<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/net/wireless/scan.c, branch v6.12.80</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-03-04T12:19:58+00:00</updated>
<entry>
<title>wifi: cfg80211: Fix use_for flag update on BSS refresh</title>
<updated>2026-03-04T12:19:58+00:00</updated>
<author>
<name>Huang Chenming</name>
<email>chenming.huang@oss.qualcomm.com</email>
</author>
<published>2025-12-09T02:57:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=33b2230edd86aceacb152ae2997e0b7a44db5931'/>
<id>urn:sha1:33b2230edd86aceacb152ae2997e0b7a44db5931</id>
<content type='text'>
[ Upstream commit 4073ea516106e5f98ed0476f89cdede8baa98d37 ]

Userspace may fail to connect to certain BSS that were initially
marked as unusable due to regulatory restrictions (use_for = 0,
e.g., 6 GHz power type mismatch). Even after these restrictions
are removed and the BSS becomes usable, connection attempts still
fail.

The issue occurs in cfg80211_update_known_bss() where the use_for
flag is updated using bitwise AND (&amp;=) instead of direct assignment.
Once a BSS is marked with use_for = 0, the AND operation masks out
any subsequent non-zero values, permanently keeping the flag at 0.
This causes __cfg80211_get_bss(), invoked by nl80211_assoc_bss(), to
fail the check "(bss-&gt;pub.use_for &amp; use_for) != use_for", thereby
blocking association.

Replace the bitwise AND operation with direct assignment so the use_for
flag accurately reflects the current BSS state.

Fixes: d02a12b8e4bb ("wifi: cfg80211: add BSS usage reporting")
Signed-off-by: Huang Chenming &lt;chenming.huang@oss.qualcomm.com&gt;
Link: https://patch.msgid.link/20251209025733.2098456-1-chenming.huang@oss.qualcomm.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>wifi: cfg80211: fix use-after-free in cmp_bss()</title>
<updated>2025-09-09T16:58:05+00:00</updated>
<author>
<name>Dmitry Antipov</name>
<email>dmantipov@yandex.ru</email>
</author>
<published>2025-08-13T13:52:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5b7ae04969f822283a95c866967e42b4d75e0eef'/>
<id>urn:sha1:5b7ae04969f822283a95c866967e42b4d75e0eef</id>
<content type='text'>
[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ]

Following bss_free() quirk introduced in commit 776b3580178f
("cfg80211: track hidden SSID networks properly"), adjust
cfg80211_update_known_bss() to free the last beacon frame
elements only if they're not shared via the corresponding
'hidden_beacon_bss' pointer.

Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092
Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update")
Signed-off-by: Dmitry Antipov &lt;dmantipov@yandex.ru&gt;
Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements</title>
<updated>2025-06-19T13:32:19+00:00</updated>
<author>
<name>Lachlan Hodges</name>
<email>lachlan.hodges@morsemicro.com</email>
</author>
<published>2025-06-03T05:35:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4f0fcdb8357d02d6b8af862866fcd57081ef8b92'/>
<id>urn:sha1:4f0fcdb8357d02d6b8af862866fcd57081ef8b92</id>
<content type='text'>
[ Upstream commit 1e1f706fc2ce90eaaf3480b3d5f27885960d751c ]

S1G beacons are not traditional beacons but a type of extension frame.
Extension frames contain the frame control and duration fields, followed
by zero or more optional fields before the frame body. These optional
fields are distinct from the variable length elements.

The presence of optional fields is indicated in the frame control field.
To correctly locate the elements offset, the frame control must be parsed
to identify which optional fields are present. Currently, mac80211 parses
S1G beacons based on fixed assumptions about the frame layout, without
inspecting the frame control field. This can result in incorrect offsets
to the "variable" portion of the frame.

Properly parse S1G beacon frames by using the field lengths defined in
IEEE 802.11-2024, section 9.3.4.3, ensuring that the elements offset is
calculated accurately.

Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results")
Fixes: cd418ba63f0c ("mac80211: convert S1G beacon to scan results")
Signed-off-by: Lachlan Hodges &lt;lachlan.hodges@morsemicro.com&gt;
Link: https://patch.msgid.link/20250603053538.468562-1-lachlan.hodges@morsemicro.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation</title>
<updated>2025-05-18T06:24:47+00:00</updated>
<author>
<name>Veerendranath Jakkam</name>
<email>quic_vjakkam@quicinc.com</email>
</author>
<published>2025-04-24T12:31:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9423f6da825172b8dc60d4688ed3d147291c3be9'/>
<id>urn:sha1:9423f6da825172b8dc60d4688ed3d147291c3be9</id>
<content type='text'>
commit 023c1f2f0609218103cbcb48e0104b144d4a16dc upstream.

Currently during the multi-link element defragmentation process, the
multi-link element length is added to the total IEs length when calculating
the length of remaining IEs after the multi-link element in
cfg80211_defrag_mle(). This could lead to out-of-bounds access if the
multi-link element or its corresponding fragment elements are the last
elements in the IEs buffer.

To address this issue, correctly calculate the remaining IEs length by
deducting the multi-link element end offset from total IEs end offset.

