +1117,6 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>> - } else
>> - elem_parse_failed = true;
>> - break;
>> -- case WLAN_EID_CHALLENGE:
>> -- elems->challenge = pos;
>> -- elems->challenge_len = elen;
>> -- break;
>> - case WLAN_EID_VENDOR_SPECIFIC:
>> - if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
>> -    pos[2] == 0xf2) {
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-12.patch b/src/patches/linux/linux-5.15-wifi-security-patches-12.patch
>> deleted file mode 100644
>> index 4dea89e4c..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-12.patch
>> +++ /dev/null
>> @@ -1,1179 +0,0 @@
>> -From fee48f3bdd7516bb63da507213916227cf147211 Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Thu, 13 Oct 2022 20:15:59 +0200
>> -Subject: [PATCH] mac80211: always allocate struct ieee802_11_elems
>> -
>> -As the 802.11 spec evolves, we need to parse more and more
>> -elements. This is causing the struct to grow, and we can no
>> -longer get away with putting it on the stack.
>> -
>> -Change the API to always dynamically allocate and return an
>> -allocated pointer that must be kfree()d later.
>> -
>> -As an alternative, I contemplated a scheme whereby we'd say
>> -in the code which elements we needed, e.g.
>> -
>> -    DECLARE_ELEMENT_PARSER(elems,
>> -                           SUPPORTED_CHANNELS,
>> -                           CHANNEL_SWITCH,
>> -                           EXT(KEY_DELIVERY));
>> -
>> -    ieee802_11_parse_elems(..., &elems, ...);
>> -
>> -and while I think this is possible and will save us a lot
>> -since most individual places only care about a small subset
>> -of the elements, it ended up being a bit more work since a
>> -lot of places do the parsing and then pass the struct to
>> -other functions, sometimes with multiple levels.
>> -
>> -Link: https://lore.kernel.org/r/20210920154009.26caff6b5998.I05ae58768e990e611aee8eca8abefd9d7bc15e05@changeid
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Cc: Felix Fietkau <nbd@nbd.name>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/mac80211/agg-rx.c      |  11 +--
>> - net/mac80211/ibss.c        |  25 +++---
>> - net/mac80211/ieee80211_i.h |  22 ++---
>> - net/mac80211/mesh.c        |  85 ++++++++++--------
>> - net/mac80211/mesh_hwmp.c   |  44 +++++-----
>> - net/mac80211/mesh_plink.c  |  11 +--
>> - net/mac80211/mlme.c        | 176 +++++++++++++++++++++----------------
>> - net/mac80211/scan.c        |  16 ++--
>> - net/mac80211/tdls.c        |  63 +++++++------
>> - net/mac80211/util.c        |  20 +++--
>> - 10 files changed, 272 insertions(+), 201 deletions(-)
>> -
>> -diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
>> -index e43176794149..ffa4f31f6c2b 100644
>> ---- a/net/mac80211/agg-rx.c
>> -+++ b/net/mac80211/agg-rx.c
>> -@@ -478,7 +478,7 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
>> -     size_t len)
>> - {
>> - u16 capab, tid, timeout, ba_policy, buf_size, start_seq_num;
>> -- struct ieee802_11_elems elems = { };
>> -+ struct ieee802_11_elems *elems = NULL;
>> - u8 dialog_token;
>> - int ies_len;
>> - 
>> -@@ -496,16 +496,17 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
>> - ies_len = len - offsetof(struct ieee80211_mgmt,
>> - u.action.u.addba_req.variable);
>> - if (ies_len) {
>> -- ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
>> --                                ies_len, true, &elems, mgmt->bssid, NULL);
>> -- if (elems.parse_error)
>> -+ elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
>> -+       ies_len, true, mgmt->bssid, NULL);
>> -+ if (!elems || elems->parse_error)
>> - return;
>> - }
>> - 
>> - __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
>> - start_seq_num, ba_policy, tid,
>> - buf_size, true, false,
>> -- elems.addba_ext_ie);
>> -+ elems ? elems->addba_ext_ie : NULL);
>> -+ kfree(elems);
>> - }
>> - 
>> - void ieee80211_manage_rx_ba_offl(struct ieee80211_vif *vif,
>> -diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
>> -index 1e133ca58e78..4b721b48f86a 100644
>> ---- a/net/mac80211/ibss.c
>> -+++ b/net/mac80211/ibss.c
>> -@@ -9,7 +9,7 @@
>> -  * Copyright 2009, Johannes Berg <johannes@sipsolutions.net>
>> -  * Copyright 2013-2014  Intel Mobile Communications GmbH
>> -  * Copyright(c) 2016 Intel Deutschland GmbH
>> -- * Copyright(c) 2018-2020 Intel Corporation
>> -+ * Copyright(c) 2018-2021 Intel Corporation
>> -  */
>> - 
>> - #include <linux/delay.h>
>> -@@ -1593,7 +1593,7 @@ void ieee80211_rx_mgmt_probe_beacon(struct ieee80211_sub_if_data *sdata,
>> -    struct ieee80211_rx_status *rx_status)
>> - {
>> - size_t baselen;
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - 
>> - BUILD_BUG_ON(offsetof(typeof(mgmt->u.probe_resp), variable) !=
>> -     offsetof(typeof(mgmt->u.beacon), variable));
>> -@@ -1606,10 +1606,14 @@ void ieee80211_rx_mgmt_probe_beacon(struct ieee80211_sub_if_data *sdata,
>> - if (baselen > len)
>> - return;
>> - 
>> -- ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
>> --       false, &elems, mgmt->bssid, NULL);
>> -+ elems = ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
>> -+       len - baselen, false,
>> -+       mgmt->bssid, NULL);
>> - 
>> -- ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems);
>> -+ if (elems) {
>> -+ ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, elems);
>> -+ kfree(elems);
>> -+ }
>> - }
>> - 
>> - void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>> -@@ -1618,7 +1622,7 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>> - struct ieee80211_rx_status *rx_status;
>> - struct ieee80211_mgmt *mgmt;
>> - u16 fc;
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - int ies_len;
>> - 
>> - rx_status = IEEE80211_SKB_RXCB(skb);
>> -@@ -1655,15 +1659,16 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>> - if (ies_len < 0)
>> - break;
>> - 
>> -- ieee802_11_parse_elems(
>> -+ elems = ieee802_11_parse_elems(
>> - mgmt->u.action.u.chan_switch.variable,
>> -- ies_len, true, &elems, mgmt->bssid, NULL);
>> -+ ies_len, true, mgmt->bssid, NULL);
>> - 
>> -- if (elems.parse_error)
>> -+ if (!elems || elems->parse_error)
>> - break;
>> - 
>> - ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
>> -- rx_status, &elems);
>> -+ rx_status, elems);
>> -+ kfree(elems);
>> - break;
>> - }
>> - }
>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>> -index c5f0ff805010..3633e49239c7 100644
>> ---- a/net/mac80211/ieee80211_i.h
>> -+++ b/net/mac80211/ieee80211_i.h
>> -@@ -2217,18 +2217,18 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
>> - ieee80211_tx_skb_tid(sdata, skb, 7);
>> - }
>> - 
>> --void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>> -- struct ieee802_11_elems *elems,
>> -- u64 filter, u32 crc, u8 *transmitter_bssid,
>> -- u8 *bss_bssid);
>> --static inline void ieee802_11_parse_elems(const u8 *start, size_t len,
>> --  bool action,
>> --  struct ieee802_11_elems *elems,
>> --  u8 *transmitter_bssid,
>> --  u8 *bss_bssid)
>> -+struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
>> -+    bool action,
>> -+    u64 filter, u32 crc,
>> -+    const u8 *transmitter_bssid,
>> -+    const u8 *bss_bssid);
>> -+static inline struct ieee802_11_elems *
>> -+ieee802_11_parse_elems(const u8 *start, size_t len, bool action,
>> -+       const u8 *transmitter_bssid,
>> -+       const u8 *bss_bssid)
>> - {
>> -- ieee802_11_parse_elems_crc(start, len, action, elems, 0, 0,
>> --   transmitter_bssid, bss_bssid);
>> -+ return ieee802_11_parse_elems_crc(start, len, action, 0, 0,
>> -+  transmitter_bssid, bss_bssid);
>> - }
>> - 
>> - 
>> -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
>> -index 9f6414a68d71..6847fdf93439 100644
>> ---- a/net/mac80211/mesh.c
>> -+++ b/net/mac80211/mesh.c
>> -@@ -1247,7 +1247,7 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
>> - struct sk_buff *presp;
>> - struct beacon_data *bcn;
>> - struct ieee80211_mgmt *hdr;
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - size_t baselen;
>> - u8 *pos;
>> - 
>> -@@ -1256,22 +1256,24 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
>> - if (baselen > len)
>> - return;
>> - 
>> -- ieee802_11_parse_elems(pos, len - baselen, false, &elems, mgmt->bssid,
>> --       NULL);
>> --
>> -- if (!elems.mesh_id)
>> -+ elems = ieee802_11_parse_elems(pos, len - baselen, false, mgmt->bssid,
>> -+       NULL);
>> -+ if (!elems)
>> - return;
>> - 
>> -+ if (!elems->mesh_id)
>> -+ goto free;
>> -+
>> - /* 802.11-2012 10.1.4.3.2 */
>> - if ((!ether_addr_equal(mgmt->da, sdata->vif.addr) &&
>> -     !is_broadcast_ether_addr(mgmt->da)) ||
>> --    elems.ssid_len != 0)
>> -- return;
>> -+    elems->ssid_len != 0)
>> -+ goto free;
>> - 
>> -- if (elems.mesh_id_len != 0 &&
>> --    (elems.mesh_id_len != ifmsh->mesh_id_len ||
>> --     memcmp(elems.mesh_id, ifmsh->mesh_id, ifmsh->mesh_id_len)))
>> -- return;
>> -+ if (elems->mesh_id_len != 0 &&
>> -+    (elems->mesh_id_len != ifmsh->mesh_id_len ||
>> -+     memcmp(elems->mesh_id, ifmsh->mesh_id, ifmsh->mesh_id_len)))
>> -+ goto free;
>> - 
>> - rcu_read_lock();
>> - bcn = rcu_dereference(ifmsh->beacon);
>> -@@ -1295,6 +1297,8 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
>> - ieee80211_tx_skb(sdata, presp);
>> - out:
>> - rcu_read_unlock();
>> -+free:
>> -+ kfree(elems);
>> - }
>> - 
>> - static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>> -@@ -1305,7 +1309,7 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>> - {
>> - struct ieee80211_local *local = sdata->local;
>> - struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - struct ieee80211_channel *channel;
>> - size_t baselen;
>> - int freq;
>> -@@ -1320,42 +1324,47 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>> - if (baselen > len)
>> - return;
>> - 
>> -- ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
>> --       false, &elems, mgmt->bssid, NULL);
>> -+ elems = ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
>> -+       len - baselen,
>> -+       false, mgmt->bssid, NULL);
>> -+ if (!elems)
>> -+ return;
>> - 
>> - /* ignore non-mesh or secure / unsecure mismatch */
>> -- if ((!elems.mesh_id || !elems.mesh_config) ||
>> --    (elems.rsn && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) ||
>> --    (!elems.rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE))
>> -- return;
>> -+ if ((!elems->mesh_id || !elems->mesh_config) ||
>> -+    (elems->rsn && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) ||
>> -+    (!elems->rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE))
>> -+ goto free;
>> - 
>> -- if (elems.ds_params)
>> -- freq = ieee80211_channel_to_frequency(elems.ds_params[0], band);
>> -+ if (elems->ds_params)
>> -+ freq = ieee80211_channel_to_frequency(elems->ds_params[0], band);
>> - else
>> - freq = rx_status->freq;
>> - 
>> - channel = ieee80211_get_channel(local->hw.wiphy, freq);
>> - 
>> - if (!channel || channel->flags & IEEE80211_CHAN_DISABLED)
>> -- return;
>> -+ goto free;
>> - 
>> -- if (mesh_matches_local(sdata, &elems)) {
>> -+ if (mesh_matches_local(sdata, elems)) {
>> - mpl_dbg(sdata, "rssi_threshold=%d,rx_status->signal=%d\n",
>> - sdata->u.mesh.mshcfg.rssi_threshold, rx_status->signal);
>> - if (!sdata->u.mesh.user_mpm ||
>> -    sdata->u.mesh.mshcfg.rssi_threshold == 0 ||
>> -    sdata->u.mesh.mshcfg.rssi_threshold < rx_status->signal)
>> -- mesh_neighbour_update(sdata, mgmt->sa, &elems,
>> -+ mesh_neighbour_update(sdata, mgmt->sa, elems,
>> -      rx_status);
>> - 
>> - if (ifmsh->csa_role != IEEE80211_MESH_CSA_ROLE_INIT &&
>> -    !sdata->vif.csa_active)
>> -- ieee80211_mesh_process_chnswitch(sdata, &elems, true);
>> -+ ieee80211_mesh_process_chnswitch(sdata, elems, true);
>> - }
>> - 
>> - if (ifmsh->sync_ops)
>> - ifmsh->sync_ops->rx_bcn_presp(sdata, stype, mgmt, len,
>> --      elems.mesh_config, rx_status);
>> -+      elems->mesh_config, rx_status);
>> -+free:
>> -+ kfree(elems);
>> - }
>> - 
>> - int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
>> -@@ -1447,7 +1456,7 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
>> -      struct ieee80211_mgmt *mgmt, size_t len)
>> - {
>> - struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - u16 pre_value;
>> - bool fwd_csa = true;
>> - size_t baselen;
>> -@@ -1460,33 +1469,37 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
>> - pos = mgmt->u.action.u.chan_switch.variable;
>> - baselen = offsetof(struct ieee80211_mgmt,
>> -   u.action.u.chan_switch.variable);
>> -- ieee802_11_parse_elems(pos, len - baselen, true, &elems,
>> --       mgmt->bssid, NULL);
>> --
>> -- if (!mesh_matches_local(sdata, &elems))
>> -+ elems = ieee802_11_parse_elems(pos, len - baselen, true,
>> -+       mgmt->bssid, NULL);
>> -+ if (!elems)
>> - return;
>> - 
>> -- ifmsh->chsw_ttl = elems.mesh_chansw_params_ie->mesh_ttl;
>> -+ if (!mesh_matches_local(sdata, elems))
>> -+ goto free;
>> -+
>> -+ ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
>> - if (!--ifmsh->chsw_ttl)
>> - fwd_csa = false;
>> - 
>> -- pre_value = le16_to_cpu(elems.mesh_chansw_params_ie->mesh_pre_value);
>> -+ pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
>> - if (ifmsh->pre_value >= pre_value)
>> -- return;
>> -+ goto free;
>> - 
>> - ifmsh->pre_value = pre_value;
>> - 
>> - if (!sdata->vif.csa_active &&
>> --    !ieee80211_mesh_process_chnswitch(sdata, &elems, false)) {
>> -+    !ieee80211_mesh_process_chnswitch(sdata, elems, false)) {
>> - mcsa_dbg(sdata, "Failed to process CSA action frame");
>> -- return;
>> -+ goto free;
>> - }
>> - 
>> - /* forward or re-broadcast the CSA frame */
>> - if (fwd_csa) {
>> -- if (mesh_fwd_csa_frame(sdata, mgmt, len, &elems) < 0)
>> -+ if (mesh_fwd_csa_frame(sdata, mgmt, len, elems) < 0)
>> - mcsa_dbg(sdata, "Failed to forward the CSA frame");
>> - }
>> -+free:
>> -+ kfree(elems);
>> - }
>> - 
>> - static void ieee80211_mesh_rx_mgmt_action(struct ieee80211_sub_if_data *sdata,
>> -diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
>> -index a05b615deb51..44a6fdb6efbd 100644
>> ---- a/net/mac80211/mesh_hwmp.c
>> -+++ b/net/mac80211/mesh_hwmp.c
>> -@@ -1,7 +1,7 @@
>> - // SPDX-License-Identifier: GPL-2.0-only
>> - /*
>> -  * Copyright (c) 2008, 2009 open80211s Ltd.
>> -- * Copyright (C) 2019 Intel Corporation
>> -+ * Copyright (C) 2019, 2021 Intel Corporation
>> -  * Author:     Luis Carlos Cobo <luisca@cozybit.com>
>> -  */
>> - 
>> -@@ -908,7 +908,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
>> - void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
>> -    struct ieee80211_mgmt *mgmt, size_t len)
>> - {
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - size_t baselen;
>> - u32 path_metric;
>> - struct sta_info *sta;
>> -@@ -926,37 +926,41 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
>> - rcu_read_unlock();
>> - 
>> - baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt;
>> -- ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
>> --       len - baselen, false, &elems, mgmt->bssid, NULL);
>> -+ elems = ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
>> -+       len - baselen, false, mgmt->bssid, NULL);
>> -+ if (!elems)
>> -+ return;
>> - 
>> -- if (elems.preq) {
>> -- if (elems.preq_len != 37)
>> -+ if (elems->preq) {
>> -+ if (elems->preq_len != 37)
>> - /* Right now we support just 1 destination and no AE */
>> -- return;
>> -- path_metric = hwmp_route_info_get(sdata, mgmt, elems.preq,
>> -+ goto free;
>> -+ path_metric = hwmp_route_info_get(sdata, mgmt, elems->preq,
>> -  MPATH_PREQ);
>> - if (path_metric)
>> -- hwmp_preq_frame_process(sdata, mgmt, elems.preq,
>> -+ hwmp_preq_frame_process(sdata, mgmt, elems->preq,
>> - path_metric);
>> - }
>> -- if (elems.prep) {
>> -- if (elems.prep_len != 31)
>> -+ if (elems->prep) {
>> -+ if (elems->prep_len != 31)
>> - /* Right now we support no AE */
>> -- return;
>> -- path_metric = hwmp_route_info_get(sdata, mgmt, elems.prep,
>> -+ goto free;
>> -+ path_metric = hwmp_route_info_get(sdata, mgmt, elems->prep,
>> -  MPATH_PREP);
>> - if (path_metric)
>> -- hwmp_prep_frame_process(sdata, mgmt, elems.prep,
>> -+ hwmp_prep_frame_process(sdata, mgmt, elems->prep,
>> - path_metric);
>> - }
>> -- if (elems.perr) {
>> -- if (elems.perr_len != 15)
>> -+ if (elems->perr) {
>> -+ if (elems->perr_len != 15)
>> - /* Right now we support only one destination per PERR */
>> -- return;
>> -- hwmp_perr_frame_process(sdata, mgmt, elems.perr);
>> -+ goto free;
>> -+ hwmp_perr_frame_process(sdata, mgmt, elems->perr);
>> - }
>> -- if (elems.rann)
>> -- hwmp_rann_frame_process(sdata, mgmt, elems.rann);
>> -+ if (elems->rann)
>> -+ hwmp_rann_frame_process(sdata, mgmt, elems->rann);
>> -+free:
>> -+ kfree(elems);
>> - }
>> - 
>> - /**
>> -diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
>> -index a6915847d78a..a829470dd59e 100644
>> ---- a/net/mac80211/mesh_plink.c
>> -+++ b/net/mac80211/mesh_plink.c
>> -@@ -1,7 +1,7 @@
>> - // SPDX-License-Identifier: GPL-2.0-only
>> - /*
>> -  * Copyright (c) 2008, 2009 open80211s Ltd.
>> -- * Copyright (C) 2019 Intel Corporation
>> -+ * Copyright (C) 2019, 2021 Intel Corporation
>> -  * Author:     Luis Carlos Cobo <luisca@cozybit.com>
>> -  */
>> - #include <linux/gfp.h>
>> -@@ -1200,7 +1200,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
>> - struct ieee80211_mgmt *mgmt, size_t len,
>> - struct ieee80211_rx_status *rx_status)
>> - {
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - size_t baselen;
>> - u8 *baseaddr;
>> - 
>> -@@ -1228,7 +1228,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
>> - if (baselen > len)
>> - return;
>> - }
>> -- ieee802_11_parse_elems(baseaddr, len - baselen, true, &elems,
>> --       mgmt->bssid, NULL);
>> -- mesh_process_plink_frame(sdata, mgmt, &elems, rx_status);
>> -+ elems = ieee802_11_parse_elems(baseaddr, len - baselen, true,
>> -+       mgmt->bssid, NULL);
>> -+ mesh_process_plink_frame(sdata, mgmt, elems, rx_status);
>> -+ kfree(elems);
>> - }
>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
>> -index 548cd14c5503..45efa1d1c550 100644
>> ---- a/net/mac80211/mlme.c
>> -+++ b/net/mac80211/mlme.c
>> -@@ -3317,8 +3317,11 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>> - aid = 0; /* TODO */
>> - }
>> - capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
>> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems,
>> --       mgmt->bssid, assoc_data->bss->bssid);
>> -+ elems = ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false,
>> -+       mgmt->bssid, assoc_data->bss->bssid);
>> -+
>> -+ if (!elems)
>> -+ return false;
>> - 
>> - if (elems->aid_resp)
>> - aid = le16_to_cpu(elems->aid_resp->aid);
>> -@@ -3340,7 +3343,8 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>> - 
>> - if (!is_s1g && !elems->supp_rates) {
>> - sdata_info(sdata, "no SuppRates element in AssocResp\n");
>> -- return false;
>> -+ ret = false;
>> -+ goto out;
>> - }
>> - 
>> - sdata->vif.bss_conf.aid = aid;
>> -@@ -3362,7 +3366,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>> -     (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
>> -      (!elems->vht_cap_elem || !elems->vht_operation)))) {
>> - const struct cfg80211_bss_ies *ies;
>> -- struct ieee802_11_elems bss_elems;
>> -+ struct ieee802_11_elems *bss_elems;
>> - 
>> - rcu_read_lock();
>> - ies = rcu_dereference(cbss->ies);
>> -@@ -3373,13 +3377,17 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>> - if (!bss_ies)
>> - return false;
>> - 
>> -- ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
>> --       false, &bss_elems,
>> --       mgmt->bssid,
>> --       assoc_data->bss->bssid);
>> -+ bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
>> -+   false, mgmt->bssid,
>> -+   assoc_data->bss->bssid);
>> -+ if (!bss_elems) {
>> -+ ret = false;
>> -+ goto out;
>> -+ }
>> -+
>> - if (assoc_data->wmm &&
>> --    !elems->wmm_param && bss_elems.wmm_param) {
>> -- elems->wmm_param = bss_elems.wmm_param;
>> -+    !elems->wmm_param && bss_elems->wmm_param) {
>> -+ elems->wmm_param = bss_elems->wmm_param;
>> - sdata_info(sdata,
>> -   "AP bug: WMM param missing from AssocResp\n");
>> - }
>> -@@ -3388,30 +3396,32 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>> - * Also check if we requested HT/VHT, otherwise the AP doesn't
>> - * have to include the IEs in the (re)association response.
>> - */
>> -- if (!elems->ht_cap_elem && bss_elems.ht_cap_elem &&
>> -+ if (!elems->ht_cap_elem && bss_elems->ht_cap_elem &&
>> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
>> -- elems->ht_cap_elem = bss_elems.ht_cap_elem;
>> -+ elems->ht_cap_elem = bss_elems->ht_cap_elem;
>> - sdata_info(sdata,
>> -   "AP bug: HT capability missing from AssocResp\n");
>> - }
>> -- if (!elems->ht_operation && bss_elems.ht_operation &&
>> -+ if (!elems->ht_operation && bss_elems->ht_operation &&
>> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
>> -- elems->ht_operation = bss_elems.ht_operation;
>> -+ elems->ht_operation = bss_elems->ht_operation;
>> - sdata_info(sdata,
>> -   "AP bug: HT operation missing from AssocResp\n");
>> - }
>> -- if (!elems->vht_cap_elem && bss_elems.vht_cap_elem &&
>> -+ if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
>> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
>> -- elems->vht_cap_elem = bss_elems.vht_cap_elem;
>> -+ elems->vht_cap_elem = bss_elems->vht_cap_elem;
>> - sdata_info(sdata,
>> -   "AP bug: VHT capa missing from AssocResp\n");
>> - }
>> -- if (!elems->vht_operation && bss_elems.vht_operation &&
>> -+ if (!elems->vht_operation && bss_elems->vht_operation &&
>> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
>> -- elems->vht_operation = bss_elems.vht_operation;
>> -+ elems->vht_operation = bss_elems->vht_operation;
>> - sdata_info(sdata,
>> -   "AP bug: VHT operation missing from AssocResp\n");
>> - }
>> -+
>> -+ kfree(bss_elems);
>> - }
>> - 
>> - /*
>> -@@ -3662,6 +3672,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>> - 
>> - ret = true;
>> -  out:
>> -+ kfree(elems);
>> - kfree(bss_ies);
>> - return ret;
>> - }
>> -@@ -3673,7 +3684,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
>> - struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
>> - struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
>> - u16 capab_info, status_code, aid;
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - int ac, uapsd_queues = -1;
>> - u8 *pos;
>> - bool reassoc;
>> -@@ -3730,14 +3741,16 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
>> -    fils_decrypt_assoc_resp(sdata, (u8 *)mgmt, &len, assoc_data) < 0)
>> - return;
>> - 
>> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
>> --       mgmt->bssid, assoc_data->bss->bssid);
>> -+ elems = ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false,
>> -+       mgmt->bssid, assoc_data->bss->bssid);
>> -+ if (!elems)
>> -+ goto notify_driver;
>> - 
>> - if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
>> --    elems.timeout_int &&
>> --    elems.timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
>> -+    elems->timeout_int &&
>> -+    elems->timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
>> - u32 tu, ms;
>> -- tu = le32_to_cpu(elems.timeout_int->value);
>> -+ tu = le32_to_cpu(elems->timeout_int->value);
>> - ms = tu * 1024 / 1000;
>> - sdata_info(sdata,
>> -   "%pM rejected association temporarily; comeback duration %u TU (%u ms)\n",
>> -@@ -3757,7 +3770,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
>> - event.u.mlme.reason = status_code;
>> - drv_event_callback(sdata->local, sdata, &event);
>> - } else {
>> -- if (!ieee80211_assoc_success(sdata, cbss, mgmt, len, &elems)) {
>> -+ if (!ieee80211_assoc_success(sdata, cbss, mgmt, len, elems)) {
>> - /* oops -- internal error -- send timeout for now */
>> - ieee80211_destroy_assoc_data(sdata, false, false);
>> - cfg80211_assoc_timeout(sdata->dev, cbss);
>> -@@ -3787,6 +3800,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
>> -       ifmgd->assoc_req_ies, ifmgd->assoc_req_ies_len);
>> - notify_driver:
>> - drv_mgd_complete_tx(sdata->local, sdata, &info);
>> -+ kfree(elems);
>> - }
>> - 
>> - static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
>> -@@ -3991,7 +4005,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
>> - struct ieee80211_mgmt *mgmt = (void *) hdr;
>> - size_t baselen;
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - struct ieee80211_local *local = sdata->local;
>> - struct ieee80211_chanctx_conf *chanctx_conf;
>> - struct ieee80211_channel *chan;
>> -@@ -4037,15 +4051,16 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - 
>> - if (ifmgd->assoc_data && ifmgd->assoc_data->need_beacon &&
>> -    ieee80211_rx_our_beacon(bssid, ifmgd->assoc_data->bss)) {
>> -- ieee802_11_parse_elems(variable,
>> --       len - baselen, false, &elems,
>> --       bssid,
>> --       ifmgd->assoc_data->bss->bssid);
>> -+ elems = ieee802_11_parse_elems(variable, len - baselen, false,
>> -+       bssid,
>> -+       ifmgd->assoc_data->bss->bssid);
>> -+ if (!elems)
>> -+ return;
>> - 
>> - ieee80211_rx_bss_info(sdata, mgmt, len, rx_status);
>> - 
>> -- if (elems.dtim_period)
>> -- ifmgd->dtim_period = elems.dtim_period;
>> -+ if (elems->dtim_period)
>> -+ ifmgd->dtim_period = elems->dtim_period;
>> - ifmgd->have_beacon = true;
>> - ifmgd->assoc_data->need_beacon = false;
>> - if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY)) {
>> -@@ -4053,17 +4068,17 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - le64_to_cpu(mgmt->u.beacon.timestamp);
>> - sdata->vif.bss_conf.sync_device_ts =
>> - rx_status->device_timestamp;
>> -- sdata->vif.bss_conf.sync_dtim_count = elems.dtim_count;
>> -+ sdata->vif.bss_conf.sync_dtim_count = elems->dtim_count;
>> - }
>> - 
>> -- if (elems.mbssid_config_ie)
>> -+ if (elems->mbssid_config_ie)
>> - bss_conf->profile_periodicity =
>> -- elems.mbssid_config_ie->profile_periodicity;
>> -+ elems->mbssid_config_ie->profile_periodicity;
>> - else
>> - bss_conf->profile_periodicity = 0;
>> - 
>> -- if (elems.ext_capab_len >= 11 &&
>> --    (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
>> -+ if (elems->ext_capab_len >= 11 &&
>> -+    (elems->ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
>> - bss_conf->ema_ap = true;
>> - else
>> - bss_conf->ema_ap = false;
>> -@@ -4072,6 +4087,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - ifmgd->assoc_data->timeout = jiffies;
>> - ifmgd->assoc_data->timeout_started = true;
>> - run_again(sdata, ifmgd->assoc_data->timeout);
>> -+ kfree(elems);
>> - return;
>> - }
>> - 
>> -@@ -4103,14 +4119,15 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - */
>> - if (!ieee80211_is_s1g_beacon(hdr->frame_control))
>> - ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
>> -- ieee802_11_parse_elems_crc(variable,
>> --   len - baselen, false, &elems,
>> --   care_about_ies, ncrc,
>> --   mgmt->bssid, bssid);
>> -- ncrc = elems.crc;
>> -+ elems = ieee802_11_parse_elems_crc(variable, len - baselen,
>> -+   false, care_about_ies, ncrc,
>> -+   mgmt->bssid, bssid);
>> -+ if (!elems)
>> -+ return;
>> -+ ncrc = elems->crc;
>> - 
>> - if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
>> --    ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) {
>> -+    ieee80211_check_tim(elems->tim, elems->tim_len, bss_conf->aid)) {
>> - if (local->hw.conf.dynamic_ps_timeout > 0) {
>> - if (local->hw.conf.flags & IEEE80211_CONF_PS) {
>> - local->hw.conf.flags &= ~IEEE80211_CONF_PS;
>> -@@ -4180,12 +4197,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - le64_to_cpu(mgmt->u.beacon.timestamp);
>> - sdata->vif.bss_conf.sync_device_ts =
>> - rx_status->device_timestamp;
>> -- sdata->vif.bss_conf.sync_dtim_count = elems.dtim_count;
>> -+ sdata->vif.bss_conf.sync_dtim_count = elems->dtim_count;
>> - }
>> - 
>> - if ((ncrc == ifmgd->beacon_crc && ifmgd->beacon_crc_valid) ||
>> -    ieee80211_is_s1g_short_beacon(mgmt->frame_control))
>> -- return;
>> -+ goto free;
>> - ifmgd->beacon_crc = ncrc;
>> - ifmgd->beacon_crc_valid = true;
>> - 
>> -@@ -4193,12 +4210,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - 
>> - ieee80211_sta_process_chanswitch(sdata, rx_status->mactime,
>> - rx_status->device_timestamp,
>> -- &elems, true);
>> -+ elems, true);
>> - 
>> - if (!(ifmgd->flags & IEEE80211_STA_DISABLE_WMM) &&
>> --    ieee80211_sta_wmm_params(local, sdata, elems.wmm_param,
>> --     elems.wmm_param_len,
>> --     elems.mu_edca_param_set))
>> -+    ieee80211_sta_wmm_params(local, sdata, elems->wmm_param,
>> -+     elems->wmm_param_len,
>> -+     elems->mu_edca_param_set))
>> - changed |= BSS_CHANGED_QOS;
>> - 
>> - /*
>> -@@ -4207,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - */
>> - if (!ifmgd->have_beacon) {
>> - /* a few bogus AP send dtim_period = 0 or no TIM IE */
>> -- bss_conf->dtim_period = elems.dtim_period ?: 1;
>> -+ bss_conf->dtim_period = elems->dtim_period ?: 1;
>> - 
>> - changed |= BSS_CHANGED_BEACON_INFO;
>> - ifmgd->have_beacon = true;
>> -@@ -4219,9 +4236,9 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - ieee80211_recalc_ps_vif(sdata);
>> - }
>> - 
>> -- if (elems.erp_info) {
>> -+ if (elems->erp_info) {
>> - erp_valid = true;
>> -- erp_value = elems.erp_info[0];
>> -+ erp_value = elems->erp_info[0];
>> - } else {
>> - erp_valid = false;
>> - }
>> -@@ -4234,12 +4251,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> - mutex_lock(&local->sta_mtx);
>> - sta = sta_info_get(sdata, bssid);
>> - 
>> -- changed |= ieee80211_recalc_twt_req(sdata, sta, &elems);
>> -+ changed |= ieee80211_recalc_twt_req(sdata, sta, elems);
>> - 
>> -- if (ieee80211_config_bw(sdata, sta, elems.ht_cap_elem,
>> -- elems.vht_cap_elem, elems.ht_operation,
>> -- elems.vht_operation, elems.he_operation,
>> -- elems.s1g_oper, bssid, &changed)) {
>> -+ if (ieee80211_config_bw(sdata, sta, elems->ht_cap_elem,
>> -+ elems->vht_cap_elem, elems->ht_operation,
>> -+ elems->vht_operation, elems->he_operation,
>> -+ elems->s1g_oper, bssid, &changed)) {
>> - mutex_unlock(&local->sta_mtx);
>> - sdata_info(sdata,
>> -   "failed to follow AP %pM bandwidth change, disconnect\n",
>> -@@ -4251,21 +4268,23 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>> -    sizeof(deauth_buf), true,
>> -    WLAN_REASON_DEAUTH_LEAVING,
>> -    false);
>> -- return;
>> -+ goto free;
>> - }
>> - 
>> -- if (sta && elems.opmode_notif)
>> -- ieee80211_vht_handle_opmode(sdata, sta, *elems.opmode_notif,
>> -+ if (sta && elems->opmode_notif)
>> -+ ieee80211_vht_handle_opmode(sdata, sta, *elems->opmode_notif,
>> -    rx_status->band);
>> - mutex_unlock(&local->sta_mtx);
>> - 
>> - changed |= ieee80211_handle_pwr_constr(sdata, chan, mgmt,
>> --       elems.country_elem,
>> --       elems.country_elem_len,
>> --       elems.pwr_constr_elem,
>> --       elems.cisco_dtpc_elem);
>> -+       elems->country_elem,
>> -+       elems->country_elem_len,
>> -+       elems->pwr_constr_elem,
>> -+       elems->cisco_dtpc_elem);
>> - 
>> - ieee80211_bss_info_change_notify(sdata, changed);
>> -+free:
>> -+ kfree(elems);
>> - }
>> - 
>> - void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
>> -@@ -4294,7 +4313,6 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>> - struct ieee80211_rx_status *rx_status;
>> - struct ieee80211_mgmt *mgmt;
>> - u16 fc;
>> -- struct ieee802_11_elems elems;
>> - int ies_len;
>> - 
>> - rx_status = (struct ieee80211_rx_status *) skb->cb;
>> -@@ -4326,6 +4344,8 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>> - break;
>> - case IEEE80211_STYPE_ACTION:
>> - if (mgmt->u.action.category == WLAN_CATEGORY_SPECTRUM_MGMT) {
>> -+ struct ieee802_11_elems *elems;
>> -+
>> - ies_len = skb->len -
>> -  offsetof(struct ieee80211_mgmt,
>> -   u.action.u.chan_switch.variable);
>> -@@ -4334,18 +4354,21 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>> - break;
>> - 
>> - /* CSA IE cannot be overridden, no need for BSSID */
>> -- ieee802_11_parse_elems(
>> -- mgmt->u.action.u.chan_switch.variable,
>> -- ies_len, true, &elems, mgmt->bssid, NULL);
>> -+ elems = ieee802_11_parse_elems(
>> -+ mgmt->u.action.u.chan_switch.variable,
>> -+ ies_len, true, mgmt->bssid, NULL);
>> - 
>> -- if (elems.parse_error)
>> -+ if (!elems || elems->parse_error)
>> - break;
>> - 
>> - ieee80211_sta_process_chanswitch(sdata,
>> - rx_status->mactime,
>> - rx_status->device_timestamp,
>> -- &elems, false);
>> -+ elems, false);
>> -+ kfree(elems);
>> - } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
>> -+ struct ieee802_11_elems *elems;
>> -+
>> - ies_len = skb->len -
>> -  offsetof(struct ieee80211_mgmt,
>> -   u.action.u.ext_chan_switch.variable);
>> -@@ -4357,21 +4380,22 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>> - * extended CSA IE can't be overridden, no need for
>> - * BSSID
>> - */
>> -- ieee802_11_parse_elems(
>> -- mgmt->u.action.u.ext_chan_switch.variable,
>> -- ies_len, true, &elems, mgmt->bssid, NULL);
>> -+ elems = ieee802_11_parse_elems(
>> -+ mgmt->u.action.u.ext_chan_switch.variable,
>> -+ ies_len, true, mgmt->bssid, NULL);
>> - 
>> -- if (elems.parse_error)
>> -+ if (!elems || elems->parse_error)
>> - break;
>> - 
>> - /* for the handling code pretend this was also an IE */
>> -- elems.ext_chansw_ie =
>> -+ elems->ext_chansw_ie =
>> - &mgmt->u.action.u.ext_chan_switch.data;
>> - 
>> - ieee80211_sta_process_chanswitch(sdata,
>> - rx_status->mactime,
>> - rx_status->device_timestamp,
>> -- &elems, false);
>> -+ elems, false);
>> -+ kfree(elems);
>> - }
>> - break;
>> - }
>> -diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
>> -index d6afaacaf7ef..e692a2487eb5 100644
>> ---- a/net/mac80211/scan.c
>> -+++ b/net/mac80211/scan.c
>> -@@ -9,7 +9,7 @@
>> -  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
>> -  * Copyright 2013-2015  Intel Mobile Communications GmbH
>> -  * Copyright 2016-2017  Intel Deutschland GmbH
>> -- * Copyright (C) 2018-2020 Intel Corporation
>> -+ * Copyright (C) 2018-2021 Intel Corporation
>> -  */
>> - 
>> - #include <linux/if_arp.h>
>> -@@ -155,7 +155,7 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
>> - };
>> - bool signal_valid;
>> - struct ieee80211_sub_if_data *scan_sdata;
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - size_t baselen;
>> - u8 *elements;
>> - 
>> -@@ -209,8 +209,10 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
>> - if (baselen > len)
>> - return NULL;
>> - 
>> -- ieee802_11_parse_elems(elements, len - baselen, false, &elems,
>> --       mgmt->bssid, cbss->bssid);
>> -+ elems = ieee802_11_parse_elems(elements, len - baselen, false,
>> -+       mgmt->bssid, cbss->bssid);
>> -+ if (!elems)
>> -+ return NULL;
>> - 
>> - /* In case the signal is invalid update the status */
>> - signal_valid = channel == cbss->channel;
>> -@@ -218,15 +220,17 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
>> - rx_status->flag |= RX_FLAG_NO_SIGNAL_VAL;
>> - 
>> - bss = (void *)cbss->priv;
>> -- ieee80211_update_bss_from_elems(local, bss, &elems, rx_status, beacon);
>> -+ ieee80211_update_bss_from_elems(local, bss, elems, rx_status, beacon);
>> - 
>> - list_for_each_entry(non_tx_cbss, &cbss->nontrans_list, nontrans_list) {
>> - non_tx_bss = (void *)non_tx_cbss->priv;
>> - 
>> -- ieee80211_update_bss_from_elems(local, non_tx_bss, &elems,
>> -+ ieee80211_update_bss_from_elems(local, non_tx_bss, elems,
>> - rx_status, beacon);
>> - }
>> - 
>> -+ kfree(elems);
>> -+
>> - return bss;
>> - }
>> - 
>> -diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
>> -index 45e532ad1215..137be9ec94af 100644
>> ---- a/net/mac80211/tdls.c
>> -+++ b/net/mac80211/tdls.c
>> -@@ -6,7 +6,7 @@
>> -  * Copyright 2014, Intel Corporation
>> -  * Copyright 2014  Intel Mobile Communications GmbH
>> -  * Copyright 2015 - 2016 Intel Deutschland GmbH
>> -- * Copyright (C) 2019 Intel Corporation
>> -+ * Copyright (C) 2019, 2021 Intel Corporation
>> -  */
>> - 
>> - #include <linux/ieee80211.h>
>> -@@ -1684,7 +1684,7 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
>> -   struct sk_buff *skb)
>> - {
>> - struct ieee80211_local *local = sdata->local;
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems = NULL;
>> - struct sta_info *sta;
>> - struct ieee80211_tdls_data *tf = (void *)skb->data;
>> - bool local_initiator;
>> -@@ -1718,16 +1718,20 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
>> - goto call_drv;
>> - }
>> - 
>> -- ieee802_11_parse_elems(tf->u.chan_switch_resp.variable,
>> --       skb->len - baselen, false, &elems,
>> --       NULL, NULL);
>> -- if (elems.parse_error) {
>> -+ elems = ieee802_11_parse_elems(tf->u.chan_switch_resp.variable,
>> -+       skb->len - baselen, false, NULL, NULL);
>> -+ if (!elems) {
>> -+ ret = -ENOMEM;
>> -+ goto out;
>> -+ }
>> -+
>> -+ if (elems->parse_error) {
>> - tdls_dbg(sdata, "Invalid IEs in TDLS channel switch resp\n");
>> - ret = -EINVAL;
>> - goto out;
>> - }
>> - 
>> -- if (!elems.ch_sw_timing || !elems.lnk_id) {
>> -+ if (!elems->ch_sw_timing || !elems->lnk_id) {
>> - tdls_dbg(sdata, "TDLS channel switch resp - missing IEs\n");
>> - ret = -EINVAL;
>> - goto out;
>> -@@ -1735,15 +1739,15 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
>> - 
>> - /* validate the initiator is set correctly */
>> - local_initiator =
>> -- !memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
>> -+ !memcmp(elems->lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
>> - if (local_initiator == sta->sta.tdls_initiator) {
>> - tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
>> - ret = -EINVAL;
>> - goto out;
>> - }
>> - 
>> -- params.switch_time = le16_to_cpu(elems.ch_sw_timing->switch_time);
>> -- params.switch_timeout = le16_to_cpu(elems.ch_sw_timing->switch_timeout);
>> -+ params.switch_time = le16_to_cpu(elems->ch_sw_timing->switch_time);
>> -+ params.switch_timeout = le16_to_cpu(elems->ch_sw_timing->switch_timeout);
>> - 
>> - params.tmpl_skb =
>> - ieee80211_tdls_ch_sw_resp_tmpl_get(sta, &params.ch_sw_tm_ie);
>> -@@ -1763,6 +1767,7 @@ call_drv:
>> - out:
>> - mutex_unlock(&local->sta_mtx);
>> - dev_kfree_skb_any(params.tmpl_skb);
>> -+ kfree(elems);
>> - return ret;
>> - }
>> - 
>> -@@ -1771,7 +1776,7 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>> -  struct sk_buff *skb)
>> - {
>> - struct ieee80211_local *local = sdata->local;
>> -- struct ieee802_11_elems elems;
>> -+ struct ieee802_11_elems *elems;
>> - struct cfg80211_chan_def chandef;
>> - struct ieee80211_channel *chan;
>> - enum nl80211_channel_type chan_type;
>> -@@ -1831,22 +1836,27 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>> - return -EINVAL;
>> - }
>> - 
>> -- ieee802_11_parse_elems(tf->u.chan_switch_req.variable,
>> --       skb->len - baselen, false, &elems, NULL, NULL);
>> -- if (elems.parse_error) {
>> -+ elems = ieee802_11_parse_elems(tf->u.chan_switch_req.variable,
>> -+       skb->len - baselen, false, NULL, NULL);
>> -+ if (!elems)
>> -+ return -ENOMEM;
>> -+
>> -+ if (elems->parse_error) {
>> - tdls_dbg(sdata, "Invalid IEs in TDLS channel switch req\n");
>> -- return -EINVAL;
>> -+ ret = -EINVAL;
>> -+ goto free;
>> - }
>> - 
>> -- if (!elems.ch_sw_timing || !elems.lnk_id) {
>> -+ if (!elems->ch_sw_timing || !elems->lnk_id) {
>> - tdls_dbg(sdata, "TDLS channel switch req - missing IEs\n");
>> -- return -EINVAL;
>> -+ ret = -EINVAL;
>> -+ goto free;
>> - }
>> - 
>> -- if (!elems.sec_chan_offs) {
>> -+ if (!elems->sec_chan_offs) {
>> - chan_type = NL80211_CHAN_HT20;
>> - } else {
>> -- switch (elems.sec_chan_offs->sec_chan_offs) {
>> -+ switch (elems->sec_chan_offs->sec_chan_offs) {
>> - case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
>> - chan_type = NL80211_CHAN_HT40PLUS;
>> - break;
>> -@@ -1865,7 +1875,8 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>> - if (!cfg80211_reg_can_beacon_relax(sdata->local->hw.wiphy, &chandef,
>> -   sdata->wdev.iftype)) {
>> - tdls_dbg(sdata, "TDLS chan switch to forbidden channel\n");
>> -- return -EINVAL;
>> -+ ret = -EINVAL;
>> -+ goto free;
>> - }
>> - 
>> - mutex_lock(&local->sta_mtx);
>> -@@ -1881,7 +1892,7 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>> - 
>> - /* validate the initiator is set correctly */
>> - local_initiator =
>> -- !memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
>> -+ !memcmp(elems->lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
>> - if (local_initiator == sta->sta.tdls_initiator) {
>> - tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
>> - ret = -EINVAL;
>> -@@ -1889,16 +1900,16 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>> - }
>> - 
>> - /* peer should have known better */
>> -- if (!sta->sta.ht_cap.ht_supported && elems.sec_chan_offs &&
>> --    elems.sec_chan_offs->sec_chan_offs) {
>> -+ if (!sta->sta.ht_cap.ht_supported && elems->sec_chan_offs &&
>> -+    elems->sec_chan_offs->sec_chan_offs) {
>> - tdls_dbg(sdata, "TDLS chan switch - wide chan unsupported\n");
>> - ret = -ENOTSUPP;
>> - goto out;
>> - }
>> - 
>> - params.chandef = &chandef;
>> -- params.switch_time = le16_to_cpu(elems.ch_sw_timing->switch_time);
>> -- params.switch_timeout = le16_to_cpu(elems.ch_sw_timing->switch_timeout);
>> -+ params.switch_time = le16_to_cpu(elems->ch_sw_timing->switch_time);
>> -+ params.switch_timeout = le16_to_cpu(elems->ch_sw_timing->switch_timeout);
>> - 
>> - params.tmpl_skb =
>> - ieee80211_tdls_ch_sw_resp_tmpl_get(sta,
>> -@@ -1917,6 +1928,8 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>> - out:
>> - mutex_unlock(&local->sta_mtx);
>> - dev_kfree_skb_any(params.tmpl_skb);
>> -+free:
>> -+ kfree(elems);
>> - return ret;
>> - }
>> - 
>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>> -index 664c32b6db19..2ac61e68b6b4 100644
>> ---- a/net/mac80211/util.c
>> -+++ b/net/mac80211/util.c
>> -@@ -1396,8 +1396,8 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>> - 
>> - static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
>> -    struct ieee802_11_elems *elems,
>> --    u8 *transmitter_bssid,
>> --    u8 *bss_bssid,
>> -+    const u8 *transmitter_bssid,
>> -+    const u8 *bss_bssid,
>> -    u8 *nontransmitted_profile)
>> - {
>> - const struct element *elem, *sub;
>> -@@ -1464,16 +1464,20 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
>> - return found ? profile_len : 0;
>> - }
>> - 
>> --void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>> -- struct ieee802_11_elems *elems,
>> -- u64 filter, u32 crc, u8 *transmitter_bssid,
>> -- u8 *bss_bssid)
>> -+struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
>> -+    bool action, u64 filter,
>> -+    u32 crc,
>> -+    const u8 *transmitter_bssid,
>> -+    const u8 *bss_bssid)
>> - {
>> -+ struct ieee802_11_elems *elems;
>> - const struct element *non_inherit = NULL;
>> - u8 *nontransmitted_profile;
>> - int nontransmitted_profile_len = 0;
>> - 
>> -- memset(elems, 0, sizeof(*elems));
>> -+ elems = kzalloc(sizeof(*elems), GFP_ATOMIC);
>> -+ if (!elems)
>> -+ return NULL;
>> - elems->ie_start = start;
>> - elems->total_len = len;
>> - 
>> -@@ -1520,6 +1524,8 @@ void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>> - kfree(nontransmitted_profile);
>> - 
>> - elems->crc = crc;
>> -+
>> -+ return elems;
>> - }
>> - 
>> - void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch b/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
>> deleted file mode 100644
>> index 1d167c19a..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
>> +++ /dev/null
>> @@ -1,130 +0,0 @@
>> -From 7d998f6b7365d50a9905bf57fd28b41c7ebe8e9d Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Thu, 13 Oct 2022 20:16:00 +0200
>> -Subject: [PATCH] mac80211: fix memory leaks with element parsing
>> -
>> -commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
>> -
>> -My previous commit 5d24828d05f3 ("mac80211: always allocate
>> -struct ieee802_11_elems") had a few bugs and leaked the new
>> -allocated struct in a few error cases, fix that.
>> -
>> -Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Cc: Felix Fietkau <nbd@nbd.name>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/mac80211/agg-rx.c |  3 ++-
>> - net/mac80211/ibss.c   | 10 +++++-----
>> - net/mac80211/mlme.c   | 36 ++++++++++++++++++------------------
>> - 3 files changed, 25 insertions(+), 24 deletions(-)
>> -
>> -diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
>> -index ffa4f31f6c2b..0d2bab9d351c 100644
>> ---- a/net/mac80211/agg-rx.c
>> -+++ b/net/mac80211/agg-rx.c
>> -@@ -499,13 +499,14 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
>> - elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
>> -       ies_len, true, mgmt->bssid, NULL);
>> - if (!elems || elems->parse_error)
>> -- return;
>> -+ goto free;
>> - }
>> - 
>> - __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
>> - start_seq_num, ba_policy, tid,
>> - buf_size, true, false,
>> - elems ? elems->addba_ext_ie : NULL);
>> -+free:
>> - kfree(elems);
>> - }
>> - 
>> -diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
>> -index 4b721b48f86a..48e0260f3424 100644
>> ---- a/net/mac80211/ibss.c
>> -+++ b/net/mac80211/ibss.c
>> -@@ -1663,11 +1663,11 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>> - mgmt->u.action.u.chan_switch.variable,
>> - ies_len, true, mgmt->bssid, NULL);
>> - 
>> -- if (!elems || elems->parse_error)
>> -- break;
>> --
>> -- ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
>> -- rx_status, elems);
>> -+ if (elems && !elems->parse_error)
>> -+ ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
>> -+ skb->len,
>> -+ rx_status,
>> -+ elems);
>> - kfree(elems);
>> - break;
>> - }
>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
>> -index 45efa1d1c550..cc6d38a2e6d5 100644
>> ---- a/net/mac80211/mlme.c
>> -+++ b/net/mac80211/mlme.c
>> -@@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>> - bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
>> -  GFP_ATOMIC);
>> - rcu_read_unlock();
>> -- if (!bss_ies)
>> -- return false;
>> -+ if (!bss_ies) {
>> -+ ret = false;
>> -+ goto out;
>> -+ }
>> - 
>> - bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
>> -   false, mgmt->bssid,
>> -@@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>> - mgmt->u.action.u.chan_switch.variable,
>> - ies_len, true, mgmt->bssid, NULL);
>> - 
>> -- if (!elems || elems->parse_error)
>> -- break;
>> --
>> -- ieee80211_sta_process_chanswitch(sdata,
>> -- rx_status->mactime,
>> -- rx_status->device_timestamp,
>> -- elems, false);
>> -+ if (elems && !elems->parse_error)
>> -+ ieee80211_sta_process_chanswitch(sdata,
>> -+ rx_status->mactime,
>> -+ rx_status->device_timestamp,
>> -+ elems, false);
>> - kfree(elems);
>> - } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
>> - struct ieee802_11_elems *elems;
>> -@@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>> - mgmt->u.action.u.ext_chan_switch.variable,
>> - ies_len, true, mgmt->bssid, NULL);
>> - 
>> -- if (!elems || elems->parse_error)
>> -- break;
>> -+ if (elems && !elems->parse_error) {
>> -+ /* for the handling code pretend it was an IE */
>> -+ elems->ext_chansw_ie =
>> -+ &mgmt->u.action.u.ext_chan_switch.data;
>> - 
>> -- /* for the handling code pretend this was also an IE */
>> -- elems->ext_chansw_ie =
>> -- &mgmt->u.action.u.ext_chan_switch.data;
>> -+ ieee80211_sta_process_chanswitch(sdata,
>> -+ rx_status->mactime,
>> -+ rx_status->device_timestamp,
>> -+ elems, false);
>> -+ }
>> - 
>> -- ieee80211_sta_process_chanswitch(sdata,
>> -- rx_status->mactime,
>> -- rx_status->device_timestamp,
>> -- elems, false);
>> - kfree(elems);
>> - }
>> - break;
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-14.patch b/src/patches/linux/linux-5.15-wifi-security-patches-14.patch
>> deleted file mode 100644
>> index f0ccc0b6a..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-14.patch
>> +++ /dev/null
>> @@ -1,107 +0,0 @@
>> -From de124365a7d2deed22cf706583930f28d537ff0f Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Thu, 13 Oct 2022 20:16:01 +0200
>> -Subject: [PATCH] wifi: mac80211: fix MBSSID parsing use-after-free
>> -
>> -commit ff05d4b45dd89b922578dac497dcabf57cf771c6
>> -
>> -When we parse a multi-BSSID element, we might point some
>> -element pointers into the allocated nontransmitted_profile.
>> -However, we free this before returning, causing UAF when the
>> -relevant pointers in the parsed elements are accessed.
>> -
>> -Fix this by not allocating the scratch buffer separately but
>> -as part of the returned structure instead, that way, there
>> -are no lifetime issues with it.
>> -
>> -The scratch buffer introduction as part of the returned data
>> -here is taken from MLO feature work done by Ilan.
>> -
>> -This fixes CVE-2022-42719.
>> -
>> -Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
>> -Co-developed-by: Ilan Peer <ilan.peer@intel.com>
>> -Signed-off-by: Ilan Peer <ilan.peer@intel.com>
>> -Reviewed-by: Kees Cook <keescook@chromium.org>
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Cc: Felix Fietkau <nbd@nbd.name>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/mac80211/ieee80211_i.h |  8 ++++++++
>> - net/mac80211/util.c        | 29 ++++++++++++++---------------
>> - 2 files changed, 22 insertions(+), 15 deletions(-)
>> -
>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>> -index 3633e49239c7..21549a440b38 100644
>> ---- a/net/mac80211/ieee80211_i.h
>> -+++ b/net/mac80211/ieee80211_i.h
>> -@@ -1613,6 +1613,14 @@ struct ieee802_11_elems {
>> - 
>> - /* whether a parse error occurred while retrieving these elements */
>> - bool parse_error;
>> -+
>> -+ /*
>> -+ * scratch buffer that can be used for various element parsing related
>> -+ * tasks, e.g., element de-fragmentation etc.
>> -+ */
>> -+ size_t scratch_len;
>> -+ u8 *scratch_pos;
>> -+ u8 scratch[];
>> - };
>> - 
>> - static inline struct ieee80211_local *hw_to_local(
>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>> -index 2ac61e68b6b4..354badd32793 100644
>> ---- a/net/mac80211/util.c
>> -+++ b/net/mac80211/util.c
>> -@@ -1475,24 +1475,25 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
>> - u8 *nontransmitted_profile;
>> - int nontransmitted_profile_len = 0;
>> - 
>> -- elems = kzalloc(sizeof(*elems), GFP_ATOMIC);
>> -+ elems = kzalloc(sizeof(*elems) + len, GFP_ATOMIC);
>> - if (!elems)
>> - return NULL;
>> - elems->ie_start = start;
>> - elems->total_len = len;
>> - 
>> -- nontransmitted_profile = kmalloc(len, GFP_ATOMIC);
>> -- if (nontransmitted_profile) {
>> -- nontransmitted_profile_len =
>> -- ieee802_11_find_bssid_profile(start, len, elems,
>> --      transmitter_bssid,
>> --      bss_bssid,
>> --      nontransmitted_profile);
>> -- non_inherit =
>> -- cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
>> --       nontransmitted_profile,
>> --       nontransmitted_profile_len);
>> -- }
>> -+ elems->scratch_len = len;
>> -+ elems->scratch_pos = elems->scratch;
>> -+
>> -+ nontransmitted_profile = elems->scratch_pos;
>> -+ nontransmitted_profile_len =
>> -+ ieee802_11_find_bssid_profile(start, len, elems,
>> -+      transmitter_bssid,
>> -+      bss_bssid,
>> -+      nontransmitted_profile);
>> -+ non_inherit =
>> -+ cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
>> -+       nontransmitted_profile,
>> -+       nontransmitted_profile_len);
>> - 
>> - crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
>> -  crc, non_inherit);
>> -@@ -1521,8 +1522,6 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
>> -    offsetofend(struct ieee80211_bssid_index, dtim_count))
>> - elems->dtim_count = elems->bssid_index->dtim_count;
>> - 
>> -- kfree(nontransmitted_profile);
>> --
>> - elems->crc = crc;
>> - 
>> - return elems;
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-2.patch b/src/patches/linux/linux-5.15-wifi-security-patches-2.patch
>> deleted file mode 100644
>> index d2a04e717..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-2.patch
>> +++ /dev/null
>> @@ -1,59 +0,0 @@
>> -From 0a861bd25dad508e492c48169509d8c6b9246895 Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Wed, 28 Sep 2022 22:01:37 +0200
>> -Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements
>> -
>> -commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
>> -
>> -Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
>> -and the minimum is 1 since a multiple BSSID set with just one BSSID
>> -doesn't make sense (the # of BSSIDs is limited by 2^n).
>> -
>> -Limit this in the parsing in both cfg80211 and mac80211, rejecting
>> -any elements with an invalid value.
>> -
>> -This fixes potentially bad shifts in the processing of these inside
>> -the cfg80211_gen_new_bssid() function later.
>> -
>> -I found this during the investigation of CVE-2022-41674 fixed by the
>> -previous patch.
>> -
>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
>> -Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
>> -Reviewed-by: Kees Cook <keescook@chromium.org>
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/mac80211/util.c | 2 ++
>> - net/wireless/scan.c | 2 ++
>> - 2 files changed, 4 insertions(+)
>> -
>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>> -index be1911d8089f..00543ea9c6b5 100644
>> ---- a/net/mac80211/util.c
>> -+++ b/net/mac80211/util.c
>> -@@ -1414,6 +1414,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
>> - for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
>> - if (elem->datalen < 2)
>> - continue;
>> -+ if (elem->data[0] < 1 || elem->data[0] > 8)
>> -+ continue;
>> - 
>> - for_each_element(sub, elem->data + 1, elem->datalen - 1) {
>> - u8 new_bssid[ETH_ALEN];
>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>> -index d9ab37a798f4..84c642eae4d8 100644
>> ---- a/net/wireless/scan.c
>> -+++ b/net/wireless/scan.c
>> -@@ -2103,6 +2103,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
>> - for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
>> - if (elem->datalen < 4)
>> - continue;
>> -+ if (elem->data[0] < 1 || (int)elem->data[0] > 8)
>> -+ continue;
>> - for_each_element(sub, elem->data + 1, elem->datalen - 1) {
>> - u8 profile_len;
>> - 
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-3.patch b/src/patches/linux/linux-5.15-wifi-security-patches-3.patch
>> deleted file mode 100644
>> index 60be08214..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-3.patch
>> +++ /dev/null
>> @@ -1,49 +0,0 @@
>> -From 9e99ca59ed3976921f8891c103d503b6da3e78af Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Thu, 29 Sep 2022 21:50:44 +0200
>> -Subject: [PATCH] wifi: cfg80211: ensure length byte is present before access
>> -
>> -commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
>> -
>> -When iterating the elements here, ensure the length byte is
>> -present before checking it to see if the entire element will
>> -fit into the buffer.
>> -
>> -Longer term, we should rewrite this code using the type-safe
>> -element iteration macros that check all of this.
>> -
>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
>> -Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/wireless/scan.c | 6 ++++--
>> - 1 file changed, 4 insertions(+), 2 deletions(-)
>> -
>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>> -index 84c642eae4d8..04c9b78b3fec 100644
>> ---- a/net/wireless/scan.c
>> -+++ b/net/wireless/scan.c
>> -@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
>> - tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
>> - tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
>> - 
>> -- while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
>> -+ while (tmp_old + 2 - ie <= ielen &&
>> -+       tmp_old + tmp_old[1] + 2 - ie <= ielen) {
>> - if (tmp_old[0] == 0) {
>> - tmp_old++;
>> - continue;
>> -@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
>> - * copied to new ie, skip ssid, capability, bssid-index ie
>> - */
>> - tmp_new = sub_copy;
>> -- while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
>> -+ while (tmp_new + 2 - sub_copy <= subie_len &&
>> -+       tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
>> - if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
>> -      tmp_new[0] == WLAN_EID_SSID)) {
>> - memcpy(pos, tmp_new, tmp_new[1] + 2);
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-4.patch b/src/patches/linux/linux-5.15-wifi-security-patches-4.patch
>> deleted file mode 100644
>> index bd2439041..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-4.patch
>> +++ /dev/null
>> @@ -1,96 +0,0 @@
>> -From bfe29873454f38eb1a511a76144ad1a4848ca176 Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Fri, 30 Sep 2022 23:44:23 +0200
>> -Subject: [PATCH] wifi: cfg80211: fix BSS refcounting bugs
>> -MIME-Version: 1.0
>> -Content-Type: text/plain; charset=utf8
>> -Content-Transfer-Encoding: 8bit
>> -
>> -commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream.
>> -
>> -There are multiple refcounting bugs related to multi-BSSID:
>> - - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
>> -   the bss pointer is overwritten before checking for the
>> -   transmitted BSS, which is clearly wrong. Fix this by using
>> -   the bss_from_pub() macro.
>> -
>> - - In cfg80211_bss_update() we copy the transmitted_bss pointer
>> -   from tmp into new, but then if we release new, we'll unref
>> -   it erroneously. We already set the pointer and ref it, but
>> -   need to NULL it since it was copied from the tmp data.
>> -
>> - - In cfg80211_inform_single_bss_data(), if adding to the non-
>> -   transmitted list fails, we unlink the BSS and yet still we
>> -   return it, but this results in returning an entry without
>> -   a reference. We shouldn't return it anyway if it was broken
>> -   enough to not get added there.
>> -
>> -This fixes CVE-2022-42720.
>> -
>> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS")
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/wireless/scan.c | 27 ++++++++++++++-------------
>> - 1 file changed, 14 insertions(+), 13 deletions(-)
>> -
>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>> -index 04c9b78b3fec..2e576714e989 100644
>> ---- a/net/wireless/scan.c
>> -+++ b/net/wireless/scan.c
>> -@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
>> - lockdep_assert_held(&rdev->bss_lock);
>> - 
>> - bss->refcount++;
>> -- if (bss->pub.hidden_beacon_bss) {
>> -- bss = container_of(bss->pub.hidden_beacon_bss,
>> --   struct cfg80211_internal_bss,
>> --   pub);
>> -- bss->refcount++;
>> -- }
>> -- if (bss->pub.transmitted_bss) {
>> -- bss = container_of(bss->pub.transmitted_bss,
>> --   struct cfg80211_internal_bss,
>> --   pub);
>> -- bss->refcount++;
>> -- }
>> -+
>> -+ if (bss->pub.hidden_beacon_bss)
>> -+ bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
>> -+
>> -+ if (bss->pub.transmitted_bss)
>> -+ bss_from_pub(bss->pub.transmitted_bss)->refcount++;
>> - }
>> - 
>> - static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
>> -@@ -1743,6 +1737,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
>> - new->refcount = 1;
>> - INIT_LIST_HEAD(&new->hidden_list);
>> - INIT_LIST_HEAD(&new->pub.nontrans_list);
>> -+ /* we'll set this later if it was non-NULL */
>> -+ new->pub.transmitted_bss = NULL;
>> - 
>> - if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
>> - hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
>> -@@ -1983,10 +1979,15 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
>> - spin_lock_bh(&rdev->bss_lock);
>> - if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
>> -       &res->pub)) {
>> -- if (__cfg80211_unlink_bss(rdev, res))
>> -+ if (__cfg80211_unlink_bss(rdev, res)) {
>> - rdev->bss_generation++;
>> -+ res = NULL;
>> -+ }
>> - }
>> - spin_unlock_bh(&rdev->bss_lock);
>> -+
>> -+ if (!res)
>> -+ return NULL;
>> - }
>> - 
>> - trace_cfg80211_return_bss(&res->pub);
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch b/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
>> deleted file mode 100644
>> index c0c4dadd3..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
>> +++ /dev/null
>> @@ -1,56 +0,0 @@
>> -From 0a8ee682e4f992eccce226b012bba600bb2251e2 Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Sat, 1 Oct 2022 00:01:44 +0200
>> -Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list corruption
>> -MIME-Version: 1.0
>> -Content-Type: text/plain; charset=utf8
>> -Content-Transfer-Encoding: 8bit
>> -
>> -commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
>> -
>> -If a non-transmitted BSS shares enough information (both
>> -SSID and BSSID!) with another non-transmitted BSS of a
>> -different AP, then we can find and update it, and then
>> -try to add it to the non-transmitted BSS list. We do a
>> -search for it on the transmitted BSS, but if it's not
>> -there (but belongs to another transmitted BSS), the list
>> -gets corrupted.
>> -
>> -Since this is an erroneous situation, simply fail the
>> -list insertion in this case and free the non-transmitted
>> -BSS.
>> -
>> -This fixes CVE-2022-42721.
>> -
>> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/wireless/scan.c | 9 +++++++++
>> - 1 file changed, 9 insertions(+)
>> -
>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>> -index 2e576714e989..a21baf7b3612 100644
>> ---- a/net/wireless/scan.c
>> -+++ b/net/wireless/scan.c
>> -@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
>> - 
>> - rcu_read_unlock();
>> - 
>> -+ /*
>> -+ * This is a bit weird - it's not on the list, but already on another
>> -+ * one! The only way that could happen is if there's some BSSID/SSID
>> -+ * shared by multiple APs in their multi-BSSID profiles, potentially
>> -+ * with hidden SSID mixed in ... ignore it.
>> -+ */
>> -+ if (!list_empty(&nontrans_bss->nontrans_list))
>> -+ return -EINVAL;
>> -+
>> - /* add to the list */
>> - list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
>> - return 0;
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-6.patch b/src/patches/linux/linux-5.15-wifi-security-patches-6.patch
>> deleted file mode 100644
>> index caa380de8..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-6.patch
>> +++ /dev/null
>> @@ -1,39 +0,0 @@
>> -From fff244e9171b2ca692469d41c68b36607bd73ab0 Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Wed, 5 Oct 2022 15:10:09 +0200
>> -Subject: [PATCH] wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
>> -MIME-Version: 1.0
>> -Content-Type: text/plain; charset=utf8
>> -Content-Transfer-Encoding: 8bit
>> -
>> -commit 1833b6f46d7e2830251a063935ab464256defe22 upstream.
>> -
>> -If the tool on the other side (e.g. wmediumd) gets confused
>> -about the rate, we hit a warning in mac80211. Silence that
>> -by effectively duplicating the check here and dropping the
>> -frame silently (in mac80211 it's dropped with the warning).
>> -
>> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - drivers/net/wireless/mac80211_hwsim.c | 2 ++
>> - 1 file changed, 2 insertions(+)
>> -
>> -diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
>> -index 52a2574b7d13..b228567b2a73 100644
>> ---- a/drivers/net/wireless/mac80211_hwsim.c
>> -+++ b/drivers/net/wireless/mac80211_hwsim.c
>> -@@ -3749,6 +3749,8 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
>> - 
>> - rx_status.band = channel->band;
>> - rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
>> -+ if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates)
>> -+ goto out;
>> - rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
>> - 
>> - hdr = (void *)skb->data;
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-7.patch b/src/patches/linux/linux-5.15-wifi-security-patches-7.patch
>> deleted file mode 100644
>> index b5cb2ad12..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-7.patch
>> +++ /dev/null
>> @@ -1,60 +0,0 @@
>> -From 93a3a32554079432b49cf87f326607b2a2fab4f2 Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Wed, 5 Oct 2022 21:24:10 +0200
>> -Subject: [PATCH] wifi: mac80211: fix crash in beacon protection for P2P-device
>> -MIME-Version: 1.0
>> -Content-Type: text/plain; charset=utf8
>> -Content-Transfer-Encoding: 8bit
>> -
>> -commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
>> -
>> -If beacon protection is active but the beacon cannot be
>> -decrypted or is otherwise malformed, we call the cfg80211
>> -API to report this to userspace, but that uses a netdev
>> -pointer, which isn't present for P2P-Device. Fix this to
>> -call it only conditionally to ensure cfg80211 won't crash
>> -in the case of P2P-Device.
>> -
>> -This fixes CVE-2022-42722.
>> -
>> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/mac80211/rx.c | 12 +++++++-----
>> - 1 file changed, 7 insertions(+), 5 deletions(-)
>> -
>> -diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
>> -index 743e97ba352c..175ead6b19cb 100644
>> ---- a/net/mac80211/rx.c
>> -+++ b/net/mac80211/rx.c
>> -@@ -1982,10 +1982,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
>> - 
>> - if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
>> -    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
>> --    NUM_DEFAULT_BEACON_KEYS) {
>> -- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
>> --     skb->data,
>> --     skb->len);
>> -+   NUM_DEFAULT_BEACON_KEYS) {
>> -+ if (rx->sdata->dev)
>> -+ cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
>> -+     skb->data,
>> -+     skb->len);
>> - return RX_DROP_MONITOR; /* unexpected BIP keyidx */
>> - }
>> - 
>> -@@ -2133,7 +2134,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
>> - /* either the frame has been decrypted or will be dropped */
>> - status->flag |= RX_FLAG_DECRYPTED;
>> - 
>> -- if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
>> -+ if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
>> -+     rx->sdata->dev))
>> - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
>> -     skb->data, skb->len);
>> - 
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-8.patch b/src/patches/linux/linux-5.15-wifi-security-patches-8.patch
>> deleted file mode 100644
>> index 8099f3a72..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-8.patch
>> +++ /dev/null
>> @@ -1,94 +0,0 @@
>> -From d15bb1f6dabe1d2a4155958111bea47db72b599c Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Wed, 5 Oct 2022 23:11:43 +0200
>> -Subject: [PATCH] wifi: cfg80211: update hidden BSSes to avoid WARN_ON
>> -MIME-Version: 1.0
>> -Content-Type: text/plain; charset=utf8
>> -Content-Transfer-Encoding: 8bit
>> -
>> -commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream.
>> -
>> -When updating beacon elements in a non-transmitted BSS,
>> -also update the hidden sub-entries to the same beacon
>> -elements, so that a future update through other paths
>> -won't trigger a WARN_ON().
>> -
>> -The warning is triggered because the beacon elements in
>> -the hidden BSSes that are children of the BSS should
>> -always be the same as in the parent.
>> -
>> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/wireless/scan.c | 31 ++++++++++++++++++++-----------
>> - 1 file changed, 20 insertions(+), 11 deletions(-)
>> -
>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>> -index a21baf7b3612..f0de22a6caf7 100644
>> ---- a/net/wireless/scan.c
>> -+++ b/net/wireless/scan.c
>> -@@ -1609,6 +1609,23 @@ struct cfg80211_non_tx_bss {
>> - u8 bssid_index;
>> - };
>> - 
>> -+static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known,
>> -+ const struct cfg80211_bss_ies *new_ies,
>> -+ const struct cfg80211_bss_ies *old_ies)
>> -+{
>> -+ struct cfg80211_internal_bss *bss;
>> -+
>> -+ /* Assign beacon IEs to all sub entries */
>> -+ list_for_each_entry(bss, &known->hidden_list, hidden_list) {
>> -+ const struct cfg80211_bss_ies *ies;
>> -+
>> -+ ies = rcu_access_pointer(bss->pub.beacon_ies);
>> -+ WARN_ON(ies != old_ies);
>> -+
>> -+ rcu_assign_pointer(bss->pub.beacon_ies, new_ies);
>> -+ }
>> -+}
>> -+
>> - static bool
>> - cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
>> -  struct cfg80211_internal_bss *known,
>> -@@ -1632,7 +1649,6 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
>> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
>> - } else if (rcu_access_pointer(new->pub.beacon_ies)) {
>> - const struct cfg80211_bss_ies *old;
>> -- struct cfg80211_internal_bss *bss;
>> - 
>> - if (known->pub.hidden_beacon_bss &&
>> -    !list_empty(&known->hidden_list)) {
>> -@@ -1660,16 +1676,7 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
>> - if (old == rcu_access_pointer(known->pub.ies))
>> - rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
>> - 
>> -- /* Assign beacon IEs to all sub entries */
>> -- list_for_each_entry(bss, &known->hidden_list, hidden_list) {
>> -- const struct cfg80211_bss_ies *ies;
>> --
>> -- ies = rcu_access_pointer(bss->pub.beacon_ies);
>> -- WARN_ON(ies != old);
>> --
>> -- rcu_assign_pointer(bss->pub.beacon_ies,
>> --   new->pub.beacon_ies);
>> -- }
>> -+ cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
>> - 
>> - if (old)
>> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
>> -@@ -2319,6 +2326,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
>> - } else {
>> - old = rcu_access_pointer(nontrans_bss->beacon_ies);
>> - rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies);
>> -+ cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss),
>> -+     new_ies, old);
>> - rcu_assign_pointer(nontrans_bss->ies, new_ies);
>> - if (old)
>> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
>> --- 
>> -2.30.2
>> -
>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-9.patch b/src/patches/linux/linux-5.15-wifi-security-patches-9.patch
>> deleted file mode 100644
>> index 5781b077d..000000000
>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-9.patch
>> +++ /dev/null
>> @@ -1,126 +0,0 @@
>> -From 864f2d3482f4bd0c62b355e35ee8300be8ef488e Mon Sep 17 00:00:00 2001
>> -From: Johannes Berg <johannes.berg@intel.com>
>> -Date: Thu, 13 Oct 2022 20:15:56 +0200
>> -Subject: [PATCH] mac80211: mesh: clean up rx_bcn_presp API
>> -
>> -commit a5b983c6073140b624f64e79fea6d33c3e4315a0 upstream.
>> -
>> -We currently pass the entire elements to the rx_bcn_presp()
>> -method, but only need mesh_config. Additionally, we use the
>> -length of the elements to calculate back the entire frame's
>> -length, but that's confusing - just pass the length of the
>> -frame instead.
>> -
>> -Link: https://lore.kernel.org/r/20210920154009.a18ed3d2da6c.I1824b773a0fbae4453e1433c184678ca14e8df45@changeid
>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> -Cc: Felix Fietkau <nbd@nbd.name>
>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> ----
>> - net/mac80211/ieee80211_i.h |  7 +++----
>> - net/mac80211/mesh.c        |  4 ++--
>> - net/mac80211/mesh_sync.c   | 26 ++++++++++++--------------
>> - 3 files changed, 17 insertions(+), 20 deletions(-)
>> -
>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>> -index f7bea4af2ddb..4bd55af184b2 100644
>> ---- a/net/mac80211/ieee80211_i.h
>> -+++ b/net/mac80211/ieee80211_i.h
>> -@@ -631,10 +631,9 @@ struct ieee80211_if_ocb {
>> -  */
>> - struct ieee802_11_elems;
>> - struct ieee80211_mesh_sync_ops {
>> -- void (*rx_bcn_presp)(struct ieee80211_sub_if_data *sdata,
>> --     u16 stype,
>> --     struct ieee80211_mgmt *mgmt,
>> --     struct ieee802_11_elems *elems,
>> -+ void (*rx_bcn_presp)(struct ieee80211_sub_if_data *sdata, u16 stype,
>> -+     struct ieee80211_mgmt *mgmt, unsigned int len,
>> -+     const struct ieee80211_meshconf_ie *mesh_cfg,
>> -     struct ieee80211_rx_status *rx_status);
>> - 
>> - /* should be called with beacon_data under RCU read lock */
>> -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
>> -index 42bd81a30310..9f6414a68d71 100644
>> ---- a/net/mac80211/mesh.c
>> -+++ b/net/mac80211/mesh.c
>> -@@ -1354,8 +1354,8 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>> - }
>> - 
>> - if (ifmsh->sync_ops)
>> -- ifmsh->sync_ops->rx_bcn_presp(sdata,
>> -- stype, mgmt, &elems, rx_status);
>> -+ ifmsh->sync_ops->rx_bcn_presp(sdata, stype, mgmt, len,
>> -+      elems.mesh_config, rx_status);
>> - }
>> - 
>> - int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
>> -diff --git a/net/mac80211/mesh_sync.c b/net/mac80211/mesh_sync.c
>> -index fde93de2b80a..9e342cc2504c 100644
>> ---- a/net/mac80211/mesh_sync.c
>> -+++ b/net/mac80211/mesh_sync.c
>> -@@ -3,6 +3,7 @@
>> -  * Copyright 2011-2012, Pavel Zubarev <pavel.zubarev@gmail.com>
>> -  * Copyright 2011-2012, Marco Porsch <marco.porsch@s2005.tu-chemnitz.de>
>> -  * Copyright 2011-2012, cozybit Inc.
>> -+ * Copyright (C) 2021 Intel Corporation
>> -  */
>> - 
>> - #include "ieee80211_i.h"
>> -@@ -35,12 +36,12 @@ struct sync_method {
>> - /**
>> -  * mesh_peer_tbtt_adjusting - check if an mp is currently adjusting its TBTT
>> -  *
>> -- * @ie: information elements of a management frame from the mesh peer
>> -+ * @cfg: mesh config element from the mesh peer (or %NULL)
>> -  */
>> --static bool mesh_peer_tbtt_adjusting(struct ieee802_11_elems *ie)
>> -+static bool mesh_peer_tbtt_adjusting(const struct ieee80211_meshconf_ie *cfg)
>> - {
>> -- return (ie->mesh_config->meshconf_cap &
>> -- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING) != 0;
>> -+ return cfg &&
>> -+       (cfg->meshconf_cap & IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING);
>> - }
>> - 
>> - void mesh_sync_adjust_tsf(struct ieee80211_sub_if_data *sdata)
>> -@@ -76,11 +77,11 @@ void mesh_sync_adjust_tsf(struct ieee80211_sub_if_data *sdata)
>> - }
>> - }
>> - 
>> --static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>> --   u16 stype,
>> --   struct ieee80211_mgmt *mgmt,
>> --   struct ieee802_11_elems *elems,
>> --   struct ieee80211_rx_status *rx_status)
>> -+static void
>> -+mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata, u16 stype,
>> -+      struct ieee80211_mgmt *mgmt, unsigned int len,
>> -+      const struct ieee80211_meshconf_ie *mesh_cfg,
>> -+      struct ieee80211_rx_status *rx_status)
>> - {
>> - struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
>> - struct ieee80211_local *local = sdata->local;
>> -@@ -101,10 +102,7 @@ static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>> - */
>> - if (ieee80211_have_rx_timestamp(rx_status))
>> - t_r = ieee80211_calculate_rx_timestamp(local, rx_status,
>> --       24 + 12 +
>> --       elems->total_len +
>> --       FCS_LEN,
>> --       24);
>> -+       len + FCS_LEN, 24);
>> - else
>> - t_r = drv_get_tsf(local, sdata);
>> - 
>> -@@ -119,7 +117,7 @@ static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>> - * dot11MeshNbrOffsetMaxNeighbor non-peer non-MBSS neighbors
>> - */
>> - 
>> -- if (elems->mesh_config && mesh_peer_tbtt_adjusting(elems)) {
>> -+ if (mesh_peer_tbtt_adjusting(mesh_cfg)) {
>> - msync_dbg(sdata, "STA %pM : is adjusting TBTT\n",
>> -  sta->sta.addr);
>> - goto no_sync;
>> --- 
>> -2.30.2
>> -
>> -- 
>> 2.35.3
>
  
Michael Tremer Dec. 29, 2022, 11:16 a.m. UTC | #3
Hello,

> On 29 Dec 2022, at 11:14, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael,
> 
>> Hello,
>> 
>>> On 26 Dec 2022, at 20:24, Peter Müller <peter.mueller@ipfire.org> wrote:
>>> 
>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>> ---
>>> config/kernel/kernel.config.x86_64-ipfire     |    5 +-
>>> config/rootfiles/common/x86_64/linux          |   16 +-
>>> lfs/linux                                     |    9 +-
>>> .../linux-5.15-wifi-security-patches-1.patch  |   50 -
>>> .../linux-5.15-wifi-security-patches-10.patch |   98 --
>>> .../linux-5.15-wifi-security-patches-11.patch |   96 --
>>> .../linux-5.15-wifi-security-patches-12.patch | 1179 -----------------
>>> .../linux-5.15-wifi-security-patches-13.patch |  130 --
>>> .../linux-5.15-wifi-security-patches-14.patch |  107 --
>>> .../linux-5.15-wifi-security-patches-2.patch  |   59 -
>>> .../linux-5.15-wifi-security-patches-3.patch  |   49 -
>>> .../linux-5.15-wifi-security-patches-4.patch  |   96 --
>>> .../linux-5.15-wifi-security-patches-5.patch  |   56 -
>>> .../linux-5.15-wifi-security-patches-6.patch  |   39 -
>>> .../linux-5.15-wifi-security-patches-7.patch  |   60 -
>>> .../linux-5.15-wifi-security-patches-8.patch  |   94 --
>>> .../linux-5.15-wifi-security-patches-9.patch  |  126 --
>>> 17 files changed, 10 insertions(+), 2259 deletions(-)
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-7.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.patch
>>> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.patch
>>> 
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>> index bb4655a99..b160322cf 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -1,6 +1,6 @@
>>> #
>>> # Automatically generated file; DO NOT EDIT.
>>> -# Linux/x86 5.15.68-ipfire Kernel Configuration
>>> +# Linux/x86 5.15.85-ipfire Kernel Configuration
>>> #
>>> CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.3.0"
>>> CONFIG_CC_IS_GCC=y
>>> @@ -1036,6 +1036,7 @@ CONFIG_INET_ESP=m
>>> CONFIG_INET_ESP_OFFLOAD=m
>>> # CONFIG_INET_ESPINTCP is not set
>>> CONFIG_INET_IPCOMP=m
>>> +CONFIG_INET_TABLE_PERTURB_ORDER=16
>> 
>> Why didn’t this change in the other architectures’ configuration files?
>> 
>> This hardly looks like an architecture-dependent configuration option to me.
> 
> ah, this is because I only intended to update the ARM configuration files in one
> go in this patchset (#21/21). If it's okay with you, I would like to merge this patch
> for Core Update 173 nevertheless, and conduct the necessary config/rootfile updates
> for ARM manually.

I don’t think it is generally a good idea to just update x86_64 and then update the rest accordingly. We will always miss out on some things.

-Michael

> 
> Thanks, and best regards,
> Peter Müller
> 
>> 
>>> CONFIG_INET_XFRM_TUNNEL=m
>>> CONFIG_INET_TUNNEL=m
>>> CONFIG_INET_DIAG=m
>>> @@ -7393,6 +7394,8 @@ CONFIG_SYMBOLIC_ERRNAME=y
>>> CONFIG_DEBUG_BUGVERBOSE=y
>>> # end of printk and dmesg options
>>> 
>>> +CONFIG_AS_HAS_NON_CONST_LEB128=y
>> 
>> This looks more arch-dependent.
>> 
>>> +
>>> #
>>> # Compile-time checks and compiler options
>>> #
>>> diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
>>> index 518230b39..d71fa4142 100644
>>> --- a/config/rootfiles/common/x86_64/linux
>>> +++ b/config/rootfiles/common/x86_64/linux
>>> @@ -6525,6 +6525,7 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/ASYNC_TX_DMA
>>> #lib/modules/KVER-ipfire/build/include/config/ASYNC_XOR
>>> #lib/modules/KVER-ipfire/build/include/config/AS_AVX512
>>> +#lib/modules/KVER-ipfire/build/include/config/AS_HAS_NON_CONST_LEB128
>>> #lib/modules/KVER-ipfire/build/include/config/AS_IS_GNU
>>> #lib/modules/KVER-ipfire/build/include/config/AS_SHA1_NI
>>> #lib/modules/KVER-ipfire/build/include/config/AS_SHA256_NI
>>> @@ -6668,8 +6669,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/BITREVERSE
>>> #lib/modules/KVER-ipfire/build/include/config/BLK_CGROUP
>>> #lib/modules/KVER-ipfire/build/include/config/BLK_CGROUP_RWSTAT
>>> -#lib/modules/KVER-ipfire/build/include/config/BLK_DEBUG_FS
>>> -#lib/modules/KVER-ipfire/build/include/config/BLK_DEBUG_FS_ZONED
>>> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV
>>> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_3W_XXXX_RAID
>>> #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_BSG
>>> @@ -7089,8 +7088,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/DE2104X_DSL
>>> #lib/modules/KVER-ipfire/build/include/config/DE4X5
>>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_BUGVERBOSE
>>> -#lib/modules/KVER-ipfire/build/include/config/DEBUG_FS
>>> -#lib/modules/KVER-ipfire/build/include/config/DEBUG_FS_ALLOW_ALL
>>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL
>>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC
>>> #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX
>>> @@ -7422,7 +7419,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/DW_XDATA_PCIE
>>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG
>>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG_CORE
>>> -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_EVENTS
>>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE
>>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_ARGS
>>> #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_DIRECT_CALLS
>>> @@ -8024,6 +8020,7 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/INET_IPCOMP
>>> #lib/modules/KVER-ipfire/build/include/config/INET_RAW_DIAG
>>> #lib/modules/KVER-ipfire/build/include/config/INET_SCTP_DIAG
>>> +#lib/modules/KVER-ipfire/build/include/config/INET_TABLE_PERTURB_ORDER
>>> #lib/modules/KVER-ipfire/build/include/config/INET_TCP_DIAG
>>> #lib/modules/KVER-ipfire/build/include/config/INET_TUNNEL
>>> #lib/modules/KVER-ipfire/build/include/config/INET_UDP_DIAG
>>> @@ -8424,7 +8421,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/LOCKUP_DETECTOR
>>> #lib/modules/KVER-ipfire/build/include/config/LOCK_DEBUGGING_SUPPORT
>>> #lib/modules/KVER-ipfire/build/include/config/LOCK_DOWN_KERNEL_FORCE_NONE
>>> -#lib/modules/KVER-ipfire/build/include/config/LOCK_EVENT_COUNTS
>>> #lib/modules/KVER-ipfire/build/include/config/LOCK_SPIN_ON_OWNER
>>> #lib/modules/KVER-ipfire/build/include/config/LOGO
>>> #lib/modules/KVER-ipfire/build/include/config/LOGO_LINUX_CLUT224
>>> @@ -9490,7 +9486,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/PRINTER
>>> #lib/modules/KVER-ipfire/build/include/config/PRINTK
>>> #lib/modules/KVER-ipfire/build/include/config/PRINTK_SAFE_LOG_BUF_SHIFT
>>> -#lib/modules/KVER-ipfire/build/include/config/PROBE_EVENTS
>>> #lib/modules/KVER-ipfire/build/include/config/PROC_EVENTS
>>> #lib/modules/KVER-ipfire/build/include/config/PROC_FS
>>> #lib/modules/KVER-ipfire/build/include/config/PROC_PAGE_MONITOR
>>> @@ -9848,7 +9843,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SCAN_ASYNC
>>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SMARTPQI
>>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SNIC
>>> -#lib/modules/KVER-ipfire/build/include/config/SCSI_SNIC_DEBUG_FS
>>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SPI_ATTRS
>>> #lib/modules/KVER-ipfire/build/include/config/SCSI_SRP_ATTRS
>>> #lib/modules/KVER-ipfire/build/include/config/SCSI_STEX
>>> @@ -10385,7 +10379,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/SWIOTLB
>>> #lib/modules/KVER-ipfire/build/include/config/SWIOTLB_XEN
>>> #lib/modules/KVER-ipfire/build/include/config/SWPHY
>>> -#lib/modules/KVER-ipfire/build/include/config/SW_SYNC
>>> #lib/modules/KVER-ipfire/build/include/config/SXGBE_ETH
>>> #lib/modules/KVER-ipfire/build/include/config/SYMBOLIC_ERRNAME
>>> #lib/modules/KVER-ipfire/build/include/config/SYNCLINK_GT
>>> @@ -10533,8 +10526,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/UNIX_DIAG
>>> #lib/modules/KVER-ipfire/build/include/config/UNIX_SCM
>>> #lib/modules/KVER-ipfire/build/include/config/UNWINDER_ORC
>>> -#lib/modules/KVER-ipfire/build/include/config/UPROBES
>>> -#lib/modules/KVER-ipfire/build/include/config/UPROBE_EVENTS
>>> #lib/modules/KVER-ipfire/build/include/config/USB
>>> #lib/modules/KVER-ipfire/build/include/config/USBIP_CORE
>>> #lib/modules/KVER-ipfire/build/include/config/USBIP_HOST
>>> @@ -11105,7 +11096,6 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_BLKDEV_BACKEND
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_BLKDEV_FRONTEND
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_COMPAT_XENFS
>>> -#lib/modules/KVER-ipfire/build/include/config/XEN_DEBUG_FS
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_DEV_EVTCHN
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_DOM0
>>> #lib/modules/KVER-ipfire/build/include/config/XEN_EFI
>>> @@ -16866,6 +16856,8 @@ etc/modprobe.d/ipv6.conf
>>> #lib/modules/KVER-ipfire/build/init
>>> #lib/modules/KVER-ipfire/build/init/Kconfig
>>> #lib/modules/KVER-ipfire/build/init/Makefile
>>> +#lib/modules/KVER-ipfire/build/io_uring
>>> +#lib/modules/KVER-ipfire/build/io_uring/Makefile
>>> #lib/modules/KVER-ipfire/build/ipc
>>> #lib/modules/KVER-ipfire/build/ipc/Makefile
>>> #lib/modules/KVER-ipfire/build/kernel
>>> diff --git a/lfs/linux b/lfs/linux
>>> index b628307fd..59238049c 100644
>>> --- a/lfs/linux
>>> +++ b/lfs/linux
>>> @@ -24,7 +24,7 @@
>>> 
>>> include Config
>>> 
>>> -VER         = 5.15.71
>>> +VER         = 5.15.85
>>> ARM_PATCHES = 5.15-ipfire5
>>> 
>>> THISAPP    = linux-$(VER)
>>> @@ -78,7 +78,7 @@ objects =$(DL_FILE) \
>>> $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE)
>>> arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
>>> 
>>> -$(DL_FILE)_BLAKE2 = 77da2393a31b6c6fed7cdfef61a112ae49fcdfce96968daf8c7a690a6e65025c7238c1fe084d0bfda403dc56db877b6db99def12803e840cacf318da40327d7b
>>> +$(DL_FILE)_BLAKE2 = 481cea334dee4146d72704ecb88f654bd38ca62a5a28540f365a57f5cd522551c4b7f854c09380ec614098a9efa5dff4cef70c9cafe6277a410d3d2099eca1cc
>>> arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 58a70e757a9121a0aac83604a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165c6a86e0371a3e896f4c7cdd699c34a0
>>> 
>>> install : $(TARGET)
>>> @@ -146,11 +146,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>> # https://bugzilla.ipfire.org/show_bug.cgi?id=12889
>>> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
>>> 
>>> - # https://lists.ipfire.org/pipermail/development/2022-October/014562.html
>>> - for i in $$(seq 1 14); do \
>>> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-wifi-security-patches-$$i.patch || exit 1; \
>>> - done
>>> -
>>> ifeq "$(BUILD_ARCH)" "armv6l"
>>> # Apply Arm-multiarch kernel patches.
>>> cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
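Review bot: The removed `for i in $$(seq 1 14)` loop was the only place the wifi security patches (among them the fixes for CVE-2022-41674 and CVE-2022-42722) were applied, and neither this hunk nor the commit message records that 5.15.85 already contains all 14. The deleted patch files each carry a `commit … upstream.` line and a stable-maintainer sign-off, so they are presumably stable backports included in the newer 5.15.y release, but that is inferred rather than shown here. I would add a line to the commit message such as `The wifi security patches are dropped because 5.15.85 includes all 14 of them`, after checking each upstream commit id against the new source tree. The $(TARGET) recipe this hunk sits in starts and ends outside the hunk.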
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-1.patch b/src/patches/linux/linux-5.15-wifi-security-patches-1.patch
>>> deleted file mode 100644
>>> index b646eea49..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-1.patch
>>> +++ /dev/null
>>> @@ -1,50 +0,0 @@
>>> -From 9a8ef2030510a9d6ce86fd535b8d10720230811f Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Wed, 28 Sep 2022 21:56:15 +0200
>>> -Subject: [PATCH] wifi: cfg80211: fix u8 overflow in
>>> - cfg80211_update_notlisted_nontrans()
>>> -
>>> -commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
>>> -
>>> -In the copy code of the elements, we do the following calculation
>>> -to reach the end of the MBSSID element:
>>> -
>>> - /* copy the IEs after MBSSID */
>>> - cpy_len = mbssid[1] + 2;
>>> -
>>> -This looks fine, however, cpy_len is a u8, the same as mbssid[1],
>>> -so the addition of two can overflow. In this case the subsequent
>>> -memcpy() will overflow the allocated buffer, since it copies 256
>>> -bytes too much due to the way the allocation and memcpy() sizes
>>> -are calculated.
>>> -
>>> -Fix this by using size_t for the cpy_len variable.
>>> -
>>> -This fixes CVE-2022-41674.
>>> -
>>> -Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
>>> -Reviewed-by: Kees Cook <keescook@chromium.org>
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/wireless/scan.c | 2 +-
>>> - 1 file changed, 1 insertion(+), 1 deletion(-)
>>> -
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index 1a8b76c9dd56..d9ab37a798f4 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
>>> - size_t new_ie_len;
>>> - struct cfg80211_bss_ies *new_ies;
>>> - const struct cfg80211_bss_ies *old;
>>> -- u8 cpy_len;
>>> -+ size_t cpy_len;
>>> - 
>>> - lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
>>> - 
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-10.patch b/src/patches/linux/linux-5.15-wifi-security-patches-10.patch
>>> deleted file mode 100644
>>> index 51986afe7..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-10.patch
>>> +++ /dev/null
>>> @@ -1,98 +0,0 @@
>>> -From 21df3a583e8e03d8f74fa2eedbcd7a2b3f5cabc1 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Thu, 13 Oct 2022 20:15:57 +0200
>>> -Subject: [PATCH] mac80211: move CRC into struct ieee802_11_elems
>>> -
>>> -commit c6e37ed498f958254b5459253199e816b6bfc52f upstream.
>>> -
>>> -We're currently returning this value, but to prepare for
>>> -returning the allocated structure, move it into there.
>>> -
>>> -Link: https://lore.kernel.org/r/20210920154009.479b8ebf999d.If0d4ba75ee38998dc3eeae25058aa748efcb2fc9@changeid
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Cc: Felix Fietkau <nbd@nbd.name>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/mac80211/ieee80211_i.h |  9 +++++----
>>> - net/mac80211/mlme.c        |  9 +++++----
>>> - net/mac80211/util.c        | 10 +++++-----
>>> - 3 files changed, 15 insertions(+), 13 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>>> -index 4bd55af184b2..5ea38ae65809 100644
>>> ---- a/net/mac80211/ieee80211_i.h
>>> -+++ b/net/mac80211/ieee80211_i.h
>>> -@@ -1532,6 +1532,7 @@ struct ieee80211_csa_ie {
>>> - struct ieee802_11_elems {
>>> - const u8 *ie_start;
>>> - size_t total_len;
>>> -+ u32 crc;
>>> - 
>>> - /* pointers to IEs */
>>> - const struct ieee80211_tdls_lnkie *lnk_id;
>>> -@@ -2218,10 +2219,10 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
>>> - ieee80211_tx_skb_tid(sdata, skb, 7);
>>> - }
>>> - 
>>> --u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>>> --       struct ieee802_11_elems *elems,
>>> --       u64 filter, u32 crc, u8 *transmitter_bssid,
>>> --       u8 *bss_bssid);
>>> -+void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>>> -+ struct ieee802_11_elems *elems,
>>> -+ u64 filter, u32 crc, u8 *transmitter_bssid,
>>> -+ u8 *bss_bssid);
>>> - static inline void ieee802_11_parse_elems(const u8 *start, size_t len,
>>> -  bool action,
>>> -  struct ieee802_11_elems *elems,
>>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
>>> -index 1548f532dc1a..4414e82e71d1 100644
>>> ---- a/net/mac80211/mlme.c
>>> -+++ b/net/mac80211/mlme.c
>>> -@@ -4102,10 +4102,11 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - */
>>> - if (!ieee80211_is_s1g_beacon(hdr->frame_control))
>>> - ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
>>> -- ncrc = ieee802_11_parse_elems_crc(variable,
>>> --  len - baselen, false, &elems,
>>> --  care_about_ies, ncrc,
>>> --  mgmt->bssid, bssid);
>>> -+ ieee802_11_parse_elems_crc(variable,
>>> -+   len - baselen, false, &elems,
>>> -+   care_about_ies, ncrc,
>>> -+   mgmt->bssid, bssid);
>>> -+ ncrc = elems.crc;
>>> - 
>>> - if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
>>> -    ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) {
>>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>>> -index 00543ea9c6b5..ceb6894381e4 100644
>>> ---- a/net/mac80211/util.c
>>> -+++ b/net/mac80211/util.c
>>> -@@ -1468,10 +1468,10 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
>>> - return found ? profile_len : 0;
>>> - }
>>> - 
>>> --u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>>> --       struct ieee802_11_elems *elems,
>>> --       u64 filter, u32 crc, u8 *transmitter_bssid,
>>> --       u8 *bss_bssid)
>>> -+void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>>> -+ struct ieee802_11_elems *elems,
>>> -+ u64 filter, u32 crc, u8 *transmitter_bssid,
>>> -+ u8 *bss_bssid)
>>> - {
>>> - const struct element *non_inherit = NULL;
>>> - u8 *nontransmitted_profile;
>>> -@@ -1523,7 +1523,7 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>>> - 
>>> - kfree(nontransmitted_profile);
>>> - 
>>> -- return crc;
>>> -+ elems->crc = crc;
>>> - }
>>> - 
>>> - void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-11.patch b/src/patches/linux/linux-5.15-wifi-security-patches-11.patch
>>> deleted file mode 100644
>>> index ae639c696..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-11.patch
>>> +++ /dev/null
>>> @@ -1,96 +0,0 @@
>>> -From 630060f1175676b9cb3a032767f20dbce93616c9 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Thu, 13 Oct 2022 20:15:58 +0200
>>> -Subject: [PATCH] mac80211: mlme: find auth challenge directly
>>> -
>>> -commit 49a765d6785e99157ff5091cc37485732496864e upstream.
>>> -
>>> -There's no need to parse all elements etc. just to find the
>>> -authentication challenge - use cfg80211_find_elem() instead.
>>> -This also allows us to remove WLAN_EID_CHALLENGE handling
>>> -from the element parsing entirely.
>>> -
>>> -Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Cc: Felix Fietkau <nbd@nbd.name>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/mac80211/ieee80211_i.h |  2 --
>>> - net/mac80211/mlme.c        | 11 ++++++-----
>>> - net/mac80211/util.c        |  4 ----
>>> - 3 files changed, 6 insertions(+), 11 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>>> -index 5ea38ae65809..c5f0ff805010 100644
>>> ---- a/net/mac80211/ieee80211_i.h
>>> -+++ b/net/mac80211/ieee80211_i.h
>>> -@@ -1542,7 +1542,6 @@ struct ieee802_11_elems {
>>> - const u8 *supp_rates;
>>> - const u8 *ds_params;
>>> - const struct ieee80211_tim_ie *tim;
>>> -- const u8 *challenge;
>>> - const u8 *rsn;
>>> - const u8 *rsnx;
>>> - const u8 *erp_info;
>>> -@@ -1596,7 +1595,6 @@ struct ieee802_11_elems {
>>> - u8 ssid_len;
>>> - u8 supp_rates_len;
>>> - u8 tim_len;
>>> -- u8 challenge_len;
>>> - u8 rsn_len;
>>> - u8 rsnx_len;
>>> - u8 ext_supp_rates_len;
>>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
>>> -index 4414e82e71d1..548cd14c5503 100644
>>> ---- a/net/mac80211/mlme.c
>>> -+++ b/net/mac80211/mlme.c
>>> -@@ -2889,17 +2889,17 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
>>> - {
>>> - struct ieee80211_local *local = sdata->local;
>>> - struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
>>> -+ const struct element *challenge;
>>> - u8 *pos;
>>> -- struct ieee802_11_elems elems;
>>> - u32 tx_flags = 0;
>>> - struct ieee80211_prep_tx_info info = {
>>> - .subtype = IEEE80211_STYPE_AUTH,
>>> - };
>>> - 
>>> - pos = mgmt->u.auth.variable;
>>> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
>>> --       mgmt->bssid, auth_data->bss->bssid);
>>> -- if (!elems.challenge)
>>> -+ challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos,
>>> -+       len - (pos - (u8 *)mgmt));
>>> -+ if (!challenge)
>>> - return;
>>> - auth_data->expected_transaction = 4;
>>> - drv_mgd_prepare_tx(sdata->local, sdata, &info);
>>> -@@ -2907,7 +2907,8 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
>>> - tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
>>> -   IEEE80211_TX_INTFL_MLME_CONN_TX;
>>> - ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
>>> --    elems.challenge - 2, elems.challenge_len + 2,
>>> -+    (void *)challenge,
>>> -+    challenge->datalen + sizeof(*challenge),
>>> -    auth_data->bss->bssid, auth_data->bss->bssid,
>>> -    auth_data->key, auth_data->key_len,
>>> -    auth_data->key_idx, tx_flags);
>>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>>> -index ceb6894381e4..664c32b6db19 100644
>>> ---- a/net/mac80211/util.c
>>> -+++ b/net/mac80211/util.c
>>> -@@ -1117,10 +1117,6 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>>> - } else
>>> - elem_parse_failed = true;
>>> - break;
>>> -- case WLAN_EID_CHALLENGE:
>>> -- elems->challenge = pos;
>>> -- elems->challenge_len = elen;
>>> -- break;
>>> - case WLAN_EID_VENDOR_SPECIFIC:
>>> - if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
>>> -    pos[2] == 0xf2) {
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-12.patch b/src/patches/linux/linux-5.15-wifi-security-patches-12.patch
>>> deleted file mode 100644
>>> index 4dea89e4c..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-12.patch
>>> +++ /dev/null
>>> @@ -1,1179 +0,0 @@
>>> -From fee48f3bdd7516bb63da507213916227cf147211 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Thu, 13 Oct 2022 20:15:59 +0200
>>> -Subject: [PATCH] mac80211: always allocate struct ieee802_11_elems
>>> -
>>> -As the 802.11 spec evolves, we need to parse more and more
>>> -elements. This is causing the struct to grow, and we can no
>>> -longer get away with putting it on the stack.
>>> -
>>> -Change the API to always dynamically allocate and return an
>>> -allocated pointer that must be kfree()d later.
>>> -
>>> -As an alternative, I contemplated a scheme whereby we'd say
>>> -in the code which elements we needed, e.g.
>>> -
>>> -    DECLARE_ELEMENT_PARSER(elems,
>>> -                           SUPPORTED_CHANNELS,
>>> -                           CHANNEL_SWITCH,
>>> -                           EXT(KEY_DELIVERY));
>>> -
>>> -    ieee802_11_parse_elems(..., &elems, ...);
>>> -
>>> -and while I think this is possible and will save us a lot
>>> -since most individual places only care about a small subset
>>> -of the elements, it ended up being a bit more work since a
>>> -lot of places do the parsing and then pass the struct to
>>> -other functions, sometimes with multiple levels.
>>> -
>>> -Link: https://lore.kernel.org/r/20210920154009.26caff6b5998.I05ae58768e990e611aee8eca8abefd9d7bc15e05@changeid
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Cc: Felix Fietkau <nbd@nbd.name>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/mac80211/agg-rx.c      |  11 +--
>>> - net/mac80211/ibss.c        |  25 +++---
>>> - net/mac80211/ieee80211_i.h |  22 ++---
>>> - net/mac80211/mesh.c        |  85 ++++++++++--------
>>> - net/mac80211/mesh_hwmp.c   |  44 +++++-----
>>> - net/mac80211/mesh_plink.c  |  11 +--
>>> - net/mac80211/mlme.c        | 176 +++++++++++++++++++++----------------
>>> - net/mac80211/scan.c        |  16 ++--
>>> - net/mac80211/tdls.c        |  63 +++++++------
>>> - net/mac80211/util.c        |  20 +++--
>>> - 10 files changed, 272 insertions(+), 201 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
>>> -index e43176794149..ffa4f31f6c2b 100644
>>> ---- a/net/mac80211/agg-rx.c
>>> -+++ b/net/mac80211/agg-rx.c
>>> -@@ -478,7 +478,7 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
>>> -     size_t len)
>>> - {
>>> - u16 capab, tid, timeout, ba_policy, buf_size, start_seq_num;
>>> -- struct ieee802_11_elems elems = { };
>>> -+ struct ieee802_11_elems *elems = NULL;
>>> - u8 dialog_token;
>>> - int ies_len;
>>> - 
>>> -@@ -496,16 +496,17 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
>>> - ies_len = len - offsetof(struct ieee80211_mgmt,
>>> - u.action.u.addba_req.variable);
>>> - if (ies_len) {
>>> -- ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
>>> --                                ies_len, true, &elems, mgmt->bssid, NULL);
>>> -- if (elems.parse_error)
>>> -+ elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
>>> -+       ies_len, true, mgmt->bssid, NULL);
>>> -+ if (!elems || elems->parse_error)
>>> - return;
>>> - }
>>> - 
>>> - __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
>>> - start_seq_num, ba_policy, tid,
>>> - buf_size, true, false,
>>> -- elems.addba_ext_ie);
>>> -+ elems ? elems->addba_ext_ie : NULL);
>>> -+ kfree(elems);
>>> - }
>>> - 
>>> - void ieee80211_manage_rx_ba_offl(struct ieee80211_vif *vif,
>>> -diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
>>> -index 1e133ca58e78..4b721b48f86a 100644
>>> ---- a/net/mac80211/ibss.c
>>> -+++ b/net/mac80211/ibss.c
>>> -@@ -9,7 +9,7 @@
>>> -  * Copyright 2009, Johannes Berg <johannes@sipsolutions.net>
>>> -  * Copyright 2013-2014  Intel Mobile Communications GmbH
>>> -  * Copyright(c) 2016 Intel Deutschland GmbH
>>> -- * Copyright(c) 2018-2020 Intel Corporation
>>> -+ * Copyright(c) 2018-2021 Intel Corporation
>>> -  */
>>> - 
>>> - #include <linux/delay.h>
>>> -@@ -1593,7 +1593,7 @@ void ieee80211_rx_mgmt_probe_beacon(struct ieee80211_sub_if_data *sdata,
>>> -    struct ieee80211_rx_status *rx_status)
>>> - {
>>> - size_t baselen;
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - 
>>> - BUILD_BUG_ON(offsetof(typeof(mgmt->u.probe_resp), variable) !=
>>> -     offsetof(typeof(mgmt->u.beacon), variable));
>>> -@@ -1606,10 +1606,14 @@ void ieee80211_rx_mgmt_probe_beacon(struct ieee80211_sub_if_data *sdata,
>>> - if (baselen > len)
>>> - return;
>>> - 
>>> -- ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
>>> --       false, &elems, mgmt->bssid, NULL);
>>> -+ elems = ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
>>> -+       len - baselen, false,
>>> -+       mgmt->bssid, NULL);
>>> - 
>>> -- ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems);
>>> -+ if (elems) {
>>> -+ ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, elems);
>>> -+ kfree(elems);
>>> -+ }
>>> - }
>>> - 
>>> - void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>>> -@@ -1618,7 +1622,7 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>>> - struct ieee80211_rx_status *rx_status;
>>> - struct ieee80211_mgmt *mgmt;
>>> - u16 fc;
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - int ies_len;
>>> - 
>>> - rx_status = IEEE80211_SKB_RXCB(skb);
>>> -@@ -1655,15 +1659,16 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>>> - if (ies_len < 0)
>>> - break;
>>> - 
>>> -- ieee802_11_parse_elems(
>>> -+ elems = ieee802_11_parse_elems(
>>> - mgmt->u.action.u.chan_switch.variable,
>>> -- ies_len, true, &elems, mgmt->bssid, NULL);
>>> -+ ies_len, true, mgmt->bssid, NULL);
>>> - 
>>> -- if (elems.parse_error)
>>> -+ if (!elems || elems->parse_error)
>>> - break;
>>> - 
>>> - ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
>>> -- rx_status, &elems);
>>> -+ rx_status, elems);
>>> -+ kfree(elems);
>>> - break;
>>> - }
>>> - }
>>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>>> -index c5f0ff805010..3633e49239c7 100644
>>> ---- a/net/mac80211/ieee80211_i.h
>>> -+++ b/net/mac80211/ieee80211_i.h
>>> -@@ -2217,18 +2217,18 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
>>> - ieee80211_tx_skb_tid(sdata, skb, 7);
>>> - }
>>> - 
>>> --void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>>> -- struct ieee802_11_elems *elems,
>>> -- u64 filter, u32 crc, u8 *transmitter_bssid,
>>> -- u8 *bss_bssid);
>>> --static inline void ieee802_11_parse_elems(const u8 *start, size_t len,
>>> --  bool action,
>>> --  struct ieee802_11_elems *elems,
>>> --  u8 *transmitter_bssid,
>>> --  u8 *bss_bssid)
>>> -+struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
>>> -+    bool action,
>>> -+    u64 filter, u32 crc,
>>> -+    const u8 *transmitter_bssid,
>>> -+    const u8 *bss_bssid);
>>> -+static inline struct ieee802_11_elems *
>>> -+ieee802_11_parse_elems(const u8 *start, size_t len, bool action,
>>> -+       const u8 *transmitter_bssid,
>>> -+       const u8 *bss_bssid)
>>> - {
>>> -- ieee802_11_parse_elems_crc(start, len, action, elems, 0, 0,
>>> --   transmitter_bssid, bss_bssid);
>>> -+ return ieee802_11_parse_elems_crc(start, len, action, 0, 0,
>>> -+  transmitter_bssid, bss_bssid);
>>> - }
>>> - 
>>> - 
>>> -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
>>> -index 9f6414a68d71..6847fdf93439 100644
>>> ---- a/net/mac80211/mesh.c
>>> -+++ b/net/mac80211/mesh.c
>>> -@@ -1247,7 +1247,7 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
>>> - struct sk_buff *presp;
>>> - struct beacon_data *bcn;
>>> - struct ieee80211_mgmt *hdr;
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - size_t baselen;
>>> - u8 *pos;
>>> - 
>>> -@@ -1256,22 +1256,24 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
>>> - if (baselen > len)
>>> - return;
>>> - 
>>> -- ieee802_11_parse_elems(pos, len - baselen, false, &elems, mgmt->bssid,
>>> --       NULL);
>>> --
>>> -- if (!elems.mesh_id)
>>> -+ elems = ieee802_11_parse_elems(pos, len - baselen, false, mgmt->bssid,
>>> -+       NULL);
>>> -+ if (!elems)
>>> - return;
>>> - 
>>> -+ if (!elems->mesh_id)
>>> -+ goto free;
>>> -+
>>> - /* 802.11-2012 10.1.4.3.2 */
>>> - if ((!ether_addr_equal(mgmt->da, sdata->vif.addr) &&
>>> -     !is_broadcast_ether_addr(mgmt->da)) ||
>>> --    elems.ssid_len != 0)
>>> -- return;
>>> -+    elems->ssid_len != 0)
>>> -+ goto free;
>>> - 
>>> -- if (elems.mesh_id_len != 0 &&
>>> --    (elems.mesh_id_len != ifmsh->mesh_id_len ||
>>> --     memcmp(elems.mesh_id, ifmsh->mesh_id, ifmsh->mesh_id_len)))
>>> -- return;
>>> -+ if (elems->mesh_id_len != 0 &&
>>> -+    (elems->mesh_id_len != ifmsh->mesh_id_len ||
>>> -+     memcmp(elems->mesh_id, ifmsh->mesh_id, ifmsh->mesh_id_len)))
>>> -+ goto free;
>>> - 
>>> - rcu_read_lock();
>>> - bcn = rcu_dereference(ifmsh->beacon);
>>> -@@ -1295,6 +1297,8 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
>>> - ieee80211_tx_skb(sdata, presp);
>>> - out:
>>> - rcu_read_unlock();
>>> -+free:
>>> -+ kfree(elems);
>>> - }
>>> - 
>>> - static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>>> -@@ -1305,7 +1309,7 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>>> - {
>>> - struct ieee80211_local *local = sdata->local;
>>> - struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - struct ieee80211_channel *channel;
>>> - size_t baselen;
>>> - int freq;
>>> -@@ -1320,42 +1324,47 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>>> - if (baselen > len)
>>> - return;
>>> - 
>>> -- ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
>>> --       false, &elems, mgmt->bssid, NULL);
>>> -+ elems = ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
>>> -+       len - baselen,
>>> -+       false, mgmt->bssid, NULL);
>>> -+ if (!elems)
>>> -+ return;
>>> - 
>>> - /* ignore non-mesh or secure / unsecure mismatch */
>>> -- if ((!elems.mesh_id || !elems.mesh_config) ||
>>> --    (elems.rsn && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) ||
>>> --    (!elems.rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE))
>>> -- return;
>>> -+ if ((!elems->mesh_id || !elems->mesh_config) ||
>>> -+    (elems->rsn && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) ||
>>> -+    (!elems->rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE))
>>> -+ goto free;
>>> - 
>>> -- if (elems.ds_params)
>>> -- freq = ieee80211_channel_to_frequency(elems.ds_params[0], band);
>>> -+ if (elems->ds_params)
>>> -+ freq = ieee80211_channel_to_frequency(elems->ds_params[0], band);
>>> - else
>>> - freq = rx_status->freq;
>>> - 
>>> - channel = ieee80211_get_channel(local->hw.wiphy, freq);
>>> - 
>>> - if (!channel || channel->flags & IEEE80211_CHAN_DISABLED)
>>> -- return;
>>> -+ goto free;
>>> - 
>>> -- if (mesh_matches_local(sdata, &elems)) {
>>> -+ if (mesh_matches_local(sdata, elems)) {
>>> - mpl_dbg(sdata, "rssi_threshold=%d,rx_status->signal=%d\n",
>>> - sdata->u.mesh.mshcfg.rssi_threshold, rx_status->signal);
>>> - if (!sdata->u.mesh.user_mpm ||
>>> -    sdata->u.mesh.mshcfg.rssi_threshold == 0 ||
>>> -    sdata->u.mesh.mshcfg.rssi_threshold < rx_status->signal)
>>> -- mesh_neighbour_update(sdata, mgmt->sa, &elems,
>>> -+ mesh_neighbour_update(sdata, mgmt->sa, elems,
>>> -      rx_status);
>>> - 
>>> - if (ifmsh->csa_role != IEEE80211_MESH_CSA_ROLE_INIT &&
>>> -    !sdata->vif.csa_active)
>>> -- ieee80211_mesh_process_chnswitch(sdata, &elems, true);
>>> -+ ieee80211_mesh_process_chnswitch(sdata, elems, true);
>>> - }
>>> - 
>>> - if (ifmsh->sync_ops)
>>> - ifmsh->sync_ops->rx_bcn_presp(sdata, stype, mgmt, len,
>>> --      elems.mesh_config, rx_status);
>>> -+      elems->mesh_config, rx_status);
>>> -+free:
>>> -+ kfree(elems);
>>> - }
>>> - 
>>> - int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
>>> -@@ -1447,7 +1456,7 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
>>> -      struct ieee80211_mgmt *mgmt, size_t len)
>>> - {
>>> - struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - u16 pre_value;
>>> - bool fwd_csa = true;
>>> - size_t baselen;
>>> -@@ -1460,33 +1469,37 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
>>> - pos = mgmt->u.action.u.chan_switch.variable;
>>> - baselen = offsetof(struct ieee80211_mgmt,
>>> -   u.action.u.chan_switch.variable);
>>> -- ieee802_11_parse_elems(pos, len - baselen, true, &elems,
>>> --       mgmt->bssid, NULL);
>>> --
>>> -- if (!mesh_matches_local(sdata, &elems))
>>> -+ elems = ieee802_11_parse_elems(pos, len - baselen, true,
>>> -+       mgmt->bssid, NULL);
>>> -+ if (!elems)
>>> - return;
>>> - 
>>> -- ifmsh->chsw_ttl = elems.mesh_chansw_params_ie->mesh_ttl;
>>> -+ if (!mesh_matches_local(sdata, elems))
>>> -+ goto free;
>>> -+
>>> -+ ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
>>> - if (!--ifmsh->chsw_ttl)
>>> - fwd_csa = false;
>>> - 
>>> -- pre_value = le16_to_cpu(elems.mesh_chansw_params_ie->mesh_pre_value);
>>> -+ pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
>>> - if (ifmsh->pre_value >= pre_value)
>>> -- return;
>>> -+ goto free;
>>> - 
>>> - ifmsh->pre_value = pre_value;
>>> - 
>>> - if (!sdata->vif.csa_active &&
>>> --    !ieee80211_mesh_process_chnswitch(sdata, &elems, false)) {
>>> -+    !ieee80211_mesh_process_chnswitch(sdata, elems, false)) {
>>> - mcsa_dbg(sdata, "Failed to process CSA action frame");
>>> -- return;
>>> -+ goto free;
>>> - }
>>> - 
>>> - /* forward or re-broadcast the CSA frame */
>>> - if (fwd_csa) {
>>> -- if (mesh_fwd_csa_frame(sdata, mgmt, len, &elems) < 0)
>>> -+ if (mesh_fwd_csa_frame(sdata, mgmt, len, elems) < 0)
>>> - mcsa_dbg(sdata, "Failed to forward the CSA frame");
>>> - }
>>> -+free:
>>> -+ kfree(elems);
>>> - }
>>> - 
>>> - static void ieee80211_mesh_rx_mgmt_action(struct ieee80211_sub_if_data *sdata,
>>> -diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
>>> -index a05b615deb51..44a6fdb6efbd 100644
>>> ---- a/net/mac80211/mesh_hwmp.c
>>> -+++ b/net/mac80211/mesh_hwmp.c
>>> -@@ -1,7 +1,7 @@
>>> - // SPDX-License-Identifier: GPL-2.0-only
>>> - /*
>>> -  * Copyright (c) 2008, 2009 open80211s Ltd.
>>> -- * Copyright (C) 2019 Intel Corporation
>>> -+ * Copyright (C) 2019, 2021 Intel Corporation
>>> -  * Author:     Luis Carlos Cobo <luisca@cozybit.com>
>>> -  */
>>> - 
>>> -@@ -908,7 +908,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
>>> - void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
>>> -    struct ieee80211_mgmt *mgmt, size_t len)
>>> - {
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - size_t baselen;
>>> - u32 path_metric;
>>> - struct sta_info *sta;
>>> -@@ -926,37 +926,41 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
>>> - rcu_read_unlock();
>>> - 
>>> - baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt;
>>> -- ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
>>> --       len - baselen, false, &elems, mgmt->bssid, NULL);
>>> -+ elems = ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
>>> -+       len - baselen, false, mgmt->bssid, NULL);
>>> -+ if (!elems)
>>> -+ return;
>>> - 
>>> -- if (elems.preq) {
>>> -- if (elems.preq_len != 37)
>>> -+ if (elems->preq) {
>>> -+ if (elems->preq_len != 37)
>>> - /* Right now we support just 1 destination and no AE */
>>> -- return;
>>> -- path_metric = hwmp_route_info_get(sdata, mgmt, elems.preq,
>>> -+ goto free;
>>> -+ path_metric = hwmp_route_info_get(sdata, mgmt, elems->preq,
>>> -  MPATH_PREQ);
>>> - if (path_metric)
>>> -- hwmp_preq_frame_process(sdata, mgmt, elems.preq,
>>> -+ hwmp_preq_frame_process(sdata, mgmt, elems->preq,
>>> - path_metric);
>>> - }
>>> -- if (elems.prep) {
>>> -- if (elems.prep_len != 31)
>>> -+ if (elems->prep) {
>>> -+ if (elems->prep_len != 31)
>>> - /* Right now we support no AE */
>>> -- return;
>>> -- path_metric = hwmp_route_info_get(sdata, mgmt, elems.prep,
>>> -+ goto free;
>>> -+ path_metric = hwmp_route_info_get(sdata, mgmt, elems->prep,
>>> -  MPATH_PREP);
>>> - if (path_metric)
>>> -- hwmp_prep_frame_process(sdata, mgmt, elems.prep,
>>> -+ hwmp_prep_frame_process(sdata, mgmt, elems->prep,
>>> - path_metric);
>>> - }
>>> -- if (elems.perr) {
>>> -- if (elems.perr_len != 15)
>>> -+ if (elems->perr) {
>>> -+ if (elems->perr_len != 15)
>>> - /* Right now we support only one destination per PERR */
>>> -- return;
>>> -- hwmp_perr_frame_process(sdata, mgmt, elems.perr);
>>> -+ goto free;
>>> -+ hwmp_perr_frame_process(sdata, mgmt, elems->perr);
>>> - }
>>> -- if (elems.rann)
>>> -- hwmp_rann_frame_process(sdata, mgmt, elems.rann);
>>> -+ if (elems->rann)
>>> -+ hwmp_rann_frame_process(sdata, mgmt, elems->rann);
>>> -+free:
>>> -+ kfree(elems);
>>> - }
>>> - 
>>> - /**
>>> -diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
>>> -index a6915847d78a..a829470dd59e 100644
>>> ---- a/net/mac80211/mesh_plink.c
>>> -+++ b/net/mac80211/mesh_plink.c
>>> -@@ -1,7 +1,7 @@
>>> - // SPDX-License-Identifier: GPL-2.0-only
>>> - /*
>>> -  * Copyright (c) 2008, 2009 open80211s Ltd.
>>> -- * Copyright (C) 2019 Intel Corporation
>>> -+ * Copyright (C) 2019, 2021 Intel Corporation
>>> -  * Author:     Luis Carlos Cobo <luisca@cozybit.com>
>>> -  */
>>> - #include <linux/gfp.h>
>>> -@@ -1200,7 +1200,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
>>> - struct ieee80211_mgmt *mgmt, size_t len,
>>> - struct ieee80211_rx_status *rx_status)
>>> - {
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - size_t baselen;
>>> - u8 *baseaddr;
>>> - 
>>> -@@ -1228,7 +1228,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
>>> - if (baselen > len)
>>> - return;
>>> - }
>>> -- ieee802_11_parse_elems(baseaddr, len - baselen, true, &elems,
>>> --       mgmt->bssid, NULL);
>>> -- mesh_process_plink_frame(sdata, mgmt, &elems, rx_status);
>>> -+ elems = ieee802_11_parse_elems(baseaddr, len - baselen, true,
>>> -+       mgmt->bssid, NULL);
>>> -+ mesh_process_plink_frame(sdata, mgmt, elems, rx_status);
>>> -+ kfree(elems);
>>> - }
>>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
>>> -index 548cd14c5503..45efa1d1c550 100644
>>> ---- a/net/mac80211/mlme.c
>>> -+++ b/net/mac80211/mlme.c
>>> -@@ -3317,8 +3317,11 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>>> - aid = 0; /* TODO */
>>> - }
>>> - capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
>>> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems,
>>> --       mgmt->bssid, assoc_data->bss->bssid);
>>> -+ elems = ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false,
>>> -+       mgmt->bssid, assoc_data->bss->bssid);
>>> -+
>>> -+ if (!elems)
>>> -+ return false;
>>> - 
>>> - if (elems->aid_resp)
>>> - aid = le16_to_cpu(elems->aid_resp->aid);
>>> -@@ -3340,7 +3343,8 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>>> - 
>>> - if (!is_s1g && !elems->supp_rates) {
>>> - sdata_info(sdata, "no SuppRates element in AssocResp\n");
>>> -- return false;
>>> -+ ret = false;
>>> -+ goto out;
>>> - }
>>> - 
>>> - sdata->vif.bss_conf.aid = aid;
>>> -@@ -3362,7 +3366,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>>> -     (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
>>> -      (!elems->vht_cap_elem || !elems->vht_operation)))) {
>>> - const struct cfg80211_bss_ies *ies;
>>> -- struct ieee802_11_elems bss_elems;
>>> -+ struct ieee802_11_elems *bss_elems;
>>> - 
>>> - rcu_read_lock();
>>> - ies = rcu_dereference(cbss->ies);
>>> -@@ -3373,13 +3377,17 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>>> - if (!bss_ies)
>>> - return false;
>>> - 
>>> -- ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
>>> --       false, &bss_elems,
>>> --       mgmt->bssid,
>>> --       assoc_data->bss->bssid);
>>> -+ bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
>>> -+   false, mgmt->bssid,
>>> -+   assoc_data->bss->bssid);
>>> -+ if (!bss_elems) {
>>> -+ ret = false;
>>> -+ goto out;
>>> -+ }
>>> -+
>>> - if (assoc_data->wmm &&
>>> --    !elems->wmm_param && bss_elems.wmm_param) {
>>> -- elems->wmm_param = bss_elems.wmm_param;
>>> -+    !elems->wmm_param && bss_elems->wmm_param) {
>>> -+ elems->wmm_param = bss_elems->wmm_param;
>>> - sdata_info(sdata,
>>> -   "AP bug: WMM param missing from AssocResp\n");
>>> - }
>>> -@@ -3388,30 +3396,32 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>>> - * Also check if we requested HT/VHT, otherwise the AP doesn't
>>> - * have to include the IEs in the (re)association response.
>>> - */
>>> -- if (!elems->ht_cap_elem && bss_elems.ht_cap_elem &&
>>> -+ if (!elems->ht_cap_elem && bss_elems->ht_cap_elem &&
>>> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
>>> -- elems->ht_cap_elem = bss_elems.ht_cap_elem;
>>> -+ elems->ht_cap_elem = bss_elems->ht_cap_elem;
>>> - sdata_info(sdata,
>>> -   "AP bug: HT capability missing from AssocResp\n");
>>> - }
>>> -- if (!elems->ht_operation && bss_elems.ht_operation &&
>>> -+ if (!elems->ht_operation && bss_elems->ht_operation &&
>>> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
>>> -- elems->ht_operation = bss_elems.ht_operation;
>>> -+ elems->ht_operation = bss_elems->ht_operation;
>>> - sdata_info(sdata,
>>> -   "AP bug: HT operation missing from AssocResp\n");
>>> - }
>>> -- if (!elems->vht_cap_elem && bss_elems.vht_cap_elem &&
>>> -+ if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
>>> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
>>> -- elems->vht_cap_elem = bss_elems.vht_cap_elem;
>>> -+ elems->vht_cap_elem = bss_elems->vht_cap_elem;
>>> - sdata_info(sdata,
>>> -   "AP bug: VHT capa missing from AssocResp\n");
>>> - }
>>> -- if (!elems->vht_operation && bss_elems.vht_operation &&
>>> -+ if (!elems->vht_operation && bss_elems->vht_operation &&
>>> -    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
>>> -- elems->vht_operation = bss_elems.vht_operation;
>>> -+ elems->vht_operation = bss_elems->vht_operation;
>>> - sdata_info(sdata,
>>> -   "AP bug: VHT operation missing from AssocResp\n");
>>> - }
>>> -+
>>> -+ kfree(bss_elems);
>>> - }
>>> - 
>>> - /*
>>> -@@ -3662,6 +3672,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>>> - 
>>> - ret = true;
>>> -  out:
>>> -+ kfree(elems);
>>> - kfree(bss_ies);
>>> - return ret;
>>> - }
>>> -@@ -3673,7 +3684,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
>>> - struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
>>> - struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
>>> - u16 capab_info, status_code, aid;
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - int ac, uapsd_queues = -1;
>>> - u8 *pos;
>>> - bool reassoc;
>>> -@@ -3730,14 +3741,16 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
>>> -    fils_decrypt_assoc_resp(sdata, (u8 *)mgmt, &len, assoc_data) < 0)
>>> - return;
>>> - 
>>> -- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
>>> --       mgmt->bssid, assoc_data->bss->bssid);
>>> -+ elems = ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false,
>>> -+       mgmt->bssid, assoc_data->bss->bssid);
>>> -+ if (!elems)
>>> -+ goto notify_driver;
>>> - 
>>> - if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
>>> --    elems.timeout_int &&
>>> --    elems.timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
>>> -+    elems->timeout_int &&
>>> -+    elems->timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
>>> - u32 tu, ms;
>>> -- tu = le32_to_cpu(elems.timeout_int->value);
>>> -+ tu = le32_to_cpu(elems->timeout_int->value);
>>> - ms = tu * 1024 / 1000;
>>> - sdata_info(sdata,
>>> -   "%pM rejected association temporarily; comeback duration %u TU (%u ms)\n",
>>> -@@ -3757,7 +3770,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
>>> - event.u.mlme.reason = status_code;
>>> - drv_event_callback(sdata->local, sdata, &event);
>>> - } else {
>>> -- if (!ieee80211_assoc_success(sdata, cbss, mgmt, len, &elems)) {
>>> -+ if (!ieee80211_assoc_success(sdata, cbss, mgmt, len, elems)) {
>>> - /* oops -- internal error -- send timeout for now */
>>> - ieee80211_destroy_assoc_data(sdata, false, false);
>>> - cfg80211_assoc_timeout(sdata->dev, cbss);
>>> -@@ -3787,6 +3800,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
>>> -       ifmgd->assoc_req_ies, ifmgd->assoc_req_ies_len);
>>> - notify_driver:
>>> - drv_mgd_complete_tx(sdata->local, sdata, &info);
>>> -+ kfree(elems);
>>> - }
>>> - 
>>> - static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
>>> -@@ -3991,7 +4005,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
>>> - struct ieee80211_mgmt *mgmt = (void *) hdr;
>>> - size_t baselen;
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - struct ieee80211_local *local = sdata->local;
>>> - struct ieee80211_chanctx_conf *chanctx_conf;
>>> - struct ieee80211_channel *chan;
>>> -@@ -4037,15 +4051,16 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - 
>>> - if (ifmgd->assoc_data && ifmgd->assoc_data->need_beacon &&
>>> -    ieee80211_rx_our_beacon(bssid, ifmgd->assoc_data->bss)) {
>>> -- ieee802_11_parse_elems(variable,
>>> --       len - baselen, false, &elems,
>>> --       bssid,
>>> --       ifmgd->assoc_data->bss->bssid);
>>> -+ elems = ieee802_11_parse_elems(variable, len - baselen, false,
>>> -+       bssid,
>>> -+       ifmgd->assoc_data->bss->bssid);
>>> -+ if (!elems)
>>> -+ return;
>>> - 
>>> - ieee80211_rx_bss_info(sdata, mgmt, len, rx_status);
>>> - 
>>> -- if (elems.dtim_period)
>>> -- ifmgd->dtim_period = elems.dtim_period;
>>> -+ if (elems->dtim_period)
>>> -+ ifmgd->dtim_period = elems->dtim_period;
>>> - ifmgd->have_beacon = true;
>>> - ifmgd->assoc_data->need_beacon = false;
>>> - if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY)) {
>>> -@@ -4053,17 +4068,17 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - le64_to_cpu(mgmt->u.beacon.timestamp);
>>> - sdata->vif.bss_conf.sync_device_ts =
>>> - rx_status->device_timestamp;
>>> -- sdata->vif.bss_conf.sync_dtim_count = elems.dtim_count;
>>> -+ sdata->vif.bss_conf.sync_dtim_count = elems->dtim_count;
>>> - }
>>> - 
>>> -- if (elems.mbssid_config_ie)
>>> -+ if (elems->mbssid_config_ie)
>>> - bss_conf->profile_periodicity =
>>> -- elems.mbssid_config_ie->profile_periodicity;
>>> -+ elems->mbssid_config_ie->profile_periodicity;
>>> - else
>>> - bss_conf->profile_periodicity = 0;
>>> - 
>>> -- if (elems.ext_capab_len >= 11 &&
>>> --    (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
>>> -+ if (elems->ext_capab_len >= 11 &&
>>> -+    (elems->ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
>>> - bss_conf->ema_ap = true;
>>> - else
>>> - bss_conf->ema_ap = false;
>>> -@@ -4072,6 +4087,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - ifmgd->assoc_data->timeout = jiffies;
>>> - ifmgd->assoc_data->timeout_started = true;
>>> - run_again(sdata, ifmgd->assoc_data->timeout);
>>> -+ kfree(elems);
>>> - return;
>>> - }
>>> - 
>>> -@@ -4103,14 +4119,15 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - */
>>> - if (!ieee80211_is_s1g_beacon(hdr->frame_control))
>>> - ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
>>> -- ieee802_11_parse_elems_crc(variable,
>>> --   len - baselen, false, &elems,
>>> --   care_about_ies, ncrc,
>>> --   mgmt->bssid, bssid);
>>> -- ncrc = elems.crc;
>>> -+ elems = ieee802_11_parse_elems_crc(variable, len - baselen,
>>> -+   false, care_about_ies, ncrc,
>>> -+   mgmt->bssid, bssid);
>>> -+ if (!elems)
>>> -+ return;
>>> -+ ncrc = elems->crc;
>>> - 
>>> - if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
>>> --    ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) {
>>> -+    ieee80211_check_tim(elems->tim, elems->tim_len, bss_conf->aid)) {
>>> - if (local->hw.conf.dynamic_ps_timeout > 0) {
>>> - if (local->hw.conf.flags & IEEE80211_CONF_PS) {
>>> - local->hw.conf.flags &= ~IEEE80211_CONF_PS;
>>> -@@ -4180,12 +4197,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - le64_to_cpu(mgmt->u.beacon.timestamp);
>>> - sdata->vif.bss_conf.sync_device_ts =
>>> - rx_status->device_timestamp;
>>> -- sdata->vif.bss_conf.sync_dtim_count = elems.dtim_count;
>>> -+ sdata->vif.bss_conf.sync_dtim_count = elems->dtim_count;
>>> - }
>>> - 
>>> - if ((ncrc == ifmgd->beacon_crc && ifmgd->beacon_crc_valid) ||
>>> -    ieee80211_is_s1g_short_beacon(mgmt->frame_control))
>>> -- return;
>>> -+ goto free;
>>> - ifmgd->beacon_crc = ncrc;
>>> - ifmgd->beacon_crc_valid = true;
>>> - 
>>> -@@ -4193,12 +4210,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - 
>>> - ieee80211_sta_process_chanswitch(sdata, rx_status->mactime,
>>> - rx_status->device_timestamp,
>>> -- &elems, true);
>>> -+ elems, true);
>>> - 
>>> - if (!(ifmgd->flags & IEEE80211_STA_DISABLE_WMM) &&
>>> --    ieee80211_sta_wmm_params(local, sdata, elems.wmm_param,
>>> --     elems.wmm_param_len,
>>> --     elems.mu_edca_param_set))
>>> -+    ieee80211_sta_wmm_params(local, sdata, elems->wmm_param,
>>> -+     elems->wmm_param_len,
>>> -+     elems->mu_edca_param_set))
>>> - changed |= BSS_CHANGED_QOS;
>>> - 
>>> - /*
>>> -@@ -4207,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - */
>>> - if (!ifmgd->have_beacon) {
>>> - /* a few bogus AP send dtim_period = 0 or no TIM IE */
>>> -- bss_conf->dtim_period = elems.dtim_period ?: 1;
>>> -+ bss_conf->dtim_period = elems->dtim_period ?: 1;
>>> - 
>>> - changed |= BSS_CHANGED_BEACON_INFO;
>>> - ifmgd->have_beacon = true;
>>> -@@ -4219,9 +4236,9 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - ieee80211_recalc_ps_vif(sdata);
>>> - }
>>> - 
>>> -- if (elems.erp_info) {
>>> -+ if (elems->erp_info) {
>>> - erp_valid = true;
>>> -- erp_value = elems.erp_info[0];
>>> -+ erp_value = elems->erp_info[0];
>>> - } else {
>>> - erp_valid = false;
>>> - }
>>> -@@ -4234,12 +4251,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> - mutex_lock(&local->sta_mtx);
>>> - sta = sta_info_get(sdata, bssid);
>>> - 
>>> -- changed |= ieee80211_recalc_twt_req(sdata, sta, &elems);
>>> -+ changed |= ieee80211_recalc_twt_req(sdata, sta, elems);
>>> - 
>>> -- if (ieee80211_config_bw(sdata, sta, elems.ht_cap_elem,
>>> -- elems.vht_cap_elem, elems.ht_operation,
>>> -- elems.vht_operation, elems.he_operation,
>>> -- elems.s1g_oper, bssid, &changed)) {
>>> -+ if (ieee80211_config_bw(sdata, sta, elems->ht_cap_elem,
>>> -+ elems->vht_cap_elem, elems->ht_operation,
>>> -+ elems->vht_operation, elems->he_operation,
>>> -+ elems->s1g_oper, bssid, &changed)) {
>>> - mutex_unlock(&local->sta_mtx);
>>> - sdata_info(sdata,
>>> -   "failed to follow AP %pM bandwidth change, disconnect\n",
>>> -@@ -4251,21 +4268,23 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
>>> -    sizeof(deauth_buf), true,
>>> -    WLAN_REASON_DEAUTH_LEAVING,
>>> -    false);
>>> -- return;
>>> -+ goto free;
>>> - }
>>> - 
>>> -- if (sta && elems.opmode_notif)
>>> -- ieee80211_vht_handle_opmode(sdata, sta, *elems.opmode_notif,
>>> -+ if (sta && elems->opmode_notif)
>>> -+ ieee80211_vht_handle_opmode(sdata, sta, *elems->opmode_notif,
>>> -    rx_status->band);
>>> - mutex_unlock(&local->sta_mtx);
>>> - 
>>> - changed |= ieee80211_handle_pwr_constr(sdata, chan, mgmt,
>>> --       elems.country_elem,
>>> --       elems.country_elem_len,
>>> --       elems.pwr_constr_elem,
>>> --       elems.cisco_dtpc_elem);
>>> -+       elems->country_elem,
>>> -+       elems->country_elem_len,
>>> -+       elems->pwr_constr_elem,
>>> -+       elems->cisco_dtpc_elem);
>>> - 
>>> - ieee80211_bss_info_change_notify(sdata, changed);
>>> -+free:
>>> -+ kfree(elems);
>>> - }
>>> - 
>>> - void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
>>> -@@ -4294,7 +4313,6 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>>> - struct ieee80211_rx_status *rx_status;
>>> - struct ieee80211_mgmt *mgmt;
>>> - u16 fc;
>>> -- struct ieee802_11_elems elems;
>>> - int ies_len;
>>> - 
>>> - rx_status = (struct ieee80211_rx_status *) skb->cb;
>>> -@@ -4326,6 +4344,8 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>>> - break;
>>> - case IEEE80211_STYPE_ACTION:
>>> - if (mgmt->u.action.category == WLAN_CATEGORY_SPECTRUM_MGMT) {
>>> -+ struct ieee802_11_elems *elems;
>>> -+
>>> - ies_len = skb->len -
>>> -  offsetof(struct ieee80211_mgmt,
>>> -   u.action.u.chan_switch.variable);
>>> -@@ -4334,18 +4354,21 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>>> - break;
>>> - 
>>> - /* CSA IE cannot be overridden, no need for BSSID */
>>> -- ieee802_11_parse_elems(
>>> -- mgmt->u.action.u.chan_switch.variable,
>>> -- ies_len, true, &elems, mgmt->bssid, NULL);
>>> -+ elems = ieee802_11_parse_elems(
>>> -+ mgmt->u.action.u.chan_switch.variable,
>>> -+ ies_len, true, mgmt->bssid, NULL);
>>> - 
>>> -- if (elems.parse_error)
>>> -+ if (!elems || elems->parse_error)
>>> - break;
>>> - 
>>> - ieee80211_sta_process_chanswitch(sdata,
>>> - rx_status->mactime,
>>> - rx_status->device_timestamp,
>>> -- &elems, false);
>>> -+ elems, false);
>>> -+ kfree(elems);
>>> - } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
>>> -+ struct ieee802_11_elems *elems;
>>> -+
>>> - ies_len = skb->len -
>>> -  offsetof(struct ieee80211_mgmt,
>>> -   u.action.u.ext_chan_switch.variable);
>>> -@@ -4357,21 +4380,22 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>>> - * extended CSA IE can't be overridden, no need for
>>> - * BSSID
>>> - */
>>> -- ieee802_11_parse_elems(
>>> -- mgmt->u.action.u.ext_chan_switch.variable,
>>> -- ies_len, true, &elems, mgmt->bssid, NULL);
>>> -+ elems = ieee802_11_parse_elems(
>>> -+ mgmt->u.action.u.ext_chan_switch.variable,
>>> -+ ies_len, true, mgmt->bssid, NULL);
>>> - 
>>> -- if (elems.parse_error)
>>> -+ if (!elems || elems->parse_error)
>>> - break;
>>> - 
>>> - /* for the handling code pretend this was also an IE */
>>> -- elems.ext_chansw_ie =
>>> -+ elems->ext_chansw_ie =
>>> - &mgmt->u.action.u.ext_chan_switch.data;
>>> - 
>>> - ieee80211_sta_process_chanswitch(sdata,
>>> - rx_status->mactime,
>>> - rx_status->device_timestamp,
>>> -- &elems, false);
>>> -+ elems, false);
>>> -+ kfree(elems);
>>> - }
>>> - break;
>>> - }
>>> -diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
>>> -index d6afaacaf7ef..e692a2487eb5 100644
>>> ---- a/net/mac80211/scan.c
>>> -+++ b/net/mac80211/scan.c
>>> -@@ -9,7 +9,7 @@
>>> -  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
>>> -  * Copyright 2013-2015  Intel Mobile Communications GmbH
>>> -  * Copyright 2016-2017  Intel Deutschland GmbH
>>> -- * Copyright (C) 2018-2020 Intel Corporation
>>> -+ * Copyright (C) 2018-2021 Intel Corporation
>>> -  */
>>> - 
>>> - #include <linux/if_arp.h>
>>> -@@ -155,7 +155,7 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
>>> - };
>>> - bool signal_valid;
>>> - struct ieee80211_sub_if_data *scan_sdata;
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - size_t baselen;
>>> - u8 *elements;
>>> - 
>>> -@@ -209,8 +209,10 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
>>> - if (baselen > len)
>>> - return NULL;
>>> - 
>>> -- ieee802_11_parse_elems(elements, len - baselen, false, &elems,
>>> --       mgmt->bssid, cbss->bssid);
>>> -+ elems = ieee802_11_parse_elems(elements, len - baselen, false,
>>> -+       mgmt->bssid, cbss->bssid);
>>> -+ if (!elems)
>>> -+ return NULL;
>>> - 
>>> - /* In case the signal is invalid update the status */
>>> - signal_valid = channel == cbss->channel;
>>> -@@ -218,15 +220,17 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
>>> - rx_status->flag |= RX_FLAG_NO_SIGNAL_VAL;
>>> - 
>>> - bss = (void *)cbss->priv;
>>> -- ieee80211_update_bss_from_elems(local, bss, &elems, rx_status, beacon);
>>> -+ ieee80211_update_bss_from_elems(local, bss, elems, rx_status, beacon);
>>> - 
>>> - list_for_each_entry(non_tx_cbss, &cbss->nontrans_list, nontrans_list) {
>>> - non_tx_bss = (void *)non_tx_cbss->priv;
>>> - 
>>> -- ieee80211_update_bss_from_elems(local, non_tx_bss, &elems,
>>> -+ ieee80211_update_bss_from_elems(local, non_tx_bss, elems,
>>> - rx_status, beacon);
>>> - }
>>> - 
>>> -+ kfree(elems);
>>> -+
>>> - return bss;
>>> - }
>>> - 
>>> -diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
>>> -index 45e532ad1215..137be9ec94af 100644
>>> ---- a/net/mac80211/tdls.c
>>> -+++ b/net/mac80211/tdls.c
>>> -@@ -6,7 +6,7 @@
>>> -  * Copyright 2014, Intel Corporation
>>> -  * Copyright 2014  Intel Mobile Communications GmbH
>>> -  * Copyright 2015 - 2016 Intel Deutschland GmbH
>>> -- * Copyright (C) 2019 Intel Corporation
>>> -+ * Copyright (C) 2019, 2021 Intel Corporation
>>> -  */
>>> - 
>>> - #include <linux/ieee80211.h>
>>> -@@ -1684,7 +1684,7 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
>>> -   struct sk_buff *skb)
>>> - {
>>> - struct ieee80211_local *local = sdata->local;
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems = NULL;
>>> - struct sta_info *sta;
>>> - struct ieee80211_tdls_data *tf = (void *)skb->data;
>>> - bool local_initiator;
>>> -@@ -1718,16 +1718,20 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
>>> - goto call_drv;
>>> - }
>>> - 
>>> -- ieee802_11_parse_elems(tf->u.chan_switch_resp.variable,
>>> --       skb->len - baselen, false, &elems,
>>> --       NULL, NULL);
>>> -- if (elems.parse_error) {
>>> -+ elems = ieee802_11_parse_elems(tf->u.chan_switch_resp.variable,
>>> -+       skb->len - baselen, false, NULL, NULL);
>>> -+ if (!elems) {
>>> -+ ret = -ENOMEM;
>>> -+ goto out;
>>> -+ }
>>> -+
>>> -+ if (elems->parse_error) {
>>> - tdls_dbg(sdata, "Invalid IEs in TDLS channel switch resp\n");
>>> - ret = -EINVAL;
>>> - goto out;
>>> - }
>>> - 
>>> -- if (!elems.ch_sw_timing || !elems.lnk_id) {
>>> -+ if (!elems->ch_sw_timing || !elems->lnk_id) {
>>> - tdls_dbg(sdata, "TDLS channel switch resp - missing IEs\n");
>>> - ret = -EINVAL;
>>> - goto out;
>>> -@@ -1735,15 +1739,15 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
>>> - 
>>> - /* validate the initiator is set correctly */
>>> - local_initiator =
>>> -- !memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
>>> -+ !memcmp(elems->lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
>>> - if (local_initiator == sta->sta.tdls_initiator) {
>>> - tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
>>> - ret = -EINVAL;
>>> - goto out;
>>> - }
>>> - 
>>> -- params.switch_time = le16_to_cpu(elems.ch_sw_timing->switch_time);
>>> -- params.switch_timeout = le16_to_cpu(elems.ch_sw_timing->switch_timeout);
>>> -+ params.switch_time = le16_to_cpu(elems->ch_sw_timing->switch_time);
>>> -+ params.switch_timeout = le16_to_cpu(elems->ch_sw_timing->switch_timeout);
>>> - 
>>> - params.tmpl_skb =
>>> - ieee80211_tdls_ch_sw_resp_tmpl_get(sta, &params.ch_sw_tm_ie);
>>> -@@ -1763,6 +1767,7 @@ call_drv:
>>> - out:
>>> - mutex_unlock(&local->sta_mtx);
>>> - dev_kfree_skb_any(params.tmpl_skb);
>>> -+ kfree(elems);
>>> - return ret;
>>> - }
>>> - 
>>> -@@ -1771,7 +1776,7 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>>> -  struct sk_buff *skb)
>>> - {
>>> - struct ieee80211_local *local = sdata->local;
>>> -- struct ieee802_11_elems elems;
>>> -+ struct ieee802_11_elems *elems;
>>> - struct cfg80211_chan_def chandef;
>>> - struct ieee80211_channel *chan;
>>> - enum nl80211_channel_type chan_type;
>>> -@@ -1831,22 +1836,27 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>>> - return -EINVAL;
>>> - }
>>> - 
>>> -- ieee802_11_parse_elems(tf->u.chan_switch_req.variable,
>>> --       skb->len - baselen, false, &elems, NULL, NULL);
>>> -- if (elems.parse_error) {
>>> -+ elems = ieee802_11_parse_elems(tf->u.chan_switch_req.variable,
>>> -+       skb->len - baselen, false, NULL, NULL);
>>> -+ if (!elems)
>>> -+ return -ENOMEM;
>>> -+
>>> -+ if (elems->parse_error) {
>>> - tdls_dbg(sdata, "Invalid IEs in TDLS channel switch req\n");
>>> -- return -EINVAL;
>>> -+ ret = -EINVAL;
>>> -+ goto free;
>>> - }
>>> - 
>>> -- if (!elems.ch_sw_timing || !elems.lnk_id) {
>>> -+ if (!elems->ch_sw_timing || !elems->lnk_id) {
>>> - tdls_dbg(sdata, "TDLS channel switch req - missing IEs\n");
>>> -- return -EINVAL;
>>> -+ ret = -EINVAL;
>>> -+ goto free;
>>> - }
>>> - 
>>> -- if (!elems.sec_chan_offs) {
>>> -+ if (!elems->sec_chan_offs) {
>>> - chan_type = NL80211_CHAN_HT20;
>>> - } else {
>>> -- switch (elems.sec_chan_offs->sec_chan_offs) {
>>> -+ switch (elems->sec_chan_offs->sec_chan_offs) {
>>> - case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
>>> - chan_type = NL80211_CHAN_HT40PLUS;
>>> - break;
>>> -@@ -1865,7 +1875,8 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>>> - if (!cfg80211_reg_can_beacon_relax(sdata->local->hw.wiphy, &chandef,
>>> -   sdata->wdev.iftype)) {
>>> - tdls_dbg(sdata, "TDLS chan switch to forbidden channel\n");
>>> -- return -EINVAL;
>>> -+ ret = -EINVAL;
>>> -+ goto free;
>>> - }
>>> - 
>>> - mutex_lock(&local->sta_mtx);
>>> -@@ -1881,7 +1892,7 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>>> - 
>>> - /* validate the initiator is set correctly */
>>> - local_initiator =
>>> -- !memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
>>> -+ !memcmp(elems->lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
>>> - if (local_initiator == sta->sta.tdls_initiator) {
>>> - tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
>>> - ret = -EINVAL;
>>> -@@ -1889,16 +1900,16 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>>> - }
>>> - 
>>> - /* peer should have known better */
>>> -- if (!sta->sta.ht_cap.ht_supported && elems.sec_chan_offs &&
>>> --    elems.sec_chan_offs->sec_chan_offs) {
>>> -+ if (!sta->sta.ht_cap.ht_supported && elems->sec_chan_offs &&
>>> -+    elems->sec_chan_offs->sec_chan_offs) {
>>> - tdls_dbg(sdata, "TDLS chan switch - wide chan unsupported\n");
>>> - ret = -ENOTSUPP;
>>> - goto out;
>>> - }
>>> - 
>>> - params.chandef = &chandef;
>>> -- params.switch_time = le16_to_cpu(elems.ch_sw_timing->switch_time);
>>> -- params.switch_timeout = le16_to_cpu(elems.ch_sw_timing->switch_timeout);
>>> -+ params.switch_time = le16_to_cpu(elems->ch_sw_timing->switch_time);
>>> -+ params.switch_timeout = le16_to_cpu(elems->ch_sw_timing->switch_timeout);
>>> - 
>>> - params.tmpl_skb =
>>> - ieee80211_tdls_ch_sw_resp_tmpl_get(sta,
>>> -@@ -1917,6 +1928,8 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
>>> - out:
>>> - mutex_unlock(&local->sta_mtx);
>>> - dev_kfree_skb_any(params.tmpl_skb);
>>> -+free:
>>> -+ kfree(elems);
>>> - return ret;
>>> - }
>>> - 
>>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>>> -index 664c32b6db19..2ac61e68b6b4 100644
>>> ---- a/net/mac80211/util.c
>>> -+++ b/net/mac80211/util.c
>>> -@@ -1396,8 +1396,8 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>>> - 
>>> - static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
>>> -    struct ieee802_11_elems *elems,
>>> --    u8 *transmitter_bssid,
>>> --    u8 *bss_bssid,
>>> -+    const u8 *transmitter_bssid,
>>> -+    const u8 *bss_bssid,
>>> -    u8 *nontransmitted_profile)
>>> - {
>>> - const struct element *elem, *sub;
>>> -@@ -1464,16 +1464,20 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
>>> - return found ? profile_len : 0;
>>> - }
>>> - 
>>> --void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>>> -- struct ieee802_11_elems *elems,
>>> -- u64 filter, u32 crc, u8 *transmitter_bssid,
>>> -- u8 *bss_bssid)
>>> -+struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
>>> -+    bool action, u64 filter,
>>> -+    u32 crc,
>>> -+    const u8 *transmitter_bssid,
>>> -+    const u8 *bss_bssid)
>>> - {
>>> -+ struct ieee802_11_elems *elems;
>>> - const struct element *non_inherit = NULL;
>>> - u8 *nontransmitted_profile;
>>> - int nontransmitted_profile_len = 0;
>>> - 
>>> -- memset(elems, 0, sizeof(*elems));
>>> -+ elems = kzalloc(sizeof(*elems), GFP_ATOMIC);
>>> -+ if (!elems)
>>> -+ return NULL;
>>> - elems->ie_start = start;
>>> - elems->total_len = len;
>>> - 
>>> -@@ -1520,6 +1524,8 @@ void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
>>> - kfree(nontransmitted_profile);
>>> - 
>>> - elems->crc = crc;
>>> -+
>>> -+ return elems;
>>> - }
>>> - 
>>> - void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch b/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
>>> deleted file mode 100644
>>> index 1d167c19a..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
>>> +++ /dev/null
>>> @@ -1,130 +0,0 @@
>>> -From 7d998f6b7365d50a9905bf57fd28b41c7ebe8e9d Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Thu, 13 Oct 2022 20:16:00 +0200
>>> -Subject: [PATCH] mac80211: fix memory leaks with element parsing
>>> -
>>> -commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
>>> -
>>> -My previous commit 5d24828d05f3 ("mac80211: always allocate
>>> -struct ieee802_11_elems") had a few bugs and leaked the new
>>> -allocated struct in a few error cases, fix that.
>>> -
>>> -Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Cc: Felix Fietkau <nbd@nbd.name>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/mac80211/agg-rx.c |  3 ++-
>>> - net/mac80211/ibss.c   | 10 +++++-----
>>> - net/mac80211/mlme.c   | 36 ++++++++++++++++++------------------
>>> - 3 files changed, 25 insertions(+), 24 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
>>> -index ffa4f31f6c2b..0d2bab9d351c 100644
>>> ---- a/net/mac80211/agg-rx.c
>>> -+++ b/net/mac80211/agg-rx.c
>>> -@@ -499,13 +499,14 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
>>> - elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
>>> -       ies_len, true, mgmt->bssid, NULL);
>>> - if (!elems || elems->parse_error)
>>> -- return;
>>> -+ goto free;
>>> - }
>>> - 
>>> - __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
>>> - start_seq_num, ba_policy, tid,
>>> - buf_size, true, false,
>>> - elems ? elems->addba_ext_ie : NULL);
>>> -+free:
>>> - kfree(elems);
>>> - }
>>> - 
>>> -diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
>>> -index 4b721b48f86a..48e0260f3424 100644
>>> ---- a/net/mac80211/ibss.c
>>> -+++ b/net/mac80211/ibss.c
>>> -@@ -1663,11 +1663,11 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>>> - mgmt->u.action.u.chan_switch.variable,
>>> - ies_len, true, mgmt->bssid, NULL);
>>> - 
>>> -- if (!elems || elems->parse_error)
>>> -- break;
>>> --
>>> -- ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
>>> -- rx_status, elems);
>>> -+ if (elems && !elems->parse_error)
>>> -+ ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
>>> -+ skb->len,
>>> -+ rx_status,
>>> -+ elems);
>>> - kfree(elems);
>>> - break;
>>> - }
>>> -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
>>> -index 45efa1d1c550..cc6d38a2e6d5 100644
>>> ---- a/net/mac80211/mlme.c
>>> -+++ b/net/mac80211/mlme.c
>>> -@@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
>>> - bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
>>> -  GFP_ATOMIC);
>>> - rcu_read_unlock();
>>> -- if (!bss_ies)
>>> -- return false;
>>> -+ if (!bss_ies) {
>>> -+ ret = false;
>>> -+ goto out;
>>> -+ }
>>> - 
>>> - bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
>>> -   false, mgmt->bssid,
>>> -@@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>>> - mgmt->u.action.u.chan_switch.variable,
>>> - ies_len, true, mgmt->bssid, NULL);
>>> - 
>>> -- if (!elems || elems->parse_error)
>>> -- break;
>>> --
>>> -- ieee80211_sta_process_chanswitch(sdata,
>>> -- rx_status->mactime,
>>> -- rx_status->device_timestamp,
>>> -- elems, false);
>>> -+ if (elems && !elems->parse_error)
>>> -+ ieee80211_sta_process_chanswitch(sdata,
>>> -+ rx_status->mactime,
>>> -+ rx_status->device_timestamp,
>>> -+ elems, false);
>>> - kfree(elems);
>>> - } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
>>> - struct ieee802_11_elems *elems;
>>> -@@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
>>> - mgmt->u.action.u.ext_chan_switch.variable,
>>> - ies_len, true, mgmt->bssid, NULL);
>>> - 
>>> -- if (!elems || elems->parse_error)
>>> -- break;
>>> -+ if (elems && !elems->parse_error) {
>>> -+ /* for the handling code pretend it was an IE */
>>> -+ elems->ext_chansw_ie =
>>> -+ &mgmt->u.action.u.ext_chan_switch.data;
>>> - 
>>> -- /* for the handling code pretend this was also an IE */
>>> -- elems->ext_chansw_ie =
>>> -- &mgmt->u.action.u.ext_chan_switch.data;
>>> -+ ieee80211_sta_process_chanswitch(sdata,
>>> -+ rx_status->mactime,
>>> -+ rx_status->device_timestamp,
>>> -+ elems, false);
>>> -+ }
>>> - 
>>> -- ieee80211_sta_process_chanswitch(sdata,
>>> -- rx_status->mactime,
>>> -- rx_status->device_timestamp,
>>> -- elems, false);
>>> - kfree(elems);
>>> - }
>>> - break;
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-14.patch b/src/patches/linux/linux-5.15-wifi-security-patches-14.patch
>>> deleted file mode 100644
>>> index f0ccc0b6a..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-14.patch
>>> +++ /dev/null
>>> @@ -1,107 +0,0 @@
>>> -From de124365a7d2deed22cf706583930f28d537ff0f Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Thu, 13 Oct 2022 20:16:01 +0200
>>> -Subject: [PATCH] wifi: mac80211: fix MBSSID parsing use-after-free
>>> -
>>> -commit ff05d4b45dd89b922578dac497dcabf57cf771c6
>>> -
>>> -When we parse a multi-BSSID element, we might point some
>>> -element pointers into the allocated nontransmitted_profile.
>>> -However, we free this before returning, causing UAF when the
>>> -relevant pointers in the parsed elements are accessed.
>>> -
>>> -Fix this by not allocating the scratch buffer separately but
>>> -as part of the returned structure instead, that way, there
>>> -are no lifetime issues with it.
>>> -
>>> -The scratch buffer introduction as part of the returned data
>>> -here is taken from MLO feature work done by Ilan.
>>> -
>>> -This fixes CVE-2022-42719.
>>> -
>>> -Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
>>> -Co-developed-by: Ilan Peer <ilan.peer@intel.com>
>>> -Signed-off-by: Ilan Peer <ilan.peer@intel.com>
>>> -Reviewed-by: Kees Cook <keescook@chromium.org>
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Cc: Felix Fietkau <nbd@nbd.name>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/mac80211/ieee80211_i.h |  8 ++++++++
>>> - net/mac80211/util.c        | 29 ++++++++++++++---------------
>>> - 2 files changed, 22 insertions(+), 15 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>>> -index 3633e49239c7..21549a440b38 100644
>>> ---- a/net/mac80211/ieee80211_i.h
>>> -+++ b/net/mac80211/ieee80211_i.h
>>> -@@ -1613,6 +1613,14 @@ struct ieee802_11_elems {
>>> - 
>>> - /* whether a parse error occurred while retrieving these elements */
>>> - bool parse_error;
>>> -+
>>> -+ /*
>>> -+ * scratch buffer that can be used for various element parsing related
>>> -+ * tasks, e.g., element de-fragmentation etc.
>>> -+ */
>>> -+ size_t scratch_len;
>>> -+ u8 *scratch_pos;
>>> -+ u8 scratch[];
>>> - };
>>> - 
>>> - static inline struct ieee80211_local *hw_to_local(
>>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>>> -index 2ac61e68b6b4..354badd32793 100644
>>> ---- a/net/mac80211/util.c
>>> -+++ b/net/mac80211/util.c
>>> -@@ -1475,24 +1475,25 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
>>> - u8 *nontransmitted_profile;
>>> - int nontransmitted_profile_len = 0;
>>> - 
>>> -- elems = kzalloc(sizeof(*elems), GFP_ATOMIC);
>>> -+ elems = kzalloc(sizeof(*elems) + len, GFP_ATOMIC);
>>> - if (!elems)
>>> - return NULL;
>>> - elems->ie_start = start;
>>> - elems->total_len = len;
>>> - 
>>> -- nontransmitted_profile = kmalloc(len, GFP_ATOMIC);
>>> -- if (nontransmitted_profile) {
>>> -- nontransmitted_profile_len =
>>> -- ieee802_11_find_bssid_profile(start, len, elems,
>>> --      transmitter_bssid,
>>> --      bss_bssid,
>>> --      nontransmitted_profile);
>>> -- non_inherit =
>>> -- cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
>>> --       nontransmitted_profile,
>>> --       nontransmitted_profile_len);
>>> -- }
>>> -+ elems->scratch_len = len;
>>> -+ elems->scratch_pos = elems->scratch;
>>> -+
>>> -+ nontransmitted_profile = elems->scratch_pos;
>>> -+ nontransmitted_profile_len =
>>> -+ ieee802_11_find_bssid_profile(start, len, elems,
>>> -+      transmitter_bssid,
>>> -+      bss_bssid,
>>> -+      nontransmitted_profile);
>>> -+ non_inherit =
>>> -+ cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
>>> -+       nontransmitted_profile,
>>> -+       nontransmitted_profile_len);
>>> - 
>>> - crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
>>> -  crc, non_inherit);
>>> -@@ -1521,8 +1522,6 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
>>> -    offsetofend(struct ieee80211_bssid_index, dtim_count))
>>> - elems->dtim_count = elems->bssid_index->dtim_count;
>>> - 
>>> -- kfree(nontransmitted_profile);
>>> --
>>> - elems->crc = crc;
>>> - 
>>> - return elems;
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-2.patch b/src/patches/linux/linux-5.15-wifi-security-patches-2.patch
>>> deleted file mode 100644
>>> index d2a04e717..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-2.patch
>>> +++ /dev/null
>>> @@ -1,59 +0,0 @@
>>> -From 0a861bd25dad508e492c48169509d8c6b9246895 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Wed, 28 Sep 2022 22:01:37 +0200
>>> -Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements
>>> -
>>> -commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
>>> -
>>> -Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
>>> -and the minimum is 1 since a multiple BSSID set with just one BSSID
>>> -doesn't make sense (the # of BSSIDs is limited by 2^n).
>>> -
>>> -Limit this in the parsing in both cfg80211 and mac80211, rejecting
>>> -any elements with an invalid value.
>>> -
>>> -This fixes potentially bad shifts in the processing of these inside
>>> -the cfg80211_gen_new_bssid() function later.
>>> -
>>> -I found this during the investigation of CVE-2022-41674 fixed by the
>>> -previous patch.
>>> -
>>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
>>> -Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
>>> -Reviewed-by: Kees Cook <keescook@chromium.org>
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/mac80211/util.c | 2 ++
>>> - net/wireless/scan.c | 2 ++
>>> - 2 files changed, 4 insertions(+)
>>> -
>>> -diff --git a/net/mac80211/util.c b/net/mac80211/util.c
>>> -index be1911d8089f..00543ea9c6b5 100644
>>> ---- a/net/mac80211/util.c
>>> -+++ b/net/mac80211/util.c
>>> -@@ -1414,6 +1414,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
>>> - for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
>>> - if (elem->datalen < 2)
>>> - continue;
>>> -+ if (elem->data[0] < 1 || elem->data[0] > 8)
>>> -+ continue;
>>> - 
>>> - for_each_element(sub, elem->data + 1, elem->datalen - 1) {
>>> - u8 new_bssid[ETH_ALEN];
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index d9ab37a798f4..84c642eae4d8 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -2103,6 +2103,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
>>> - for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
>>> - if (elem->datalen < 4)
>>> - continue;
>>> -+ if (elem->data[0] < 1 || (int)elem->data[0] > 8)
>>> -+ continue;
>>> - for_each_element(sub, elem->data + 1, elem->datalen - 1) {
>>> - u8 profile_len;
>>> - 
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-3.patch b/src/patches/linux/linux-5.15-wifi-security-patches-3.patch
>>> deleted file mode 100644
>>> index 60be08214..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-3.patch
>>> +++ /dev/null
>>> @@ -1,49 +0,0 @@
>>> -From 9e99ca59ed3976921f8891c103d503b6da3e78af Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Thu, 29 Sep 2022 21:50:44 +0200
>>> -Subject: [PATCH] wifi: cfg80211: ensure length byte is present before access
>>> -
>>> -commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
>>> -
>>> -When iterating the elements here, ensure the length byte is
>>> -present before checking it to see if the entire element will
>>> -fit into the buffer.
>>> -
>>> -Longer term, we should rewrite this code using the type-safe
>>> -element iteration macros that check all of this.
>>> -
>>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
>>> -Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/wireless/scan.c | 6 ++++--
>>> - 1 file changed, 4 insertions(+), 2 deletions(-)
>>> -
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index 84c642eae4d8..04c9b78b3fec 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
>>> - tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
>>> - tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
>>> - 
>>> -- while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
>>> -+ while (tmp_old + 2 - ie <= ielen &&
>>> -+       tmp_old + tmp_old[1] + 2 - ie <= ielen) {
>>> - if (tmp_old[0] == 0) {
>>> - tmp_old++;
>>> - continue;
>>> -@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
>>> - * copied to new ie, skip ssid, capability, bssid-index ie
>>> - */
>>> - tmp_new = sub_copy;
>>> -- while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
>>> -+ while (tmp_new + 2 - sub_copy <= subie_len &&
>>> -+       tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
>>> - if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
>>> -      tmp_new[0] == WLAN_EID_SSID)) {
>>> - memcpy(pos, tmp_new, tmp_new[1] + 2);
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-4.patch b/src/patches/linux/linux-5.15-wifi-security-patches-4.patch
>>> deleted file mode 100644
>>> index bd2439041..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-4.patch
>>> +++ /dev/null
>>> @@ -1,96 +0,0 @@
>>> -From bfe29873454f38eb1a511a76144ad1a4848ca176 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Fri, 30 Sep 2022 23:44:23 +0200
>>> -Subject: [PATCH] wifi: cfg80211: fix BSS refcounting bugs
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=utf8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream.
>>> -
>>> -There are multiple refcounting bugs related to multi-BSSID:
>>> - - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
>>> -   the bss pointer is overwritten before checking for the
>>> -   transmitted BSS, which is clearly wrong. Fix this by using
>>> -   the bss_from_pub() macro.
>>> -
>>> - - In cfg80211_bss_update() we copy the transmitted_bss pointer
>>> -   from tmp into new, but then if we release new, we'll unref
>>> -   it erroneously. We already set the pointer and ref it, but
>>> -   need to NULL it since it was copied from the tmp data.
>>> -
>>> - - In cfg80211_inform_single_bss_data(), if adding to the non-
>>> -   transmitted list fails, we unlink the BSS and yet still we
>>> -   return it, but this results in returning an entry without
>>> -   a reference. We shouldn't return it anyway if it was broken
>>> -   enough to not get added there.
>>> -
>>> -This fixes CVE-2022-42720.
>>> -
>>> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS")
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/wireless/scan.c | 27 ++++++++++++++-------------
>>> - 1 file changed, 14 insertions(+), 13 deletions(-)
>>> -
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index 04c9b78b3fec..2e576714e989 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
>>> - lockdep_assert_held(&rdev->bss_lock);
>>> - 
>>> - bss->refcount++;
>>> -- if (bss->pub.hidden_beacon_bss) {
>>> -- bss = container_of(bss->pub.hidden_beacon_bss,
>>> --   struct cfg80211_internal_bss,
>>> --   pub);
>>> -- bss->refcount++;
>>> -- }
>>> -- if (bss->pub.transmitted_bss) {
>>> -- bss = container_of(bss->pub.transmitted_bss,
>>> --   struct cfg80211_internal_bss,
>>> --   pub);
>>> -- bss->refcount++;
>>> -- }
>>> -+
>>> -+ if (bss->pub.hidden_beacon_bss)
>>> -+ bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
>>> -+
>>> -+ if (bss->pub.transmitted_bss)
>>> -+ bss_from_pub(bss->pub.transmitted_bss)->refcount++;
>>> - }
>>> - 
>>> - static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
>>> -@@ -1743,6 +1737,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
>>> - new->refcount = 1;
>>> - INIT_LIST_HEAD(&new->hidden_list);
>>> - INIT_LIST_HEAD(&new->pub.nontrans_list);
>>> -+ /* we'll set this later if it was non-NULL */
>>> -+ new->pub.transmitted_bss = NULL;
>>> - 
>>> - if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
>>> - hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
>>> -@@ -1983,10 +1979,15 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
>>> - spin_lock_bh(&rdev->bss_lock);
>>> - if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
>>> -       &res->pub)) {
>>> -- if (__cfg80211_unlink_bss(rdev, res))
>>> -+ if (__cfg80211_unlink_bss(rdev, res)) {
>>> - rdev->bss_generation++;
>>> -+ res = NULL;
>>> -+ }
>>> - }
>>> - spin_unlock_bh(&rdev->bss_lock);
>>> -+
>>> -+ if (!res)
>>> -+ return NULL;
>>> - }
>>> - 
>>> - trace_cfg80211_return_bss(&res->pub);
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch b/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
>>> deleted file mode 100644
>>> index c0c4dadd3..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
>>> +++ /dev/null
>>> @@ -1,56 +0,0 @@
>>> -From 0a8ee682e4f992eccce226b012bba600bb2251e2 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Sat, 1 Oct 2022 00:01:44 +0200
>>> -Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list corruption
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=utf8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
>>> -
>>> -If a non-transmitted BSS shares enough information (both
>>> -SSID and BSSID!) with another non-transmitted BSS of a
>>> -different AP, then we can find and update it, and then
>>> -try to add it to the non-transmitted BSS list. We do a
>>> -search for it on the transmitted BSS, but if it's not
>>> -there (but belongs to another transmitted BSS), the list
>>> -gets corrupted.
>>> -
>>> -Since this is an erroneous situation, simply fail the
>>> -list insertion in this case and free the non-transmitted
>>> -BSS.
>>> -
>>> -This fixes CVE-2022-42721.
>>> -
>>> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/wireless/scan.c | 9 +++++++++
>>> - 1 file changed, 9 insertions(+)
>>> -
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index 2e576714e989..a21baf7b3612 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
>>> - 
>>> - rcu_read_unlock();
>>> - 
>>> -+ /*
>>> -+ * This is a bit weird - it's not on the list, but already on another
>>> -+ * one! The only way that could happen is if there's some BSSID/SSID
>>> -+ * shared by multiple APs in their multi-BSSID profiles, potentially
>>> -+ * with hidden SSID mixed in ... ignore it.
>>> -+ */
>>> -+ if (!list_empty(&nontrans_bss->nontrans_list))
>>> -+ return -EINVAL;
>>> -+
>>> - /* add to the list */
>>> - list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
>>> - return 0;
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-6.patch b/src/patches/linux/linux-5.15-wifi-security-patches-6.patch
>>> deleted file mode 100644
>>> index caa380de8..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-6.patch
>>> +++ /dev/null
>>> @@ -1,39 +0,0 @@
>>> -From fff244e9171b2ca692469d41c68b36607bd73ab0 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Wed, 5 Oct 2022 15:10:09 +0200
>>> -Subject: [PATCH] wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=utf8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -commit 1833b6f46d7e2830251a063935ab464256defe22 upstream.
>>> -
>>> -If the tool on the other side (e.g. wmediumd) gets confused
>>> -about the rate, we hit a warning in mac80211. Silence that
>>> -by effectively duplicating the check here and dropping the
>>> -frame silently (in mac80211 it's dropped with the warning).
>>> -
>>> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - drivers/net/wireless/mac80211_hwsim.c | 2 ++
>>> - 1 file changed, 2 insertions(+)
>>> -
>>> -diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
>>> -index 52a2574b7d13..b228567b2a73 100644
>>> ---- a/drivers/net/wireless/mac80211_hwsim.c
>>> -+++ b/drivers/net/wireless/mac80211_hwsim.c
>>> -@@ -3749,6 +3749,8 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
>>> - 
>>> - rx_status.band = channel->band;
>>> - rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
>>> -+ if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates)
>>> -+ goto out;
>>> - rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
>>> - 
>>> - hdr = (void *)skb->data;
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-7.patch b/src/patches/linux/linux-5.15-wifi-security-patches-7.patch
>>> deleted file mode 100644
>>> index b5cb2ad12..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-7.patch
>>> +++ /dev/null
>>> @@ -1,60 +0,0 @@
>>> -From 93a3a32554079432b49cf87f326607b2a2fab4f2 Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Wed, 5 Oct 2022 21:24:10 +0200
>>> -Subject: [PATCH] wifi: mac80211: fix crash in beacon protection for P2P-device
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=utf8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
>>> -
>>> -If beacon protection is active but the beacon cannot be
>>> -decrypted or is otherwise malformed, we call the cfg80211
>>> -API to report this to userspace, but that uses a netdev
>>> -pointer, which isn't present for P2P-Device. Fix this to
>>> -call it only conditionally to ensure cfg80211 won't crash
>>> -in the case of P2P-Device.
>>> -
>>> -This fixes CVE-2022-42722.
>>> -
>>> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/mac80211/rx.c | 12 +++++++-----
>>> - 1 file changed, 7 insertions(+), 5 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
>>> -index 743e97ba352c..175ead6b19cb 100644
>>> ---- a/net/mac80211/rx.c
>>> -+++ b/net/mac80211/rx.c
>>> -@@ -1982,10 +1982,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
>>> - 
>>> - if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
>>> -    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
>>> --    NUM_DEFAULT_BEACON_KEYS) {
>>> -- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
>>> --     skb->data,
>>> --     skb->len);
>>> -+   NUM_DEFAULT_BEACON_KEYS) {
>>> -+ if (rx->sdata->dev)
>>> -+ cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
>>> -+     skb->data,
>>> -+     skb->len);
>>> - return RX_DROP_MONITOR; /* unexpected BIP keyidx */
>>> - }
>>> - 
>>> -@@ -2133,7 +2134,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
>>> - /* either the frame has been decrypted or will be dropped */
>>> - status->flag |= RX_FLAG_DECRYPTED;
>>> - 
>>> -- if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
>>> -+ if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
>>> -+     rx->sdata->dev))
>>> - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
>>> -     skb->data, skb->len);
>>> - 
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-8.patch b/src/patches/linux/linux-5.15-wifi-security-patches-8.patch
>>> deleted file mode 100644
>>> index 8099f3a72..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-8.patch
>>> +++ /dev/null
>>> @@ -1,94 +0,0 @@
>>> -From d15bb1f6dabe1d2a4155958111bea47db72b599c Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Wed, 5 Oct 2022 23:11:43 +0200
>>> -Subject: [PATCH] wifi: cfg80211: update hidden BSSes to avoid WARN_ON
>>> -MIME-Version: 1.0
>>> -Content-Type: text/plain; charset=utf8
>>> -Content-Transfer-Encoding: 8bit
>>> -
>>> -commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream.
>>> -
>>> -When updating beacon elements in a non-transmitted BSS,
>>> -also update the hidden sub-entries to the same beacon
>>> -elements, so that a future update through other paths
>>> -won't trigger a WARN_ON().
>>> -
>>> -The warning is triggered because the beacon elements in
>>> -the hidden BSSes that are children of the BSS should
>>> -always be the same as in the parent.
>>> -
>>> -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
>>> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/wireless/scan.c | 31 ++++++++++++++++++++-----------
>>> - 1 file changed, 20 insertions(+), 11 deletions(-)
>>> -
>>> -diff --git a/net/wireless/scan.c b/net/wireless/scan.c
>>> -index a21baf7b3612..f0de22a6caf7 100644
>>> ---- a/net/wireless/scan.c
>>> -+++ b/net/wireless/scan.c
>>> -@@ -1609,6 +1609,23 @@ struct cfg80211_non_tx_bss {
>>> - u8 bssid_index;
>>> - };
>>> - 
>>> -+static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known,
>>> -+ const struct cfg80211_bss_ies *new_ies,
>>> -+ const struct cfg80211_bss_ies *old_ies)
>>> -+{
>>> -+ struct cfg80211_internal_bss *bss;
>>> -+
>>> -+ /* Assign beacon IEs to all sub entries */
>>> -+ list_for_each_entry(bss, &known->hidden_list, hidden_list) {
>>> -+ const struct cfg80211_bss_ies *ies;
>>> -+
>>> -+ ies = rcu_access_pointer(bss->pub.beacon_ies);
>>> -+ WARN_ON(ies != old_ies);
>>> -+
>>> -+ rcu_assign_pointer(bss->pub.beacon_ies, new_ies);
>>> -+ }
>>> -+}
>>> -+
>>> - static bool
>>> - cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
>>> -  struct cfg80211_internal_bss *known,
>>> -@@ -1632,7 +1649,6 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
>>> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
>>> - } else if (rcu_access_pointer(new->pub.beacon_ies)) {
>>> - const struct cfg80211_bss_ies *old;
>>> -- struct cfg80211_internal_bss *bss;
>>> - 
>>> - if (known->pub.hidden_beacon_bss &&
>>> -    !list_empty(&known->hidden_list)) {
>>> -@@ -1660,16 +1676,7 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
>>> - if (old == rcu_access_pointer(known->pub.ies))
>>> - rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
>>> - 
>>> -- /* Assign beacon IEs to all sub entries */
>>> -- list_for_each_entry(bss, &known->hidden_list, hidden_list) {
>>> -- const struct cfg80211_bss_ies *ies;
>>> --
>>> -- ies = rcu_access_pointer(bss->pub.beacon_ies);
>>> -- WARN_ON(ies != old);
>>> --
>>> -- rcu_assign_pointer(bss->pub.beacon_ies,
>>> --   new->pub.beacon_ies);
>>> -- }
>>> -+ cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
>>> - 
>>> - if (old)
>>> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
>>> -@@ -2319,6 +2326,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
>>> - } else {
>>> - old = rcu_access_pointer(nontrans_bss->beacon_ies);
>>> - rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies);
>>> -+ cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss),
>>> -+     new_ies, old);
>>> - rcu_assign_pointer(nontrans_bss->ies, new_ies);
>>> - if (old)
>>> - kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
>>> --- 
>>> -2.30.2
>>> -
>>> diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-9.patch b/src/patches/linux/linux-5.15-wifi-security-patches-9.patch
>>> deleted file mode 100644
>>> index 5781b077d..000000000
>>> --- a/src/patches/linux/linux-5.15-wifi-security-patches-9.patch
>>> +++ /dev/null
>>> @@ -1,126 +0,0 @@
>>> -From 864f2d3482f4bd0c62b355e35ee8300be8ef488e Mon Sep 17 00:00:00 2001
>>> -From: Johannes Berg <johannes.berg@intel.com>
>>> -Date: Thu, 13 Oct 2022 20:15:56 +0200
>>> -Subject: [PATCH] mac80211: mesh: clean up rx_bcn_presp API
>>> -
>>> -commit a5b983c6073140b624f64e79fea6d33c3e4315a0 upstream.
>>> -
>>> -We currently pass the entire elements to the rx_bcn_presp()
>>> -method, but only need mesh_config. Additionally, we use the
>>> -length of the elements to calculate back the entire frame's
>>> -length, but that's confusing - just pass the length of the
>>> -frame instead.
>>> -
>>> -Link: https://lore.kernel.org/r/20210920154009.a18ed3d2da6c.I1824b773a0fbae4453e1433c184678ca14e8df45@changeid
>>> -Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>>> -Cc: Felix Fietkau <nbd@nbd.name>
>>> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> ----
>>> - net/mac80211/ieee80211_i.h |  7 +++----
>>> - net/mac80211/mesh.c        |  4 ++--
>>> - net/mac80211/mesh_sync.c   | 26 ++++++++++++--------------
>>> - 3 files changed, 17 insertions(+), 20 deletions(-)
>>> -
>>> -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
>>> -index f7bea4af2ddb..4bd55af184b2 100644
>>> ---- a/net/mac80211/ieee80211_i.h
>>> -+++ b/net/mac80211/ieee80211_i.h
>>> -@@ -631,10 +631,9 @@ struct ieee80211_if_ocb {
>>> -  */
>>> - struct ieee802_11_elems;
>>> - struct ieee80211_mesh_sync_ops {
>>> -- void (*rx_bcn_presp)(struct ieee80211_sub_if_data *sdata,
>>> --     u16 stype,
>>> --     struct ieee80211_mgmt *mgmt,
>>> --     struct ieee802_11_elems *elems,
>>> -+ void (*rx_bcn_presp)(struct ieee80211_sub_if_data *sdata, u16 stype,
>>> -+     struct ieee80211_mgmt *mgmt, unsigned int len,
>>> -+     const struct ieee80211_meshconf_ie *mesh_cfg,
>>> -     struct ieee80211_rx_status *rx_status);
>>> - 
>>> - /* should be called with beacon_data under RCU read lock */
>>> -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
>>> -index 42bd81a30310..9f6414a68d71 100644
>>> ---- a/net/mac80211/mesh.c
>>> -+++ b/net/mac80211/mesh.c
>>> -@@ -1354,8 +1354,8 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>>> - }
>>> - 
>>> - if (ifmsh->sync_ops)
>>> -- ifmsh->sync_ops->rx_bcn_presp(sdata,
>>> -- stype, mgmt, &elems, rx_status);
>>> -+ ifmsh->sync_ops->rx_bcn_presp(sdata, stype, mgmt, len,
>>> -+      elems.mesh_config, rx_status);
>>> - }
>>> - 
>>> - int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
>>> -diff --git a/net/mac80211/mesh_sync.c b/net/mac80211/mesh_sync.c
>>> -index fde93de2b80a..9e342cc2504c 100644
>>> ---- a/net/mac80211/mesh_sync.c
>>> -+++ b/net/mac80211/mesh_sync.c
>>> -@@ -3,6 +3,7 @@
>>> -  * Copyright 2011-2012, Pavel Zubarev <pavel.zubarev@gmail.com>
>>> -  * Copyright 2011-2012, Marco Porsch <marco.porsch@s2005.tu-chemnitz.de>
>>> -  * Copyright 2011-2012, cozybit Inc.
>>> -+ * Copyright (C) 2021 Intel Corporation
>>> -  */
>>> - 
>>> - #include "ieee80211_i.h"
>>> -@@ -35,12 +36,12 @@ struct sync_method {
>>> - /**
>>> -  * mesh_peer_tbtt_adjusting - check if an mp is currently adjusting its TBTT
>>> -  *
>>> -- * @ie: information elements of a management frame from the mesh peer
>>> -+ * @cfg: mesh config element from the mesh peer (or %NULL)
>>> -  */
>>> --static bool mesh_peer_tbtt_adjusting(struct ieee802_11_elems *ie)
>>> -+static bool mesh_peer_tbtt_adjusting(const struct ieee80211_meshconf_ie *cfg)
>>> - {
>>> -- return (ie->mesh_config->meshconf_cap &
>>> -- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING) != 0;
>>> -+ return cfg &&
>>> -+       (cfg->meshconf_cap & IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING);
>>> - }
>>> - 
>>> - void mesh_sync_adjust_tsf(struct ieee80211_sub_if_data *sdata)
>>> -@@ -76,11 +77,11 @@ void mesh_sync_adjust_tsf(struct ieee80211_sub_if_data *sdata)
>>> - }
>>> - }
>>> - 
>>> --static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>>> --   u16 stype,
>>> --   struct ieee80211_mgmt *mgmt,
>>> --   struct ieee802_11_elems *elems,
>>> --   struct ieee80211_rx_status *rx_status)
>>> -+static void
>>> -+mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata, u16 stype,
>>> -+      struct ieee80211_mgmt *mgmt, unsigned int len,
>>> -+      const struct ieee80211_meshconf_ie *mesh_cfg,
>>> -+      struct ieee80211_rx_status *rx_status)
>>> - {
>>> - struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
>>> - struct ieee80211_local *local = sdata->local;
>>> -@@ -101,10 +102,7 @@ static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>>> - */
>>> - if (ieee80211_have_rx_timestamp(rx_status))
>>> - t_r = ieee80211_calculate_rx_timestamp(local, rx_status,
>>> --       24 + 12 +
>>> --       elems->total_len +
>>> --       FCS_LEN,
>>> --       24);
>>> -+       len + FCS_LEN, 24);
>>> - else
>>> - t_r = drv_get_tsf(local, sdata);
>>> - 
>>> -@@ -119,7 +117,7 @@ static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
>>> - * dot11MeshNbrOffsetMaxNeighbor non-peer non-MBSS neighbors
>>> - */
>>> - 
>>> -- if (elems->mesh_config && mesh_peer_tbtt_adjusting(elems)) {
>>> -+ if (mesh_peer_tbtt_adjusting(mesh_cfg)) {
>>> - msync_dbg(sdata, "STA %pM : is adjusting TBTT\n",
>>> -  sta->sta.addr);
>>> - goto no_sync;
>>> --- 
>>> -2.30.2
>>> -
>>> -- 
>>> 2.35.3
  

Patch

diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index bb4655a99..b160322cf 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1,6 +1,6 @@ 
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.15.68-ipfire Kernel Configuration
+# Linux/x86 5.15.85-ipfire Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.3.0"
 CONFIG_CC_IS_GCC=y
@@ -1036,6 +1036,7 @@  CONFIG_INET_ESP=m
 CONFIG_INET_ESP_OFFLOAD=m
 # CONFIG_INET_ESPINTCP is not set
 CONFIG_INET_IPCOMP=m
+CONFIG_INET_TABLE_PERTURB_ORDER=16
 CONFIG_INET_XFRM_TUNNEL=m
 CONFIG_INET_TUNNEL=m
 CONFIG_INET_DIAG=m
@@ -7393,6 +7394,8 @@  CONFIG_SYMBOLIC_ERRNAME=y
 CONFIG_DEBUG_BUGVERBOSE=y
 # end of printk and dmesg options
 
+CONFIG_AS_HAS_NON_CONST_LEB128=y
+
 #
 # Compile-time checks and compiler options
 #
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index 518230b39..d71fa4142 100644
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -6525,6 +6525,7 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/ASYNC_TX_DMA
 #lib/modules/KVER-ipfire/build/include/config/ASYNC_XOR
 #lib/modules/KVER-ipfire/build/include/config/AS_AVX512
+#lib/modules/KVER-ipfire/build/include/config/AS_HAS_NON_CONST_LEB128
 #lib/modules/KVER-ipfire/build/include/config/AS_IS_GNU
 #lib/modules/KVER-ipfire/build/include/config/AS_SHA1_NI
 #lib/modules/KVER-ipfire/build/include/config/AS_SHA256_NI
@@ -6668,8 +6669,6 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/BITREVERSE
 #lib/modules/KVER-ipfire/build/include/config/BLK_CGROUP
 #lib/modules/KVER-ipfire/build/include/config/BLK_CGROUP_RWSTAT
-#lib/modules/KVER-ipfire/build/include/config/BLK_DEBUG_FS
-#lib/modules/KVER-ipfire/build/include/config/BLK_DEBUG_FS_ZONED
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_3W_XXXX_RAID
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_BSG
@@ -7089,8 +7088,6 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/DE2104X_DSL
 #lib/modules/KVER-ipfire/build/include/config/DE4X5
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_BUGVERBOSE
-#lib/modules/KVER-ipfire/build/include/config/DEBUG_FS
-#lib/modules/KVER-ipfire/build/include/config/DEBUG_FS_ALLOW_ALL
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX
@@ -7422,7 +7419,6 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/DW_XDATA_PCIE
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG_CORE
-#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_EVENTS
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_ARGS
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_DIRECT_CALLS
@@ -8024,6 +8020,7 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/INET_IPCOMP
 #lib/modules/KVER-ipfire/build/include/config/INET_RAW_DIAG
 #lib/modules/KVER-ipfire/build/include/config/INET_SCTP_DIAG
+#lib/modules/KVER-ipfire/build/include/config/INET_TABLE_PERTURB_ORDER
 #lib/modules/KVER-ipfire/build/include/config/INET_TCP_DIAG
 #lib/modules/KVER-ipfire/build/include/config/INET_TUNNEL
 #lib/modules/KVER-ipfire/build/include/config/INET_UDP_DIAG
@@ -8424,7 +8421,6 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/LOCKUP_DETECTOR
 #lib/modules/KVER-ipfire/build/include/config/LOCK_DEBUGGING_SUPPORT
 #lib/modules/KVER-ipfire/build/include/config/LOCK_DOWN_KERNEL_FORCE_NONE
-#lib/modules/KVER-ipfire/build/include/config/LOCK_EVENT_COUNTS
 #lib/modules/KVER-ipfire/build/include/config/LOCK_SPIN_ON_OWNER
 #lib/modules/KVER-ipfire/build/include/config/LOGO
 #lib/modules/KVER-ipfire/build/include/config/LOGO_LINUX_CLUT224
@@ -9490,7 +9486,6 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/PRINTER
 #lib/modules/KVER-ipfire/build/include/config/PRINTK
 #lib/modules/KVER-ipfire/build/include/config/PRINTK_SAFE_LOG_BUF_SHIFT
-#lib/modules/KVER-ipfire/build/include/config/PROBE_EVENTS
 #lib/modules/KVER-ipfire/build/include/config/PROC_EVENTS
 #lib/modules/KVER-ipfire/build/include/config/PROC_FS
 #lib/modules/KVER-ipfire/build/include/config/PROC_PAGE_MONITOR
@@ -9848,7 +9843,6 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/SCSI_SCAN_ASYNC
 #lib/modules/KVER-ipfire/build/include/config/SCSI_SMARTPQI
 #lib/modules/KVER-ipfire/build/include/config/SCSI_SNIC
-#lib/modules/KVER-ipfire/build/include/config/SCSI_SNIC_DEBUG_FS
 #lib/modules/KVER-ipfire/build/include/config/SCSI_SPI_ATTRS
 #lib/modules/KVER-ipfire/build/include/config/SCSI_SRP_ATTRS
 #lib/modules/KVER-ipfire/build/include/config/SCSI_STEX
@@ -10385,7 +10379,6 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/SWIOTLB
 #lib/modules/KVER-ipfire/build/include/config/SWIOTLB_XEN
 #lib/modules/KVER-ipfire/build/include/config/SWPHY
-#lib/modules/KVER-ipfire/build/include/config/SW_SYNC
 #lib/modules/KVER-ipfire/build/include/config/SXGBE_ETH
 #lib/modules/KVER-ipfire/build/include/config/SYMBOLIC_ERRNAME
 #lib/modules/KVER-ipfire/build/include/config/SYNCLINK_GT
@@ -10533,8 +10526,6 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/UNIX_DIAG
 #lib/modules/KVER-ipfire/build/include/config/UNIX_SCM
 #lib/modules/KVER-ipfire/build/include/config/UNWINDER_ORC
-#lib/modules/KVER-ipfire/build/include/config/UPROBES
-#lib/modules/KVER-ipfire/build/include/config/UPROBE_EVENTS
 #lib/modules/KVER-ipfire/build/include/config/USB
 #lib/modules/KVER-ipfire/build/include/config/USBIP_CORE
 #lib/modules/KVER-ipfire/build/include/config/USBIP_HOST
@@ -11105,7 +11096,6 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/XEN_BLKDEV_BACKEND
 #lib/modules/KVER-ipfire/build/include/config/XEN_BLKDEV_FRONTEND
 #lib/modules/KVER-ipfire/build/include/config/XEN_COMPAT_XENFS
-#lib/modules/KVER-ipfire/build/include/config/XEN_DEBUG_FS
 #lib/modules/KVER-ipfire/build/include/config/XEN_DEV_EVTCHN
 #lib/modules/KVER-ipfire/build/include/config/XEN_DOM0
 #lib/modules/KVER-ipfire/build/include/config/XEN_EFI
@@ -16866,6 +16856,8 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/init
 #lib/modules/KVER-ipfire/build/init/Kconfig
 #lib/modules/KVER-ipfire/build/init/Makefile
+#lib/modules/KVER-ipfire/build/io_uring
+#lib/modules/KVER-ipfire/build/io_uring/Makefile
 #lib/modules/KVER-ipfire/build/ipc
 #lib/modules/KVER-ipfire/build/ipc/Makefile
 #lib/modules/KVER-ipfire/build/kernel
diff --git a/lfs/linux b/lfs/linux
index b628307fd..59238049c 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER         = 5.15.71
+VER         = 5.15.85
 ARM_PATCHES = 5.15-ipfire5
 
 THISAPP    = linux-$(VER)
@@ -78,7 +78,7 @@  objects =$(DL_FILE) \
 $(DL_FILE)					= $(URL_IPFIRE)/$(DL_FILE)
 arm-multi-patches-$(ARM_PATCHES).patch.xz	= $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
 
-$(DL_FILE)_BLAKE2 = 77da2393a31b6c6fed7cdfef61a112ae49fcdfce96968daf8c7a690a6e65025c7238c1fe084d0bfda403dc56db877b6db99def12803e840cacf318da40327d7b
+$(DL_FILE)_BLAKE2 = 481cea334dee4146d72704ecb88f654bd38ca62a5a28540f365a57f5cd522551c4b7f854c09380ec614098a9efa5dff4cef70c9cafe6277a410d3d2099eca1cc
 arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 58a70e757a9121a0aac83604a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165c6a86e0371a3e896f4c7cdd699c34a0
 
 install : $(TARGET)
@@ -146,11 +146,6 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# https://bugzilla.ipfire.org/show_bug.cgi?id=12889
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
 
-	# https://lists.ipfire.org/pipermail/development/2022-October/014562.html
-	for i in $$(seq 1 14); do \
-		cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-wifi-security-patches-$$i.patch || exit 1; \
-	done
-
 ifeq "$(BUILD_ARCH)" "armv6l"
 	# Apply Arm-multiarch kernel patches.
 	cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
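Review bot: With the `for i in $$(seq 1 14)` loop removed, nothing in the recipe or in the commit message records that the fixes from linux-5.15-wifi-security-patches-1 to -14 are still part of the kernel that gets built. The patch files deleted in this same commit name CVE-2022-41674, CVE-2022-42720, CVE-2022-42721 and CVE-2022-42722, and each carries a `commit … upstream.` line, so they are presumably contained in the 5.15.85 tarball. That is worth confirming per upstream commit id against the new tree before the local copies are dropped. I would leave a one-line trace where the loop was, e.g. `# wifi security patches 1-14 dropped: fixes are included upstream in 5.15.85`. The `$(TARGET)` rule this hunk sits in starts and ends outside the hunk.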
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-1.patch b/src/patches/linux/linux-5.15-wifi-security-patches-1.patch
deleted file mode 100644
index b646eea49..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-1.patch
+++ /dev/null
@@ -1,50 +0,0 @@ 
-From 9a8ef2030510a9d6ce86fd535b8d10720230811f Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 28 Sep 2022 21:56:15 +0200
-Subject: [PATCH] wifi: cfg80211: fix u8 overflow in
- cfg80211_update_notlisted_nontrans()
-
-commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
-
-In the copy code of the elements, we do the following calculation
-to reach the end of the MBSSID element:
-
-	/* copy the IEs after MBSSID */
-	cpy_len = mbssid[1] + 2;
-
-This looks fine, however, cpy_len is a u8, the same as mbssid[1],
-so the addition of two can overflow. In this case the subsequent
-memcpy() will overflow the allocated buffer, since it copies 256
-bytes too much due to the way the allocation and memcpy() sizes
-are calculated.
-
-Fix this by using size_t for the cpy_len variable.
-
-This fixes CVE-2022-41674.
-
-Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index 1a8b76c9dd56..d9ab37a798f4 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
- 	size_t new_ie_len;
- 	struct cfg80211_bss_ies *new_ies;
- 	const struct cfg80211_bss_ies *old;
--	u8 cpy_len;
-+	size_t cpy_len;
- 
- 	lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
- 
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-10.patch b/src/patches/linux/linux-5.15-wifi-security-patches-10.patch
deleted file mode 100644
index 51986afe7..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-10.patch
+++ /dev/null
@@ -1,98 +0,0 @@ 
-From 21df3a583e8e03d8f74fa2eedbcd7a2b3f5cabc1 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 13 Oct 2022 20:15:57 +0200
-Subject: [PATCH] mac80211: move CRC into struct ieee802_11_elems
-
-commit c6e37ed498f958254b5459253199e816b6bfc52f upstream.
-
-We're currently returning this value, but to prepare for
-returning the allocated structure, move it into there.
-
-Link: https://lore.kernel.org/r/20210920154009.479b8ebf999d.If0d4ba75ee38998dc3eeae25058aa748efcb2fc9@changeid
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Cc: Felix Fietkau <nbd@nbd.name>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/ieee80211_i.h |  9 +++++----
- net/mac80211/mlme.c        |  9 +++++----
- net/mac80211/util.c        | 10 +++++-----
- 3 files changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index 4bd55af184b2..5ea38ae65809 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -1532,6 +1532,7 @@ struct ieee80211_csa_ie {
- struct ieee802_11_elems {
- 	const u8 *ie_start;
- 	size_t total_len;
-+	u32 crc;
- 
- 	/* pointers to IEs */
- 	const struct ieee80211_tdls_lnkie *lnk_id;
-@@ -2218,10 +2219,10 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
- 	ieee80211_tx_skb_tid(sdata, skb, 7);
- }
- 
--u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
--			       struct ieee802_11_elems *elems,
--			       u64 filter, u32 crc, u8 *transmitter_bssid,
--			       u8 *bss_bssid);
-+void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
-+				struct ieee802_11_elems *elems,
-+				u64 filter, u32 crc, u8 *transmitter_bssid,
-+				u8 *bss_bssid);
- static inline void ieee802_11_parse_elems(const u8 *start, size_t len,
- 					  bool action,
- 					  struct ieee802_11_elems *elems,
-diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
-index 1548f532dc1a..4414e82e71d1 100644
---- a/net/mac80211/mlme.c
-+++ b/net/mac80211/mlme.c
-@@ -4102,10 +4102,11 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 	 */
- 	if (!ieee80211_is_s1g_beacon(hdr->frame_control))
- 		ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
--	ncrc = ieee802_11_parse_elems_crc(variable,
--					  len - baselen, false, &elems,
--					  care_about_ies, ncrc,
--					  mgmt->bssid, bssid);
-+	ieee802_11_parse_elems_crc(variable,
-+				   len - baselen, false, &elems,
-+				   care_about_ies, ncrc,
-+				   mgmt->bssid, bssid);
-+	ncrc = elems.crc;
- 
- 	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
- 	    ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) {
-diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index 00543ea9c6b5..ceb6894381e4 100644
---- a/net/mac80211/util.c
-+++ b/net/mac80211/util.c
-@@ -1468,10 +1468,10 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
- 	return found ? profile_len : 0;
- }
- 
--u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
--			       struct ieee802_11_elems *elems,
--			       u64 filter, u32 crc, u8 *transmitter_bssid,
--			       u8 *bss_bssid)
-+void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
-+				struct ieee802_11_elems *elems,
-+				u64 filter, u32 crc, u8 *transmitter_bssid,
-+				u8 *bss_bssid)
- {
- 	const struct element *non_inherit = NULL;
- 	u8 *nontransmitted_profile;
-@@ -1523,7 +1523,7 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
- 
- 	kfree(nontransmitted_profile);
- 
--	return crc;
-+	elems->crc = crc;
- }
- 
- void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-11.patch b/src/patches/linux/linux-5.15-wifi-security-patches-11.patch
deleted file mode 100644
index ae639c696..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-11.patch
+++ /dev/null
@@ -1,96 +0,0 @@ 
-From 630060f1175676b9cb3a032767f20dbce93616c9 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 13 Oct 2022 20:15:58 +0200
-Subject: [PATCH] mac80211: mlme: find auth challenge directly
-
-commit 49a765d6785e99157ff5091cc37485732496864e upstream.
-
-There's no need to parse all elements etc. just to find the
-authentication challenge - use cfg80211_find_elem() instead.
-This also allows us to remove WLAN_EID_CHALLENGE handling
-from the element parsing entirely.
-
-Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Cc: Felix Fietkau <nbd@nbd.name>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/ieee80211_i.h |  2 --
- net/mac80211/mlme.c        | 11 ++++++-----
- net/mac80211/util.c        |  4 ----
- 3 files changed, 6 insertions(+), 11 deletions(-)
-
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index 5ea38ae65809..c5f0ff805010 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -1542,7 +1542,6 @@ struct ieee802_11_elems {
- 	const u8 *supp_rates;
- 	const u8 *ds_params;
- 	const struct ieee80211_tim_ie *tim;
--	const u8 *challenge;
- 	const u8 *rsn;
- 	const u8 *rsnx;
- 	const u8 *erp_info;
-@@ -1596,7 +1595,6 @@ struct ieee802_11_elems {
- 	u8 ssid_len;
- 	u8 supp_rates_len;
- 	u8 tim_len;
--	u8 challenge_len;
- 	u8 rsn_len;
- 	u8 rsnx_len;
- 	u8 ext_supp_rates_len;
-diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
-index 4414e82e71d1..548cd14c5503 100644
---- a/net/mac80211/mlme.c
-+++ b/net/mac80211/mlme.c
-@@ -2889,17 +2889,17 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
- {
- 	struct ieee80211_local *local = sdata->local;
- 	struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
-+	const struct element *challenge;
- 	u8 *pos;
--	struct ieee802_11_elems elems;
- 	u32 tx_flags = 0;
- 	struct ieee80211_prep_tx_info info = {
- 		.subtype = IEEE80211_STYPE_AUTH,
- 	};
- 
- 	pos = mgmt->u.auth.variable;
--	ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
--			       mgmt->bssid, auth_data->bss->bssid);
--	if (!elems.challenge)
-+	challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos,
-+				       len - (pos - (u8 *)mgmt));
-+	if (!challenge)
- 		return;
- 	auth_data->expected_transaction = 4;
- 	drv_mgd_prepare_tx(sdata->local, sdata, &info);
-@@ -2907,7 +2907,8 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
- 		tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
- 			   IEEE80211_TX_INTFL_MLME_CONN_TX;
- 	ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
--			    elems.challenge - 2, elems.challenge_len + 2,
-+			    (void *)challenge,
-+			    challenge->datalen + sizeof(*challenge),
- 			    auth_data->bss->bssid, auth_data->bss->bssid,
- 			    auth_data->key, auth_data->key_len,
- 			    auth_data->key_idx, tx_flags);
-diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index ceb6894381e4..664c32b6db19 100644
---- a/net/mac80211/util.c
-+++ b/net/mac80211/util.c
-@@ -1117,10 +1117,6 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
- 			} else
- 				elem_parse_failed = true;
- 			break;
--		case WLAN_EID_CHALLENGE:
--			elems->challenge = pos;
--			elems->challenge_len = elen;
--			break;
- 		case WLAN_EID_VENDOR_SPECIFIC:
- 			if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
- 			    pos[2] == 0xf2) {
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-12.patch b/src/patches/linux/linux-5.15-wifi-security-patches-12.patch
deleted file mode 100644
index 4dea89e4c..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-12.patch
+++ /dev/null
@@ -1,1179 +0,0 @@ 
-From fee48f3bdd7516bb63da507213916227cf147211 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 13 Oct 2022 20:15:59 +0200
-Subject: [PATCH] mac80211: always allocate struct ieee802_11_elems
-
-As the 802.11 spec evolves, we need to parse more and more
-elements. This is causing the struct to grow, and we can no
-longer get away with putting it on the stack.
-
-Change the API to always dynamically allocate and return an
-allocated pointer that must be kfree()d later.
-
-As an alternative, I contemplated a scheme whereby we'd say
-in the code which elements we needed, e.g.
-
-    DECLARE_ELEMENT_PARSER(elems,
-                           SUPPORTED_CHANNELS,
-                           CHANNEL_SWITCH,
-                           EXT(KEY_DELIVERY));
-
-    ieee802_11_parse_elems(..., &elems, ...);
-
-and while I think this is possible and will save us a lot
-since most individual places only care about a small subset
-of the elements, it ended up being a bit more work since a
-lot of places do the parsing and then pass the struct to
-other functions, sometimes with multiple levels.
-
-Link: https://lore.kernel.org/r/20210920154009.26caff6b5998.I05ae58768e990e611aee8eca8abefd9d7bc15e05@changeid
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Cc: Felix Fietkau <nbd@nbd.name>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/agg-rx.c      |  11 +--
- net/mac80211/ibss.c        |  25 +++---
- net/mac80211/ieee80211_i.h |  22 ++---
- net/mac80211/mesh.c        |  85 ++++++++++--------
- net/mac80211/mesh_hwmp.c   |  44 +++++-----
- net/mac80211/mesh_plink.c  |  11 +--
- net/mac80211/mlme.c        | 176 +++++++++++++++++++++----------------
- net/mac80211/scan.c        |  16 ++--
- net/mac80211/tdls.c        |  63 +++++++------
- net/mac80211/util.c        |  20 +++--
- 10 files changed, 272 insertions(+), 201 deletions(-)
-
-diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
-index e43176794149..ffa4f31f6c2b 100644
---- a/net/mac80211/agg-rx.c
-+++ b/net/mac80211/agg-rx.c
-@@ -478,7 +478,7 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
- 				     size_t len)
- {
- 	u16 capab, tid, timeout, ba_policy, buf_size, start_seq_num;
--	struct ieee802_11_elems elems = { };
-+	struct ieee802_11_elems *elems = NULL;
- 	u8 dialog_token;
- 	int ies_len;
- 
-@@ -496,16 +496,17 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
- 	ies_len = len - offsetof(struct ieee80211_mgmt,
- 				 u.action.u.addba_req.variable);
- 	if (ies_len) {
--		ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
--                                ies_len, true, &elems, mgmt->bssid, NULL);
--		if (elems.parse_error)
-+		elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
-+					       ies_len, true, mgmt->bssid, NULL);
-+		if (!elems || elems->parse_error)
- 			return;
- 	}
- 
- 	__ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
- 					start_seq_num, ba_policy, tid,
- 					buf_size, true, false,
--					elems.addba_ext_ie);
-+					elems ? elems->addba_ext_ie : NULL);
-+	kfree(elems);
- }
- 
- void ieee80211_manage_rx_ba_offl(struct ieee80211_vif *vif,
-diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
-index 1e133ca58e78..4b721b48f86a 100644
---- a/net/mac80211/ibss.c
-+++ b/net/mac80211/ibss.c
-@@ -9,7 +9,7 @@
-  * Copyright 2009, Johannes Berg <johannes@sipsolutions.net>
-  * Copyright 2013-2014  Intel Mobile Communications GmbH
-  * Copyright(c) 2016 Intel Deutschland GmbH
-- * Copyright(c) 2018-2020 Intel Corporation
-+ * Copyright(c) 2018-2021 Intel Corporation
-  */
- 
- #include <linux/delay.h>
-@@ -1593,7 +1593,7 @@ void ieee80211_rx_mgmt_probe_beacon(struct ieee80211_sub_if_data *sdata,
- 				    struct ieee80211_rx_status *rx_status)
- {
- 	size_t baselen;
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 
- 	BUILD_BUG_ON(offsetof(typeof(mgmt->u.probe_resp), variable) !=
- 		     offsetof(typeof(mgmt->u.beacon), variable));
-@@ -1606,10 +1606,14 @@ void ieee80211_rx_mgmt_probe_beacon(struct ieee80211_sub_if_data *sdata,
- 	if (baselen > len)
- 		return;
- 
--	ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
--			       false, &elems, mgmt->bssid, NULL);
-+	elems = ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
-+				       len - baselen, false,
-+				       mgmt->bssid, NULL);
- 
--	ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems);
-+	if (elems) {
-+		ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, elems);
-+		kfree(elems);
-+	}
- }
- 
- void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
-@@ -1618,7 +1622,7 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
- 	struct ieee80211_rx_status *rx_status;
- 	struct ieee80211_mgmt *mgmt;
- 	u16 fc;
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 	int ies_len;
- 
- 	rx_status = IEEE80211_SKB_RXCB(skb);
-@@ -1655,15 +1659,16 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
- 			if (ies_len < 0)
- 				break;
- 
--			ieee802_11_parse_elems(
-+			elems = ieee802_11_parse_elems(
- 				mgmt->u.action.u.chan_switch.variable,
--				ies_len, true, &elems, mgmt->bssid, NULL);
-+				ies_len, true, mgmt->bssid, NULL);
- 
--			if (elems.parse_error)
-+			if (!elems || elems->parse_error)
- 				break;
- 
- 			ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
--							rx_status, &elems);
-+							rx_status, elems);
-+			kfree(elems);
- 			break;
- 		}
- 	}
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index c5f0ff805010..3633e49239c7 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -2217,18 +2217,18 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
- 	ieee80211_tx_skb_tid(sdata, skb, 7);
- }
- 
--void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
--				struct ieee802_11_elems *elems,
--				u64 filter, u32 crc, u8 *transmitter_bssid,
--				u8 *bss_bssid);
--static inline void ieee802_11_parse_elems(const u8 *start, size_t len,
--					  bool action,
--					  struct ieee802_11_elems *elems,
--					  u8 *transmitter_bssid,
--					  u8 *bss_bssid)
-+struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
-+						    bool action,
-+						    u64 filter, u32 crc,
-+						    const u8 *transmitter_bssid,
-+						    const u8 *bss_bssid);
-+static inline struct ieee802_11_elems *
-+ieee802_11_parse_elems(const u8 *start, size_t len, bool action,
-+		       const u8 *transmitter_bssid,
-+		       const u8 *bss_bssid)
- {
--	ieee802_11_parse_elems_crc(start, len, action, elems, 0, 0,
--				   transmitter_bssid, bss_bssid);
-+	return ieee802_11_parse_elems_crc(start, len, action, 0, 0,
-+					  transmitter_bssid, bss_bssid);
- }
- 
- 
-diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
-index 9f6414a68d71..6847fdf93439 100644
---- a/net/mac80211/mesh.c
-+++ b/net/mac80211/mesh.c
-@@ -1247,7 +1247,7 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
- 	struct sk_buff *presp;
- 	struct beacon_data *bcn;
- 	struct ieee80211_mgmt *hdr;
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 	size_t baselen;
- 	u8 *pos;
- 
-@@ -1256,22 +1256,24 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
- 	if (baselen > len)
- 		return;
- 
--	ieee802_11_parse_elems(pos, len - baselen, false, &elems, mgmt->bssid,
--			       NULL);
--
--	if (!elems.mesh_id)
-+	elems = ieee802_11_parse_elems(pos, len - baselen, false, mgmt->bssid,
-+				       NULL);
-+	if (!elems)
- 		return;
- 
-+	if (!elems->mesh_id)
-+		goto free;
-+
- 	/* 802.11-2012 10.1.4.3.2 */
- 	if ((!ether_addr_equal(mgmt->da, sdata->vif.addr) &&
- 	     !is_broadcast_ether_addr(mgmt->da)) ||
--	    elems.ssid_len != 0)
--		return;
-+	    elems->ssid_len != 0)
-+		goto free;
- 
--	if (elems.mesh_id_len != 0 &&
--	    (elems.mesh_id_len != ifmsh->mesh_id_len ||
--	     memcmp(elems.mesh_id, ifmsh->mesh_id, ifmsh->mesh_id_len)))
--		return;
-+	if (elems->mesh_id_len != 0 &&
-+	    (elems->mesh_id_len != ifmsh->mesh_id_len ||
-+	     memcmp(elems->mesh_id, ifmsh->mesh_id, ifmsh->mesh_id_len)))
-+		goto free;
- 
- 	rcu_read_lock();
- 	bcn = rcu_dereference(ifmsh->beacon);
-@@ -1295,6 +1297,8 @@ ieee80211_mesh_rx_probe_req(struct ieee80211_sub_if_data *sdata,
- 	ieee80211_tx_skb(sdata, presp);
- out:
- 	rcu_read_unlock();
-+free:
-+	kfree(elems);
- }
- 
- static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
-@@ -1305,7 +1309,7 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
- {
- 	struct ieee80211_local *local = sdata->local;
- 	struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 	struct ieee80211_channel *channel;
- 	size_t baselen;
- 	int freq;
-@@ -1320,42 +1324,47 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
- 	if (baselen > len)
- 		return;
- 
--	ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
--			       false, &elems, mgmt->bssid, NULL);
-+	elems = ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
-+				       len - baselen,
-+				       false, mgmt->bssid, NULL);
-+	if (!elems)
-+		return;
- 
- 	/* ignore non-mesh or secure / unsecure mismatch */
--	if ((!elems.mesh_id || !elems.mesh_config) ||
--	    (elems.rsn && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) ||
--	    (!elems.rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE))
--		return;
-+	if ((!elems->mesh_id || !elems->mesh_config) ||
-+	    (elems->rsn && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) ||
-+	    (!elems->rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE))
-+		goto free;
- 
--	if (elems.ds_params)
--		freq = ieee80211_channel_to_frequency(elems.ds_params[0], band);
-+	if (elems->ds_params)
-+		freq = ieee80211_channel_to_frequency(elems->ds_params[0], band);
- 	else
- 		freq = rx_status->freq;
- 
- 	channel = ieee80211_get_channel(local->hw.wiphy, freq);
- 
- 	if (!channel || channel->flags & IEEE80211_CHAN_DISABLED)
--		return;
-+		goto free;
- 
--	if (mesh_matches_local(sdata, &elems)) {
-+	if (mesh_matches_local(sdata, elems)) {
- 		mpl_dbg(sdata, "rssi_threshold=%d,rx_status->signal=%d\n",
- 			sdata->u.mesh.mshcfg.rssi_threshold, rx_status->signal);
- 		if (!sdata->u.mesh.user_mpm ||
- 		    sdata->u.mesh.mshcfg.rssi_threshold == 0 ||
- 		    sdata->u.mesh.mshcfg.rssi_threshold < rx_status->signal)
--			mesh_neighbour_update(sdata, mgmt->sa, &elems,
-+			mesh_neighbour_update(sdata, mgmt->sa, elems,
- 					      rx_status);
- 
- 		if (ifmsh->csa_role != IEEE80211_MESH_CSA_ROLE_INIT &&
- 		    !sdata->vif.csa_active)
--			ieee80211_mesh_process_chnswitch(sdata, &elems, true);
-+			ieee80211_mesh_process_chnswitch(sdata, elems, true);
- 	}
- 
- 	if (ifmsh->sync_ops)
- 		ifmsh->sync_ops->rx_bcn_presp(sdata, stype, mgmt, len,
--					      elems.mesh_config, rx_status);
-+					      elems->mesh_config, rx_status);
-+free:
-+	kfree(elems);
- }
- 
- int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
-@@ -1447,7 +1456,7 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
- 			      struct ieee80211_mgmt *mgmt, size_t len)
- {
- 	struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 	u16 pre_value;
- 	bool fwd_csa = true;
- 	size_t baselen;
-@@ -1460,33 +1469,37 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
- 	pos = mgmt->u.action.u.chan_switch.variable;
- 	baselen = offsetof(struct ieee80211_mgmt,
- 			   u.action.u.chan_switch.variable);
--	ieee802_11_parse_elems(pos, len - baselen, true, &elems,
--			       mgmt->bssid, NULL);
--
--	if (!mesh_matches_local(sdata, &elems))
-+	elems = ieee802_11_parse_elems(pos, len - baselen, true,
-+				       mgmt->bssid, NULL);
-+	if (!elems)
- 		return;
- 
--	ifmsh->chsw_ttl = elems.mesh_chansw_params_ie->mesh_ttl;
-+	if (!mesh_matches_local(sdata, elems))
-+		goto free;
-+
-+	ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
- 	if (!--ifmsh->chsw_ttl)
- 		fwd_csa = false;
- 
--	pre_value = le16_to_cpu(elems.mesh_chansw_params_ie->mesh_pre_value);
-+	pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
- 	if (ifmsh->pre_value >= pre_value)
--		return;
-+		goto free;
- 
- 	ifmsh->pre_value = pre_value;
- 
- 	if (!sdata->vif.csa_active &&
--	    !ieee80211_mesh_process_chnswitch(sdata, &elems, false)) {
-+	    !ieee80211_mesh_process_chnswitch(sdata, elems, false)) {
- 		mcsa_dbg(sdata, "Failed to process CSA action frame");
--		return;
-+		goto free;
- 	}
- 
- 	/* forward or re-broadcast the CSA frame */
- 	if (fwd_csa) {
--		if (mesh_fwd_csa_frame(sdata, mgmt, len, &elems) < 0)
-+		if (mesh_fwd_csa_frame(sdata, mgmt, len, elems) < 0)
- 			mcsa_dbg(sdata, "Failed to forward the CSA frame");
- 	}
-+free:
-+	kfree(elems);
- }
- 
- static void ieee80211_mesh_rx_mgmt_action(struct ieee80211_sub_if_data *sdata,
-diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
-index a05b615deb51..44a6fdb6efbd 100644
---- a/net/mac80211/mesh_hwmp.c
-+++ b/net/mac80211/mesh_hwmp.c
-@@ -1,7 +1,7 @@
- // SPDX-License-Identifier: GPL-2.0-only
- /*
-  * Copyright (c) 2008, 2009 open80211s Ltd.
-- * Copyright (C) 2019 Intel Corporation
-+ * Copyright (C) 2019, 2021 Intel Corporation
-  * Author:     Luis Carlos Cobo <luisca@cozybit.com>
-  */
- 
-@@ -908,7 +908,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
- void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
- 			    struct ieee80211_mgmt *mgmt, size_t len)
- {
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 	size_t baselen;
- 	u32 path_metric;
- 	struct sta_info *sta;
-@@ -926,37 +926,41 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
- 	rcu_read_unlock();
- 
- 	baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt;
--	ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
--			       len - baselen, false, &elems, mgmt->bssid, NULL);
-+	elems = ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
-+				       len - baselen, false, mgmt->bssid, NULL);
-+	if (!elems)
-+		return;
- 
--	if (elems.preq) {
--		if (elems.preq_len != 37)
-+	if (elems->preq) {
-+		if (elems->preq_len != 37)
- 			/* Right now we support just 1 destination and no AE */
--			return;
--		path_metric = hwmp_route_info_get(sdata, mgmt, elems.preq,
-+			goto free;
-+		path_metric = hwmp_route_info_get(sdata, mgmt, elems->preq,
- 						  MPATH_PREQ);
- 		if (path_metric)
--			hwmp_preq_frame_process(sdata, mgmt, elems.preq,
-+			hwmp_preq_frame_process(sdata, mgmt, elems->preq,
- 						path_metric);
- 	}
--	if (elems.prep) {
--		if (elems.prep_len != 31)
-+	if (elems->prep) {
-+		if (elems->prep_len != 31)
- 			/* Right now we support no AE */
--			return;
--		path_metric = hwmp_route_info_get(sdata, mgmt, elems.prep,
-+			goto free;
-+		path_metric = hwmp_route_info_get(sdata, mgmt, elems->prep,
- 						  MPATH_PREP);
- 		if (path_metric)
--			hwmp_prep_frame_process(sdata, mgmt, elems.prep,
-+			hwmp_prep_frame_process(sdata, mgmt, elems->prep,
- 						path_metric);
- 	}
--	if (elems.perr) {
--		if (elems.perr_len != 15)
-+	if (elems->perr) {
-+		if (elems->perr_len != 15)
- 			/* Right now we support only one destination per PERR */
--			return;
--		hwmp_perr_frame_process(sdata, mgmt, elems.perr);
-+			goto free;
-+		hwmp_perr_frame_process(sdata, mgmt, elems->perr);
- 	}
--	if (elems.rann)
--		hwmp_rann_frame_process(sdata, mgmt, elems.rann);
-+	if (elems->rann)
-+		hwmp_rann_frame_process(sdata, mgmt, elems->rann);
-+free:
-+	kfree(elems);
- }
- 
- /**
-diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
-index a6915847d78a..a829470dd59e 100644
---- a/net/mac80211/mesh_plink.c
-+++ b/net/mac80211/mesh_plink.c
-@@ -1,7 +1,7 @@
- // SPDX-License-Identifier: GPL-2.0-only
- /*
-  * Copyright (c) 2008, 2009 open80211s Ltd.
-- * Copyright (C) 2019 Intel Corporation
-+ * Copyright (C) 2019, 2021 Intel Corporation
-  * Author:     Luis Carlos Cobo <luisca@cozybit.com>
-  */
- #include <linux/gfp.h>
-@@ -1200,7 +1200,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
- 			 struct ieee80211_mgmt *mgmt, size_t len,
- 			 struct ieee80211_rx_status *rx_status)
- {
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 	size_t baselen;
- 	u8 *baseaddr;
- 
-@@ -1228,7 +1228,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
- 		if (baselen > len)
- 			return;
- 	}
--	ieee802_11_parse_elems(baseaddr, len - baselen, true, &elems,
--			       mgmt->bssid, NULL);
--	mesh_process_plink_frame(sdata, mgmt, &elems, rx_status);
-+	elems = ieee802_11_parse_elems(baseaddr, len - baselen, true,
-+				       mgmt->bssid, NULL);
-+	mesh_process_plink_frame(sdata, mgmt, elems, rx_status);
-+	kfree(elems);
- }
-diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
-index 548cd14c5503..45efa1d1c550 100644
---- a/net/mac80211/mlme.c
-+++ b/net/mac80211/mlme.c
-@@ -3317,8 +3317,11 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
- 		aid = 0; /* TODO */
- 	}
- 	capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
--	ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems,
--			       mgmt->bssid, assoc_data->bss->bssid);
-+	elems = ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false,
-+				       mgmt->bssid, assoc_data->bss->bssid);
-+
-+	if (!elems)
-+		return false;
- 
- 	if (elems->aid_resp)
- 		aid = le16_to_cpu(elems->aid_resp->aid);
-@@ -3340,7 +3343,8 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
- 
- 	if (!is_s1g && !elems->supp_rates) {
- 		sdata_info(sdata, "no SuppRates element in AssocResp\n");
--		return false;
-+		ret = false;
-+		goto out;
- 	}
- 
- 	sdata->vif.bss_conf.aid = aid;
-@@ -3362,7 +3366,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
- 	     (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
- 	      (!elems->vht_cap_elem || !elems->vht_operation)))) {
- 		const struct cfg80211_bss_ies *ies;
--		struct ieee802_11_elems bss_elems;
-+		struct ieee802_11_elems *bss_elems;
- 
- 		rcu_read_lock();
- 		ies = rcu_dereference(cbss->ies);
-@@ -3373,13 +3377,17 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
- 		if (!bss_ies)
- 			return false;
- 
--		ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
--				       false, &bss_elems,
--				       mgmt->bssid,
--				       assoc_data->bss->bssid);
-+		bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
-+						   false, mgmt->bssid,
-+						   assoc_data->bss->bssid);
-+		if (!bss_elems) {
-+			ret = false;
-+			goto out;
-+		}
-+
- 		if (assoc_data->wmm &&
--		    !elems->wmm_param && bss_elems.wmm_param) {
--			elems->wmm_param = bss_elems.wmm_param;
-+		    !elems->wmm_param && bss_elems->wmm_param) {
-+			elems->wmm_param = bss_elems->wmm_param;
- 			sdata_info(sdata,
- 				   "AP bug: WMM param missing from AssocResp\n");
- 		}
-@@ -3388,30 +3396,32 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
- 		 * Also check if we requested HT/VHT, otherwise the AP doesn't
- 		 * have to include the IEs in the (re)association response.
- 		 */
--		if (!elems->ht_cap_elem && bss_elems.ht_cap_elem &&
-+		if (!elems->ht_cap_elem && bss_elems->ht_cap_elem &&
- 		    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
--			elems->ht_cap_elem = bss_elems.ht_cap_elem;
-+			elems->ht_cap_elem = bss_elems->ht_cap_elem;
- 			sdata_info(sdata,
- 				   "AP bug: HT capability missing from AssocResp\n");
- 		}
--		if (!elems->ht_operation && bss_elems.ht_operation &&
-+		if (!elems->ht_operation && bss_elems->ht_operation &&
- 		    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
--			elems->ht_operation = bss_elems.ht_operation;
-+			elems->ht_operation = bss_elems->ht_operation;
- 			sdata_info(sdata,
- 				   "AP bug: HT operation missing from AssocResp\n");
- 		}
--		if (!elems->vht_cap_elem && bss_elems.vht_cap_elem &&
-+		if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
- 		    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
--			elems->vht_cap_elem = bss_elems.vht_cap_elem;
-+			elems->vht_cap_elem = bss_elems->vht_cap_elem;
- 			sdata_info(sdata,
- 				   "AP bug: VHT capa missing from AssocResp\n");
- 		}
--		if (!elems->vht_operation && bss_elems.vht_operation &&
-+		if (!elems->vht_operation && bss_elems->vht_operation &&
- 		    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
--			elems->vht_operation = bss_elems.vht_operation;
-+			elems->vht_operation = bss_elems->vht_operation;
- 			sdata_info(sdata,
- 				   "AP bug: VHT operation missing from AssocResp\n");
- 		}
-+
-+		kfree(bss_elems);
- 	}
- 
- 	/*
-@@ -3662,6 +3672,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
- 
- 	ret = true;
-  out:
-+	kfree(elems);
- 	kfree(bss_ies);
- 	return ret;
- }
-@@ -3673,7 +3684,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
- 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
- 	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
- 	u16 capab_info, status_code, aid;
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 	int ac, uapsd_queues = -1;
- 	u8 *pos;
- 	bool reassoc;
-@@ -3730,14 +3741,16 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
- 	    fils_decrypt_assoc_resp(sdata, (u8 *)mgmt, &len, assoc_data) < 0)
- 		return;
- 
--	ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
--			       mgmt->bssid, assoc_data->bss->bssid);
-+	elems = ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false,
-+				       mgmt->bssid, assoc_data->bss->bssid);
-+	if (!elems)
-+		goto notify_driver;
- 
- 	if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
--	    elems.timeout_int &&
--	    elems.timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
-+	    elems->timeout_int &&
-+	    elems->timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
- 		u32 tu, ms;
--		tu = le32_to_cpu(elems.timeout_int->value);
-+		tu = le32_to_cpu(elems->timeout_int->value);
- 		ms = tu * 1024 / 1000;
- 		sdata_info(sdata,
- 			   "%pM rejected association temporarily; comeback duration %u TU (%u ms)\n",
-@@ -3757,7 +3770,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
- 		event.u.mlme.reason = status_code;
- 		drv_event_callback(sdata->local, sdata, &event);
- 	} else {
--		if (!ieee80211_assoc_success(sdata, cbss, mgmt, len, &elems)) {
-+		if (!ieee80211_assoc_success(sdata, cbss, mgmt, len, elems)) {
- 			/* oops -- internal error -- send timeout for now */
- 			ieee80211_destroy_assoc_data(sdata, false, false);
- 			cfg80211_assoc_timeout(sdata->dev, cbss);
-@@ -3787,6 +3800,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
- 			       ifmgd->assoc_req_ies, ifmgd->assoc_req_ies_len);
- notify_driver:
- 	drv_mgd_complete_tx(sdata->local, sdata, &info);
-+	kfree(elems);
- }
- 
- static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
-@@ -3991,7 +4005,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 	struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
- 	struct ieee80211_mgmt *mgmt = (void *) hdr;
- 	size_t baselen;
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 	struct ieee80211_local *local = sdata->local;
- 	struct ieee80211_chanctx_conf *chanctx_conf;
- 	struct ieee80211_channel *chan;
-@@ -4037,15 +4051,16 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 
- 	if (ifmgd->assoc_data && ifmgd->assoc_data->need_beacon &&
- 	    ieee80211_rx_our_beacon(bssid, ifmgd->assoc_data->bss)) {
--		ieee802_11_parse_elems(variable,
--				       len - baselen, false, &elems,
--				       bssid,
--				       ifmgd->assoc_data->bss->bssid);
-+		elems = ieee802_11_parse_elems(variable, len - baselen, false,
-+					       bssid,
-+					       ifmgd->assoc_data->bss->bssid);
-+		if (!elems)
-+			return;
- 
- 		ieee80211_rx_bss_info(sdata, mgmt, len, rx_status);
- 
--		if (elems.dtim_period)
--			ifmgd->dtim_period = elems.dtim_period;
-+		if (elems->dtim_period)
-+			ifmgd->dtim_period = elems->dtim_period;
- 		ifmgd->have_beacon = true;
- 		ifmgd->assoc_data->need_beacon = false;
- 		if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY)) {
-@@ -4053,17 +4068,17 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 				le64_to_cpu(mgmt->u.beacon.timestamp);
- 			sdata->vif.bss_conf.sync_device_ts =
- 				rx_status->device_timestamp;
--			sdata->vif.bss_conf.sync_dtim_count = elems.dtim_count;
-+			sdata->vif.bss_conf.sync_dtim_count = elems->dtim_count;
- 		}
- 
--		if (elems.mbssid_config_ie)
-+		if (elems->mbssid_config_ie)
- 			bss_conf->profile_periodicity =
--				elems.mbssid_config_ie->profile_periodicity;
-+				elems->mbssid_config_ie->profile_periodicity;
- 		else
- 			bss_conf->profile_periodicity = 0;
- 
--		if (elems.ext_capab_len >= 11 &&
--		    (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
-+		if (elems->ext_capab_len >= 11 &&
-+		    (elems->ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
- 			bss_conf->ema_ap = true;
- 		else
- 			bss_conf->ema_ap = false;
-@@ -4072,6 +4087,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 		ifmgd->assoc_data->timeout = jiffies;
- 		ifmgd->assoc_data->timeout_started = true;
- 		run_again(sdata, ifmgd->assoc_data->timeout);
-+		kfree(elems);
- 		return;
- 	}
- 
-@@ -4103,14 +4119,15 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 	 */
- 	if (!ieee80211_is_s1g_beacon(hdr->frame_control))
- 		ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
--	ieee802_11_parse_elems_crc(variable,
--				   len - baselen, false, &elems,
--				   care_about_ies, ncrc,
--				   mgmt->bssid, bssid);
--	ncrc = elems.crc;
-+	elems = ieee802_11_parse_elems_crc(variable, len - baselen,
-+					   false, care_about_ies, ncrc,
-+					   mgmt->bssid, bssid);
-+	if (!elems)
-+		return;
-+	ncrc = elems->crc;
- 
- 	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
--	    ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) {
-+	    ieee80211_check_tim(elems->tim, elems->tim_len, bss_conf->aid)) {
- 		if (local->hw.conf.dynamic_ps_timeout > 0) {
- 			if (local->hw.conf.flags & IEEE80211_CONF_PS) {
- 				local->hw.conf.flags &= ~IEEE80211_CONF_PS;
-@@ -4180,12 +4197,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 			le64_to_cpu(mgmt->u.beacon.timestamp);
- 		sdata->vif.bss_conf.sync_device_ts =
- 			rx_status->device_timestamp;
--		sdata->vif.bss_conf.sync_dtim_count = elems.dtim_count;
-+		sdata->vif.bss_conf.sync_dtim_count = elems->dtim_count;
- 	}
- 
- 	if ((ncrc == ifmgd->beacon_crc && ifmgd->beacon_crc_valid) ||
- 	    ieee80211_is_s1g_short_beacon(mgmt->frame_control))
--		return;
-+		goto free;
- 	ifmgd->beacon_crc = ncrc;
- 	ifmgd->beacon_crc_valid = true;
- 
-@@ -4193,12 +4210,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 
- 	ieee80211_sta_process_chanswitch(sdata, rx_status->mactime,
- 					 rx_status->device_timestamp,
--					 &elems, true);
-+					 elems, true);
- 
- 	if (!(ifmgd->flags & IEEE80211_STA_DISABLE_WMM) &&
--	    ieee80211_sta_wmm_params(local, sdata, elems.wmm_param,
--				     elems.wmm_param_len,
--				     elems.mu_edca_param_set))
-+	    ieee80211_sta_wmm_params(local, sdata, elems->wmm_param,
-+				     elems->wmm_param_len,
-+				     elems->mu_edca_param_set))
- 		changed |= BSS_CHANGED_QOS;
- 
- 	/*
-@@ -4207,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 	 */
- 	if (!ifmgd->have_beacon) {
- 		/* a few bogus AP send dtim_period = 0 or no TIM IE */
--		bss_conf->dtim_period = elems.dtim_period ?: 1;
-+		bss_conf->dtim_period = elems->dtim_period ?: 1;
- 
- 		changed |= BSS_CHANGED_BEACON_INFO;
- 		ifmgd->have_beacon = true;
-@@ -4219,9 +4236,9 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 		ieee80211_recalc_ps_vif(sdata);
- 	}
- 
--	if (elems.erp_info) {
-+	if (elems->erp_info) {
- 		erp_valid = true;
--		erp_value = elems.erp_info[0];
-+		erp_value = elems->erp_info[0];
- 	} else {
- 		erp_valid = false;
- 	}
-@@ -4234,12 +4251,12 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 	mutex_lock(&local->sta_mtx);
- 	sta = sta_info_get(sdata, bssid);
- 
--	changed |= ieee80211_recalc_twt_req(sdata, sta, &elems);
-+	changed |= ieee80211_recalc_twt_req(sdata, sta, elems);
- 
--	if (ieee80211_config_bw(sdata, sta, elems.ht_cap_elem,
--				elems.vht_cap_elem, elems.ht_operation,
--				elems.vht_operation, elems.he_operation,
--				elems.s1g_oper, bssid, &changed)) {
-+	if (ieee80211_config_bw(sdata, sta, elems->ht_cap_elem,
-+				elems->vht_cap_elem, elems->ht_operation,
-+				elems->vht_operation, elems->he_operation,
-+				elems->s1g_oper, bssid, &changed)) {
- 		mutex_unlock(&local->sta_mtx);
- 		sdata_info(sdata,
- 			   "failed to follow AP %pM bandwidth change, disconnect\n",
-@@ -4251,21 +4268,23 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
- 					    sizeof(deauth_buf), true,
- 					    WLAN_REASON_DEAUTH_LEAVING,
- 					    false);
--		return;
-+		goto free;
- 	}
- 
--	if (sta && elems.opmode_notif)
--		ieee80211_vht_handle_opmode(sdata, sta, *elems.opmode_notif,
-+	if (sta && elems->opmode_notif)
-+		ieee80211_vht_handle_opmode(sdata, sta, *elems->opmode_notif,
- 					    rx_status->band);
- 	mutex_unlock(&local->sta_mtx);
- 
- 	changed |= ieee80211_handle_pwr_constr(sdata, chan, mgmt,
--					       elems.country_elem,
--					       elems.country_elem_len,
--					       elems.pwr_constr_elem,
--					       elems.cisco_dtpc_elem);
-+					       elems->country_elem,
-+					       elems->country_elem_len,
-+					       elems->pwr_constr_elem,
-+					       elems->cisco_dtpc_elem);
- 
- 	ieee80211_bss_info_change_notify(sdata, changed);
-+free:
-+	kfree(elems);
- }
- 
- void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
-@@ -4294,7 +4313,6 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
- 	struct ieee80211_rx_status *rx_status;
- 	struct ieee80211_mgmt *mgmt;
- 	u16 fc;
--	struct ieee802_11_elems elems;
- 	int ies_len;
- 
- 	rx_status = (struct ieee80211_rx_status *) skb->cb;
-@@ -4326,6 +4344,8 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
- 		break;
- 	case IEEE80211_STYPE_ACTION:
- 		if (mgmt->u.action.category == WLAN_CATEGORY_SPECTRUM_MGMT) {
-+			struct ieee802_11_elems *elems;
-+
- 			ies_len = skb->len -
- 				  offsetof(struct ieee80211_mgmt,
- 					   u.action.u.chan_switch.variable);
-@@ -4334,18 +4354,21 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
- 				break;
- 
- 			/* CSA IE cannot be overridden, no need for BSSID */
--			ieee802_11_parse_elems(
--				mgmt->u.action.u.chan_switch.variable,
--				ies_len, true, &elems, mgmt->bssid, NULL);
-+			elems = ieee802_11_parse_elems(
-+					mgmt->u.action.u.chan_switch.variable,
-+					ies_len, true, mgmt->bssid, NULL);
- 
--			if (elems.parse_error)
-+			if (!elems || elems->parse_error)
- 				break;
- 
- 			ieee80211_sta_process_chanswitch(sdata,
- 						 rx_status->mactime,
- 						 rx_status->device_timestamp,
--						 &elems, false);
-+						 elems, false);
-+			kfree(elems);
- 		} else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
-+			struct ieee802_11_elems *elems;
-+
- 			ies_len = skb->len -
- 				  offsetof(struct ieee80211_mgmt,
- 					   u.action.u.ext_chan_switch.variable);
-@@ -4357,21 +4380,22 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
- 			 * extended CSA IE can't be overridden, no need for
- 			 * BSSID
- 			 */
--			ieee802_11_parse_elems(
--				mgmt->u.action.u.ext_chan_switch.variable,
--				ies_len, true, &elems, mgmt->bssid, NULL);
-+			elems = ieee802_11_parse_elems(
-+					mgmt->u.action.u.ext_chan_switch.variable,
-+					ies_len, true, mgmt->bssid, NULL);
- 
--			if (elems.parse_error)
-+			if (!elems || elems->parse_error)
- 				break;
- 
- 			/* for the handling code pretend this was also an IE */
--			elems.ext_chansw_ie =
-+			elems->ext_chansw_ie =
- 				&mgmt->u.action.u.ext_chan_switch.data;
- 
- 			ieee80211_sta_process_chanswitch(sdata,
- 						 rx_status->mactime,
- 						 rx_status->device_timestamp,
--						 &elems, false);
-+						 elems, false);
-+			kfree(elems);
- 		}
- 		break;
- 	}
-diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
-index d6afaacaf7ef..e692a2487eb5 100644
---- a/net/mac80211/scan.c
-+++ b/net/mac80211/scan.c
-@@ -9,7 +9,7 @@
-  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
-  * Copyright 2013-2015  Intel Mobile Communications GmbH
-  * Copyright 2016-2017  Intel Deutschland GmbH
-- * Copyright (C) 2018-2020 Intel Corporation
-+ * Copyright (C) 2018-2021 Intel Corporation
-  */
- 
- #include <linux/if_arp.h>
-@@ -155,7 +155,7 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
- 	};
- 	bool signal_valid;
- 	struct ieee80211_sub_if_data *scan_sdata;
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 	size_t baselen;
- 	u8 *elements;
- 
-@@ -209,8 +209,10 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
- 	if (baselen > len)
- 		return NULL;
- 
--	ieee802_11_parse_elems(elements, len - baselen, false, &elems,
--			       mgmt->bssid, cbss->bssid);
-+	elems = ieee802_11_parse_elems(elements, len - baselen, false,
-+				       mgmt->bssid, cbss->bssid);
-+	if (!elems)
-+		return NULL;
- 
- 	/* In case the signal is invalid update the status */
- 	signal_valid = channel == cbss->channel;
-@@ -218,15 +220,17 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
- 		rx_status->flag |= RX_FLAG_NO_SIGNAL_VAL;
- 
- 	bss = (void *)cbss->priv;
--	ieee80211_update_bss_from_elems(local, bss, &elems, rx_status, beacon);
-+	ieee80211_update_bss_from_elems(local, bss, elems, rx_status, beacon);
- 
- 	list_for_each_entry(non_tx_cbss, &cbss->nontrans_list, nontrans_list) {
- 		non_tx_bss = (void *)non_tx_cbss->priv;
- 
--		ieee80211_update_bss_from_elems(local, non_tx_bss, &elems,
-+		ieee80211_update_bss_from_elems(local, non_tx_bss, elems,
- 						rx_status, beacon);
- 	}
- 
-+	kfree(elems);
-+
- 	return bss;
- }
- 
-diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
-index 45e532ad1215..137be9ec94af 100644
---- a/net/mac80211/tdls.c
-+++ b/net/mac80211/tdls.c
-@@ -6,7 +6,7 @@
-  * Copyright 2014, Intel Corporation
-  * Copyright 2014  Intel Mobile Communications GmbH
-  * Copyright 2015 - 2016 Intel Deutschland GmbH
-- * Copyright (C) 2019 Intel Corporation
-+ * Copyright (C) 2019, 2021 Intel Corporation
-  */
- 
- #include <linux/ieee80211.h>
-@@ -1684,7 +1684,7 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
- 					   struct sk_buff *skb)
- {
- 	struct ieee80211_local *local = sdata->local;
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems = NULL;
- 	struct sta_info *sta;
- 	struct ieee80211_tdls_data *tf = (void *)skb->data;
- 	bool local_initiator;
-@@ -1718,16 +1718,20 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
- 		goto call_drv;
- 	}
- 
--	ieee802_11_parse_elems(tf->u.chan_switch_resp.variable,
--			       skb->len - baselen, false, &elems,
--			       NULL, NULL);
--	if (elems.parse_error) {
-+	elems = ieee802_11_parse_elems(tf->u.chan_switch_resp.variable,
-+				       skb->len - baselen, false, NULL, NULL);
-+	if (!elems) {
-+		ret = -ENOMEM;
-+		goto out;
-+	}
-+
-+	if (elems->parse_error) {
- 		tdls_dbg(sdata, "Invalid IEs in TDLS channel switch resp\n");
- 		ret = -EINVAL;
- 		goto out;
- 	}
- 
--	if (!elems.ch_sw_timing || !elems.lnk_id) {
-+	if (!elems->ch_sw_timing || !elems->lnk_id) {
- 		tdls_dbg(sdata, "TDLS channel switch resp - missing IEs\n");
- 		ret = -EINVAL;
- 		goto out;
-@@ -1735,15 +1739,15 @@ ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
- 
- 	/* validate the initiator is set correctly */
- 	local_initiator =
--		!memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
-+		!memcmp(elems->lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
- 	if (local_initiator == sta->sta.tdls_initiator) {
- 		tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
- 		ret = -EINVAL;
- 		goto out;
- 	}
- 
--	params.switch_time = le16_to_cpu(elems.ch_sw_timing->switch_time);
--	params.switch_timeout = le16_to_cpu(elems.ch_sw_timing->switch_timeout);
-+	params.switch_time = le16_to_cpu(elems->ch_sw_timing->switch_time);
-+	params.switch_timeout = le16_to_cpu(elems->ch_sw_timing->switch_timeout);
- 
- 	params.tmpl_skb =
- 		ieee80211_tdls_ch_sw_resp_tmpl_get(sta, &params.ch_sw_tm_ie);
-@@ -1763,6 +1767,7 @@ call_drv:
- out:
- 	mutex_unlock(&local->sta_mtx);
- 	dev_kfree_skb_any(params.tmpl_skb);
-+	kfree(elems);
- 	return ret;
- }
- 
-@@ -1771,7 +1776,7 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
- 					  struct sk_buff *skb)
- {
- 	struct ieee80211_local *local = sdata->local;
--	struct ieee802_11_elems elems;
-+	struct ieee802_11_elems *elems;
- 	struct cfg80211_chan_def chandef;
- 	struct ieee80211_channel *chan;
- 	enum nl80211_channel_type chan_type;
-@@ -1831,22 +1836,27 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
- 		return -EINVAL;
- 	}
- 
--	ieee802_11_parse_elems(tf->u.chan_switch_req.variable,
--			       skb->len - baselen, false, &elems, NULL, NULL);
--	if (elems.parse_error) {
-+	elems = ieee802_11_parse_elems(tf->u.chan_switch_req.variable,
-+				       skb->len - baselen, false, NULL, NULL);
-+	if (!elems)
-+		return -ENOMEM;
-+
-+	if (elems->parse_error) {
- 		tdls_dbg(sdata, "Invalid IEs in TDLS channel switch req\n");
--		return -EINVAL;
-+		ret = -EINVAL;
-+		goto free;
- 	}
- 
--	if (!elems.ch_sw_timing || !elems.lnk_id) {
-+	if (!elems->ch_sw_timing || !elems->lnk_id) {
- 		tdls_dbg(sdata, "TDLS channel switch req - missing IEs\n");
--		return -EINVAL;
-+		ret = -EINVAL;
-+		goto free;
- 	}
- 
--	if (!elems.sec_chan_offs) {
-+	if (!elems->sec_chan_offs) {
- 		chan_type = NL80211_CHAN_HT20;
- 	} else {
--		switch (elems.sec_chan_offs->sec_chan_offs) {
-+		switch (elems->sec_chan_offs->sec_chan_offs) {
- 		case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
- 			chan_type = NL80211_CHAN_HT40PLUS;
- 			break;
-@@ -1865,7 +1875,8 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
- 	if (!cfg80211_reg_can_beacon_relax(sdata->local->hw.wiphy, &chandef,
- 					   sdata->wdev.iftype)) {
- 		tdls_dbg(sdata, "TDLS chan switch to forbidden channel\n");
--		return -EINVAL;
-+		ret = -EINVAL;
-+		goto free;
- 	}
- 
- 	mutex_lock(&local->sta_mtx);
-@@ -1881,7 +1892,7 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
- 
- 	/* validate the initiator is set correctly */
- 	local_initiator =
--		!memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
-+		!memcmp(elems->lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
- 	if (local_initiator == sta->sta.tdls_initiator) {
- 		tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
- 		ret = -EINVAL;
-@@ -1889,16 +1900,16 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
- 	}
- 
- 	/* peer should have known better */
--	if (!sta->sta.ht_cap.ht_supported && elems.sec_chan_offs &&
--	    elems.sec_chan_offs->sec_chan_offs) {
-+	if (!sta->sta.ht_cap.ht_supported && elems->sec_chan_offs &&
-+	    elems->sec_chan_offs->sec_chan_offs) {
- 		tdls_dbg(sdata, "TDLS chan switch - wide chan unsupported\n");
- 		ret = -ENOTSUPP;
- 		goto out;
- 	}
- 
- 	params.chandef = &chandef;
--	params.switch_time = le16_to_cpu(elems.ch_sw_timing->switch_time);
--	params.switch_timeout = le16_to_cpu(elems.ch_sw_timing->switch_timeout);
-+	params.switch_time = le16_to_cpu(elems->ch_sw_timing->switch_time);
-+	params.switch_timeout = le16_to_cpu(elems->ch_sw_timing->switch_timeout);
- 
- 	params.tmpl_skb =
- 		ieee80211_tdls_ch_sw_resp_tmpl_get(sta,
-@@ -1917,6 +1928,8 @@ ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
- out:
- 	mutex_unlock(&local->sta_mtx);
- 	dev_kfree_skb_any(params.tmpl_skb);
-+free:
-+	kfree(elems);
- 	return ret;
- }
- 
-diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index 664c32b6db19..2ac61e68b6b4 100644
---- a/net/mac80211/util.c
-+++ b/net/mac80211/util.c
-@@ -1396,8 +1396,8 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
- 
- static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
- 					    struct ieee802_11_elems *elems,
--					    u8 *transmitter_bssid,
--					    u8 *bss_bssid,
-+					    const u8 *transmitter_bssid,
-+					    const u8 *bss_bssid,
- 					    u8 *nontransmitted_profile)
- {
- 	const struct element *elem, *sub;
-@@ -1464,16 +1464,20 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
- 	return found ? profile_len : 0;
- }
- 
--void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
--				struct ieee802_11_elems *elems,
--				u64 filter, u32 crc, u8 *transmitter_bssid,
--				u8 *bss_bssid)
-+struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
-+						    bool action, u64 filter,
-+						    u32 crc,
-+						    const u8 *transmitter_bssid,
-+						    const u8 *bss_bssid)
- {
-+	struct ieee802_11_elems *elems;
- 	const struct element *non_inherit = NULL;
- 	u8 *nontransmitted_profile;
- 	int nontransmitted_profile_len = 0;
- 
--	memset(elems, 0, sizeof(*elems));
-+	elems = kzalloc(sizeof(*elems), GFP_ATOMIC);
-+	if (!elems)
-+		return NULL;
- 	elems->ie_start = start;
- 	elems->total_len = len;
- 
-@@ -1520,6 +1524,8 @@ void ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
- 	kfree(nontransmitted_profile);
- 
- 	elems->crc = crc;
-+
-+	return elems;
- }
- 
- void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch b/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
deleted file mode 100644
index 1d167c19a..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
+++ /dev/null
@@ -1,130 +0,0 @@ 
-From 7d998f6b7365d50a9905bf57fd28b41c7ebe8e9d Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 13 Oct 2022 20:16:00 +0200
-Subject: [PATCH] mac80211: fix memory leaks with element parsing
-
-commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
-
-My previous commit 5d24828d05f3 ("mac80211: always allocate
-struct ieee802_11_elems") had a few bugs and leaked the new
-allocated struct in a few error cases, fix that.
-
-Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Cc: Felix Fietkau <nbd@nbd.name>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/agg-rx.c |  3 ++-
- net/mac80211/ibss.c   | 10 +++++-----
- net/mac80211/mlme.c   | 36 ++++++++++++++++++------------------
- 3 files changed, 25 insertions(+), 24 deletions(-)
-
-diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
-index ffa4f31f6c2b..0d2bab9d351c 100644
---- a/net/mac80211/agg-rx.c
-+++ b/net/mac80211/agg-rx.c
-@@ -499,13 +499,14 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
- 		elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
- 					       ies_len, true, mgmt->bssid, NULL);
- 		if (!elems || elems->parse_error)
--			return;
-+			goto free;
- 	}
- 
- 	__ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
- 					start_seq_num, ba_policy, tid,
- 					buf_size, true, false,
- 					elems ? elems->addba_ext_ie : NULL);
-+free:
- 	kfree(elems);
- }
- 
-diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
-index 4b721b48f86a..48e0260f3424 100644
---- a/net/mac80211/ibss.c
-+++ b/net/mac80211/ibss.c
-@@ -1663,11 +1663,11 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
- 				mgmt->u.action.u.chan_switch.variable,
- 				ies_len, true, mgmt->bssid, NULL);
- 
--			if (!elems || elems->parse_error)
--				break;
--
--			ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
--							rx_status, elems);
-+			if (elems && !elems->parse_error)
-+				ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
-+								skb->len,
-+								rx_status,
-+								elems);
- 			kfree(elems);
- 			break;
- 		}
-diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
-index 45efa1d1c550..cc6d38a2e6d5 100644
---- a/net/mac80211/mlme.c
-+++ b/net/mac80211/mlme.c
-@@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
- 			bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
- 					  GFP_ATOMIC);
- 		rcu_read_unlock();
--		if (!bss_ies)
--			return false;
-+		if (!bss_ies) {
-+			ret = false;
-+			goto out;
-+		}
- 
- 		bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
- 						   false, mgmt->bssid,
-@@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
- 					mgmt->u.action.u.chan_switch.variable,
- 					ies_len, true, mgmt->bssid, NULL);
- 
--			if (!elems || elems->parse_error)
--				break;
--
--			ieee80211_sta_process_chanswitch(sdata,
--						 rx_status->mactime,
--						 rx_status->device_timestamp,
--						 elems, false);
-+			if (elems && !elems->parse_error)
-+				ieee80211_sta_process_chanswitch(sdata,
-+								 rx_status->mactime,
-+								 rx_status->device_timestamp,
-+								 elems, false);
- 			kfree(elems);
- 		} else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
- 			struct ieee802_11_elems *elems;
-@@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
- 					mgmt->u.action.u.ext_chan_switch.variable,
- 					ies_len, true, mgmt->bssid, NULL);
- 
--			if (!elems || elems->parse_error)
--				break;
-+			if (elems && !elems->parse_error) {
-+				/* for the handling code pretend it was an IE */
-+				elems->ext_chansw_ie =
-+					&mgmt->u.action.u.ext_chan_switch.data;
- 
--			/* for the handling code pretend this was also an IE */
--			elems->ext_chansw_ie =
--				&mgmt->u.action.u.ext_chan_switch.data;
-+				ieee80211_sta_process_chanswitch(sdata,
-+								 rx_status->mactime,
-+								 rx_status->device_timestamp,
-+								 elems, false);
-+			}
- 
--			ieee80211_sta_process_chanswitch(sdata,
--						 rx_status->mactime,
--						 rx_status->device_timestamp,
--						 elems, false);
- 			kfree(elems);
- 		}
- 		break;
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-14.patch b/src/patches/linux/linux-5.15-wifi-security-patches-14.patch
deleted file mode 100644
index f0ccc0b6a..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-14.patch
+++ /dev/null
@@ -1,107 +0,0 @@ 
-From de124365a7d2deed22cf706583930f28d537ff0f Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 13 Oct 2022 20:16:01 +0200
-Subject: [PATCH] wifi: mac80211: fix MBSSID parsing use-after-free
-
-commit ff05d4b45dd89b922578dac497dcabf57cf771c6
-
-When we parse a multi-BSSID element, we might point some
-element pointers into the allocated nontransmitted_profile.
-However, we free this before returning, causing UAF when the
-relevant pointers in the parsed elements are accessed.
-
-Fix this by not allocating the scratch buffer separately but
-as part of the returned structure instead, that way, there
-are no lifetime issues with it.
-
-The scratch buffer introduction as part of the returned data
-here is taken from MLO feature work done by Ilan.
-
-This fixes CVE-2022-42719.
-
-Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
-Co-developed-by: Ilan Peer <ilan.peer@intel.com>
-Signed-off-by: Ilan Peer <ilan.peer@intel.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Cc: Felix Fietkau <nbd@nbd.name>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/ieee80211_i.h |  8 ++++++++
- net/mac80211/util.c        | 29 ++++++++++++++---------------
- 2 files changed, 22 insertions(+), 15 deletions(-)
-
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index 3633e49239c7..21549a440b38 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -1613,6 +1613,14 @@ struct ieee802_11_elems {
- 
- 	/* whether a parse error occurred while retrieving these elements */
- 	bool parse_error;
-+
-+	/*
-+	 * scratch buffer that can be used for various element parsing related
-+	 * tasks, e.g., element de-fragmentation etc.
-+	 */
-+	size_t scratch_len;
-+	u8 *scratch_pos;
-+	u8 scratch[];
- };
- 
- static inline struct ieee80211_local *hw_to_local(
-diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index 2ac61e68b6b4..354badd32793 100644
---- a/net/mac80211/util.c
-+++ b/net/mac80211/util.c
-@@ -1475,24 +1475,25 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
- 	u8 *nontransmitted_profile;
- 	int nontransmitted_profile_len = 0;
- 
--	elems = kzalloc(sizeof(*elems), GFP_ATOMIC);
-+	elems = kzalloc(sizeof(*elems) + len, GFP_ATOMIC);
- 	if (!elems)
- 		return NULL;
- 	elems->ie_start = start;
- 	elems->total_len = len;
- 
--	nontransmitted_profile = kmalloc(len, GFP_ATOMIC);
--	if (nontransmitted_profile) {
--		nontransmitted_profile_len =
--			ieee802_11_find_bssid_profile(start, len, elems,
--						      transmitter_bssid,
--						      bss_bssid,
--						      nontransmitted_profile);
--		non_inherit =
--			cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
--					       nontransmitted_profile,
--					       nontransmitted_profile_len);
--	}
-+	elems->scratch_len = len;
-+	elems->scratch_pos = elems->scratch;
-+
-+	nontransmitted_profile = elems->scratch_pos;
-+	nontransmitted_profile_len =
-+		ieee802_11_find_bssid_profile(start, len, elems,
-+					      transmitter_bssid,
-+					      bss_bssid,
-+					      nontransmitted_profile);
-+	non_inherit =
-+		cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
-+				       nontransmitted_profile,
-+				       nontransmitted_profile_len);
- 
- 	crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
- 					  crc, non_inherit);
-@@ -1521,8 +1522,6 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,
- 	    offsetofend(struct ieee80211_bssid_index, dtim_count))
- 		elems->dtim_count = elems->bssid_index->dtim_count;
- 
--	kfree(nontransmitted_profile);
--
- 	elems->crc = crc;
- 
- 	return elems;
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-2.patch b/src/patches/linux/linux-5.15-wifi-security-patches-2.patch
deleted file mode 100644
index d2a04e717..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-2.patch
+++ /dev/null
@@ -1,59 +0,0 @@ 
-From 0a861bd25dad508e492c48169509d8c6b9246895 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 28 Sep 2022 22:01:37 +0200
-Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements
-
-commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
-
-Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
-and the minimum is 1 since a multiple BSSID set with just one BSSID
-doesn't make sense (the # of BSSIDs is limited by 2^n).
-
-Limit this in the parsing in both cfg80211 and mac80211, rejecting
-any elements with an invalid value.
-
-This fixes potentially bad shifts in the processing of these inside
-the cfg80211_gen_new_bssid() function later.
-
-I found this during the investigation of CVE-2022-41674 fixed by the
-previous patch.
-
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/util.c | 2 ++
- net/wireless/scan.c | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index be1911d8089f..00543ea9c6b5 100644
---- a/net/mac80211/util.c
-+++ b/net/mac80211/util.c
-@@ -1414,6 +1414,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
- 	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
- 		if (elem->datalen < 2)
- 			continue;
-+		if (elem->data[0] < 1 || elem->data[0] > 8)
-+			continue;
- 
- 		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
- 			u8 new_bssid[ETH_ALEN];
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index d9ab37a798f4..84c642eae4d8 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -2103,6 +2103,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
- 	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
- 		if (elem->datalen < 4)
- 			continue;
-+		if (elem->data[0] < 1 || (int)elem->data[0] > 8)
-+			continue;
- 		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
- 			u8 profile_len;
- 
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-3.patch b/src/patches/linux/linux-5.15-wifi-security-patches-3.patch
deleted file mode 100644
index 60be08214..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-3.patch
+++ /dev/null
@@ -1,49 +0,0 @@ 
-From 9e99ca59ed3976921f8891c103d503b6da3e78af Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 29 Sep 2022 21:50:44 +0200
-Subject: [PATCH] wifi: cfg80211: ensure length byte is present before access
-
-commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
-
-When iterating the elements here, ensure the length byte is
-present before checking it to see if the entire element will
-fit into the buffer.
-
-Longer term, we should rewrite this code using the type-safe
-element iteration macros that check all of this.
-
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index 84c642eae4d8..04c9b78b3fec 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
- 	tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
- 	tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
- 
--	while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
-+	while (tmp_old + 2 - ie <= ielen &&
-+	       tmp_old + tmp_old[1] + 2 - ie <= ielen) {
- 		if (tmp_old[0] == 0) {
- 			tmp_old++;
- 			continue;
-@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
- 	 * copied to new ie, skip ssid, capability, bssid-index ie
- 	 */
- 	tmp_new = sub_copy;
--	while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
-+	while (tmp_new + 2 - sub_copy <= subie_len &&
-+	       tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
- 		if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
- 		      tmp_new[0] == WLAN_EID_SSID)) {
- 			memcpy(pos, tmp_new, tmp_new[1] + 2);
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-4.patch b/src/patches/linux/linux-5.15-wifi-security-patches-4.patch
deleted file mode 100644
index bd2439041..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-4.patch
+++ /dev/null
@@ -1,96 +0,0 @@ 
-From bfe29873454f38eb1a511a76144ad1a4848ca176 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Fri, 30 Sep 2022 23:44:23 +0200
-Subject: [PATCH] wifi: cfg80211: fix BSS refcounting bugs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream.
-
-There are multiple refcounting bugs related to multi-BSSID:
- - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
-   the bss pointer is overwritten before checking for the
-   transmitted BSS, which is clearly wrong. Fix this by using
-   the bss_from_pub() macro.
-
- - In cfg80211_bss_update() we copy the transmitted_bss pointer
-   from tmp into new, but then if we release new, we'll unref
-   it erroneously. We already set the pointer and ref it, but
-   need to NULL it since it was copied from the tmp data.
-
- - In cfg80211_inform_single_bss_data(), if adding to the non-
-   transmitted list fails, we unlink the BSS and yet still we
-   return it, but this results in returning an entry without
-   a reference. We shouldn't return it anyway if it was broken
-   enough to not get added there.
-
-This fixes CVE-2022-42720.
-
-Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 27 ++++++++++++++-------------
- 1 file changed, 14 insertions(+), 13 deletions(-)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index 04c9b78b3fec..2e576714e989 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
- 	lockdep_assert_held(&rdev->bss_lock);
- 
- 	bss->refcount++;
--	if (bss->pub.hidden_beacon_bss) {
--		bss = container_of(bss->pub.hidden_beacon_bss,
--				   struct cfg80211_internal_bss,
--				   pub);
--		bss->refcount++;
--	}
--	if (bss->pub.transmitted_bss) {
--		bss = container_of(bss->pub.transmitted_bss,
--				   struct cfg80211_internal_bss,
--				   pub);
--		bss->refcount++;
--	}
-+
-+	if (bss->pub.hidden_beacon_bss)
-+		bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
-+
-+	if (bss->pub.transmitted_bss)
-+		bss_from_pub(bss->pub.transmitted_bss)->refcount++;
- }
- 
- static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
-@@ -1743,6 +1737,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
- 		new->refcount = 1;
- 		INIT_LIST_HEAD(&new->hidden_list);
- 		INIT_LIST_HEAD(&new->pub.nontrans_list);
-+		/* we'll set this later if it was non-NULL */
-+		new->pub.transmitted_bss = NULL;
- 
- 		if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
- 			hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
-@@ -1983,10 +1979,15 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
- 		spin_lock_bh(&rdev->bss_lock);
- 		if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
- 					       &res->pub)) {
--			if (__cfg80211_unlink_bss(rdev, res))
-+			if (__cfg80211_unlink_bss(rdev, res)) {
- 				rdev->bss_generation++;
-+				res = NULL;
-+			}
- 		}
- 		spin_unlock_bh(&rdev->bss_lock);
-+
-+		if (!res)
-+			return NULL;
- 	}
- 
- 	trace_cfg80211_return_bss(&res->pub);
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch b/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
deleted file mode 100644
index c0c4dadd3..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
+++ /dev/null
@@ -1,56 +0,0 @@ 
-From 0a8ee682e4f992eccce226b012bba600bb2251e2 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Sat, 1 Oct 2022 00:01:44 +0200
-Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list corruption
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
-
-If a non-transmitted BSS shares enough information (both
-SSID and BSSID!) with another non-transmitted BSS of a
-different AP, then we can find and update it, and then
-try to add it to the non-transmitted BSS list. We do a
-search for it on the transmitted BSS, but if it's not
-there (but belongs to another transmitted BSS), the list
-gets corrupted.
-
-Since this is an erroneous situation, simply fail the
-list insertion in this case and free the non-transmitted
-BSS.
-
-This fixes CVE-2022-42721.
-
-Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index 2e576714e989..a21baf7b3612 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
- 
- 	rcu_read_unlock();
- 
-+	/*
-+	 * This is a bit weird - it's not on the list, but already on another
-+	 * one! The only way that could happen is if there's some BSSID/SSID
-+	 * shared by multiple APs in their multi-BSSID profiles, potentially
-+	 * with hidden SSID mixed in ... ignore it.
-+	 */
-+	if (!list_empty(&nontrans_bss->nontrans_list))
-+		return -EINVAL;
-+
- 	/* add to the list */
- 	list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
- 	return 0;
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-6.patch b/src/patches/linux/linux-5.15-wifi-security-patches-6.patch
deleted file mode 100644
index caa380de8..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-6.patch
+++ /dev/null
@@ -1,39 +0,0 @@ 
-From fff244e9171b2ca692469d41c68b36607bd73ab0 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 5 Oct 2022 15:10:09 +0200
-Subject: [PATCH] wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-commit 1833b6f46d7e2830251a063935ab464256defe22 upstream.
-
-If the tool on the other side (e.g. wmediumd) gets confused
-about the rate, we hit a warning in mac80211. Silence that
-by effectively duplicating the check here and dropping the
-frame silently (in mac80211 it's dropped with the warning).
-
-Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/wireless/mac80211_hwsim.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
-index 52a2574b7d13..b228567b2a73 100644
---- a/drivers/net/wireless/mac80211_hwsim.c
-+++ b/drivers/net/wireless/mac80211_hwsim.c
-@@ -3749,6 +3749,8 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
- 
- 	rx_status.band = channel->band;
- 	rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
-+	if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates)
-+		goto out;
- 	rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
- 
- 	hdr = (void *)skb->data;
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-7.patch b/src/patches/linux/linux-5.15-wifi-security-patches-7.patch
deleted file mode 100644
index b5cb2ad12..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-7.patch
+++ /dev/null
@@ -1,60 +0,0 @@ 
-From 93a3a32554079432b49cf87f326607b2a2fab4f2 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 5 Oct 2022 21:24:10 +0200
-Subject: [PATCH] wifi: mac80211: fix crash in beacon protection for P2P-device
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
-
-If beacon protection is active but the beacon cannot be
-decrypted or is otherwise malformed, we call the cfg80211
-API to report this to userspace, but that uses a netdev
-pointer, which isn't present for P2P-Device. Fix this to
-call it only conditionally to ensure cfg80211 won't crash
-in the case of P2P-Device.
-
-This fixes CVE-2022-42722.
-
-Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/rx.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
-index 743e97ba352c..175ead6b19cb 100644
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -1982,10 +1982,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
- 
- 		if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
- 		    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
--		    NUM_DEFAULT_BEACON_KEYS) {
--			cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
--						     skb->data,
--						     skb->len);
-+				   NUM_DEFAULT_BEACON_KEYS) {
-+			if (rx->sdata->dev)
-+				cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
-+							     skb->data,
-+							     skb->len);
- 			return RX_DROP_MONITOR; /* unexpected BIP keyidx */
- 		}
- 
-@@ -2133,7 +2134,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
- 	/* either the frame has been decrypted or will be dropped */
- 	status->flag |= RX_FLAG_DECRYPTED;
- 
--	if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
-+	if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
-+		     rx->sdata->dev))
- 		cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
- 					     skb->data, skb->len);
- 
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-8.patch b/src/patches/linux/linux-5.15-wifi-security-patches-8.patch
deleted file mode 100644
index 8099f3a72..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-8.patch
+++ /dev/null
@@ -1,94 +0,0 @@ 
-From d15bb1f6dabe1d2a4155958111bea47db72b599c Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 5 Oct 2022 23:11:43 +0200
-Subject: [PATCH] wifi: cfg80211: update hidden BSSes to avoid WARN_ON
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream.
-
-When updating beacon elements in a non-transmitted BSS,
-also update the hidden sub-entries to the same beacon
-elements, so that a future update through other paths
-won't trigger a WARN_ON().
-
-The warning is triggered because the beacon elements in
-the hidden BSSes that are children of the BSS should
-always be the same as in the parent.
-
-Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 31 ++++++++++++++++++++-----------
- 1 file changed, 20 insertions(+), 11 deletions(-)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index a21baf7b3612..f0de22a6caf7 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -1609,6 +1609,23 @@ struct cfg80211_non_tx_bss {
- 	u8 bssid_index;
- };
- 
-+static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known,
-+					 const struct cfg80211_bss_ies *new_ies,
-+					 const struct cfg80211_bss_ies *old_ies)
-+{
-+	struct cfg80211_internal_bss *bss;
-+
-+	/* Assign beacon IEs to all sub entries */
-+	list_for_each_entry(bss, &known->hidden_list, hidden_list) {
-+		const struct cfg80211_bss_ies *ies;
-+
-+		ies = rcu_access_pointer(bss->pub.beacon_ies);
-+		WARN_ON(ies != old_ies);
-+
-+		rcu_assign_pointer(bss->pub.beacon_ies, new_ies);
-+	}
-+}
-+
- static bool
- cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
- 			  struct cfg80211_internal_bss *known,
-@@ -1632,7 +1649,6 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
- 			kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
- 	} else if (rcu_access_pointer(new->pub.beacon_ies)) {
- 		const struct cfg80211_bss_ies *old;
--		struct cfg80211_internal_bss *bss;
- 
- 		if (known->pub.hidden_beacon_bss &&
- 		    !list_empty(&known->hidden_list)) {
-@@ -1660,16 +1676,7 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
- 		if (old == rcu_access_pointer(known->pub.ies))
- 			rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
- 
--		/* Assign beacon IEs to all sub entries */
--		list_for_each_entry(bss, &known->hidden_list, hidden_list) {
--			const struct cfg80211_bss_ies *ies;
--
--			ies = rcu_access_pointer(bss->pub.beacon_ies);
--			WARN_ON(ies != old);
--
--			rcu_assign_pointer(bss->pub.beacon_ies,
--					   new->pub.beacon_ies);
--		}
-+		cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
- 
- 		if (old)
- 			kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
-@@ -2319,6 +2326,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
- 	} else {
- 		old = rcu_access_pointer(nontrans_bss->beacon_ies);
- 		rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies);
-+		cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss),
-+					     new_ies, old);
- 		rcu_assign_pointer(nontrans_bss->ies, new_ies);
- 		if (old)
- 			kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
--- 
-2.30.2
-
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-9.patch b/src/patches/linux/linux-5.15-wifi-security-patches-9.patch
deleted file mode 100644
index 5781b077d..000000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-9.patch
+++ /dev/null
@@ -1,126 +0,0 @@ 
-From 864f2d3482f4bd0c62b355e35ee8300be8ef488e Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 13 Oct 2022 20:15:56 +0200
-Subject: [PATCH] mac80211: mesh: clean up rx_bcn_presp API
-
-commit a5b983c6073140b624f64e79fea6d33c3e4315a0 upstream.
-
-We currently pass the entire elements to the rx_bcn_presp()
-method, but only need mesh_config. Additionally, we use the
-length of the elements to calculate back the entire frame's
-length, but that's confusing - just pass the length of the
-frame instead.
-
-Link: https://lore.kernel.org/r/20210920154009.a18ed3d2da6c.I1824b773a0fbae4453e1433c184678ca14e8df45@changeid
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Cc: Felix Fietkau <nbd@nbd.name>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/ieee80211_i.h |  7 +++----
- net/mac80211/mesh.c        |  4 ++--
- net/mac80211/mesh_sync.c   | 26 ++++++++++++--------------
- 3 files changed, 17 insertions(+), 20 deletions(-)
-
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index f7bea4af2ddb..4bd55af184b2 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -631,10 +631,9 @@ struct ieee80211_if_ocb {
-  */
- struct ieee802_11_elems;
- struct ieee80211_mesh_sync_ops {
--	void (*rx_bcn_presp)(struct ieee80211_sub_if_data *sdata,
--			     u16 stype,
--			     struct ieee80211_mgmt *mgmt,
--			     struct ieee802_11_elems *elems,
-+	void (*rx_bcn_presp)(struct ieee80211_sub_if_data *sdata, u16 stype,
-+			     struct ieee80211_mgmt *mgmt, unsigned int len,
-+			     const struct ieee80211_meshconf_ie *mesh_cfg,
- 			     struct ieee80211_rx_status *rx_status);
- 
- 	/* should be called with beacon_data under RCU read lock */
-diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
-index 42bd81a30310..9f6414a68d71 100644
---- a/net/mac80211/mesh.c
-+++ b/net/mac80211/mesh.c
-@@ -1354,8 +1354,8 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
- 	}
- 
- 	if (ifmsh->sync_ops)
--		ifmsh->sync_ops->rx_bcn_presp(sdata,
--			stype, mgmt, &elems, rx_status);
-+		ifmsh->sync_ops->rx_bcn_presp(sdata, stype, mgmt, len,
-+					      elems.mesh_config, rx_status);
- }
- 
- int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
-diff --git a/net/mac80211/mesh_sync.c b/net/mac80211/mesh_sync.c
-index fde93de2b80a..9e342cc2504c 100644
---- a/net/mac80211/mesh_sync.c
-+++ b/net/mac80211/mesh_sync.c
-@@ -3,6 +3,7 @@
-  * Copyright 2011-2012, Pavel Zubarev <pavel.zubarev@gmail.com>
-  * Copyright 2011-2012, Marco Porsch <marco.porsch@s2005.tu-chemnitz.de>
-  * Copyright 2011-2012, cozybit Inc.
-+ * Copyright (C) 2021 Intel Corporation
-  */
- 
- #include "ieee80211_i.h"
-@@ -35,12 +36,12 @@ struct sync_method {
- /**
-  * mesh_peer_tbtt_adjusting - check if an mp is currently adjusting its TBTT
-  *
-- * @ie: information elements of a management frame from the mesh peer
-+ * @cfg: mesh config element from the mesh peer (or %NULL)
-  */
--static bool mesh_peer_tbtt_adjusting(struct ieee802_11_elems *ie)
-+static bool mesh_peer_tbtt_adjusting(const struct ieee80211_meshconf_ie *cfg)
- {
--	return (ie->mesh_config->meshconf_cap &
--			IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING) != 0;
-+	return cfg &&
-+	       (cfg->meshconf_cap & IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING);
- }
- 
- void mesh_sync_adjust_tsf(struct ieee80211_sub_if_data *sdata)
-@@ -76,11 +77,11 @@ void mesh_sync_adjust_tsf(struct ieee80211_sub_if_data *sdata)
- 	}
- }
- 
--static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
--				   u16 stype,
--				   struct ieee80211_mgmt *mgmt,
--				   struct ieee802_11_elems *elems,
--				   struct ieee80211_rx_status *rx_status)
-+static void
-+mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata, u16 stype,
-+			      struct ieee80211_mgmt *mgmt, unsigned int len,
-+			      const struct ieee80211_meshconf_ie *mesh_cfg,
-+			      struct ieee80211_rx_status *rx_status)
- {
- 	struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
- 	struct ieee80211_local *local = sdata->local;
-@@ -101,10 +102,7 @@ static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
- 	 */
- 	if (ieee80211_have_rx_timestamp(rx_status))
- 		t_r = ieee80211_calculate_rx_timestamp(local, rx_status,
--						       24 + 12 +
--						       elems->total_len +
--						       FCS_LEN,
--						       24);
-+						       len + FCS_LEN, 24);
- 	else
- 		t_r = drv_get_tsf(local, sdata);
- 
-@@ -119,7 +117,7 @@ static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
- 	 * dot11MeshNbrOffsetMaxNeighbor non-peer non-MBSS neighbors
- 	 */
- 
--	if (elems->mesh_config && mesh_peer_tbtt_adjusting(elems)) {
-+	if (mesh_peer_tbtt_adjusting(mesh_cfg)) {
- 		msync_dbg(sdata, "STA %pM : is adjusting TBTT\n",
- 			  sta->sta.addr);
- 		goto no_sync;
--- 
-2.30.2
-