Cc: stable@vger.kernel.org
Fixes: 2481b5da9c6b ("wifi: cfg80211: handle BSS data contained in ML probe responses")
Signed-off-by: Veerendranath Jakkam &lt;quic_vjakkam@quicinc.com&gt;
Link: https://patch.msgid.link/20250424-fix_mle_defragmentation_oob_access-v1-1-84412a1743fa@quicinc.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>wifi: cfg80211: adjust allocation of colocated AP data</title>
<updated>2025-02-08T08:57:22+00:00</updated>
<author>
<name>Dmitry Antipov</name>
<email>dmantipov@yandex.ru</email>
</author>
<published>2025-01-13T15:54:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2e857fc25f4240ac07cf398b13a9912cf3dfa573'/>
<id>urn:sha1:2e857fc25f4240ac07cf398b13a9912cf3dfa573</id>
<content type='text'>
[ Upstream commit 1a0d24775cdee2b8dc14bfa4f4418c930ab1ac57 ]

In 'cfg80211_scan_6ghz()', instances of 'struct cfg80211_colocated_ap'
are allocated as if they would have 'ssid' as trailing VLA member. Since
this is not so, the extra IEEE80211_MAX_SSID_LEN bytes are not needed.
Briefly tested with KUnit.

Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning")
Signed-off-by: Dmitry Antipov &lt;dmantipov@yandex.ru&gt;
Link: https://patch.msgid.link/20250113155417.552587-1-dmantipov@yandex.ru
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>wifi: cfg80211: Move cfg80211_scan_req_add_chan() n_channels increment earlier</title>
<updated>2025-02-08T08:57:14+00:00</updated>
<author>
<name>Kees Cook</name>
<email>kees@kernel.org</email>
</author>
<published>2024-12-30T18:36:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8ec6762a8eb816d4352e13b747ad59b5d4ac9744'/>
<id>urn:sha1:8ec6762a8eb816d4352e13b747ad59b5d4ac9744</id>
<content type='text'>
[ Upstream commit 3a0168626c138734490bc52c4105ce8e79d2f923 ]

Since adding __counted_by(n_channels) to struct cfg80211_scan_request,
anything adding to the channels array must increment n_channels first.
Move n_channels increment earlier.

Reported-by: John Rowley &lt;lkml@johnrowley.me&gt;
Closes: https://lore.kernel.org/stable/1815535c709ba9d9.156c6a5c9cdf6e59.b249b6b6a5ee4634@localhost.localdomain/
Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate")
Signed-off-by: Kees Cook &lt;kees@kernel.org&gt;
Reviewed-by: Gustavo A. R. Silva &lt;gustavoars@kernel.org&gt;
Link: https://patch.msgid.link/20241230183610.work.680-kees@kernel.org
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>wifi: cfg80211: Do not create BSS entries for unsupported channels</title>
<updated>2024-10-08T19:15:51+00:00</updated>
<author>
<name>Chenming Huang</name>
<email>quic_chenhuan@quicinc.com</email>
</author>
<published>2024-09-23T02:16:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e1a9ae3a73810c00e492485fdbae09f0dccb057e'/>
<id>urn:sha1:e1a9ae3a73810c00e492485fdbae09f0dccb057e</id>
<content type='text'>
Currently, in cfg80211_parse_ml_elem_sta_data(), when the RNR element
indicates a BSS that operates in a channel that the current regulatory
domain doesn't support, a NULL value is returned by
ieee80211_get_channel_khz() and assigned to this BSS entry's channel
field. Later in cfg80211_inform_single_bss_data(), the reported
BSS entry's channel will be wrongly overridden by the transmitted BSS's.
This could result in connection failure when wpa_supplicant
tries to select this reported BSS entry while it actually resides in
an unsupported channel.

Since this channel is not supported, it is reasonable to skip such
entries instead of reporting wrong information.

Signed-off-by: Chenming Huang &lt;quic_chenhuan@quicinc.com&gt;
Link: https://patch.msgid.link/20240923021644.12885-1-quic_chenhuan@quicinc.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: cfg80211: avoid overriding direct/MBSSID BSS with per-STA profile BSS</title>
<updated>2024-09-06T10:56:33+00:00</updated>
<author>
<name>Veerendranath Jakkam</name>
<email>quic_vjakkam@quicinc.com</email>
</author>
<published>2024-09-04T03:09:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=450732abad6a75ff5a896a306be238123379e6db'/>
<id>urn:sha1:450732abad6a75ff5a896a306be238123379e6db</id>
<content type='text'>
Avoid overriding BSS information generated from MBSSID or direct source
with BSS information generated from per-STA profile source to avoid
losing actual signal strength and information elements such as RNR and
Basic ML elements.

Signed-off-by: Veerendranath Jakkam &lt;quic_vjakkam@quicinc.com&gt;
Link: https://patch.msgid.link/20240904030917.3602369-4-quic_vjakkam@quicinc.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: cfg80211: skip indicating signal for per-STA profile BSSs</title>
<updated>2024-09-06T10:56:33+00:00</updated>
<author>
<name>Veerendranath Jakkam</name>
<email>quic_vjakkam@quicinc.com</email>
</author>
<published>2024-09-04T03:09:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bff93c89ab19886e17f0a86ea59f2e37141f2ab6'/>
<id>urn:sha1:bff93c89ab19886e17f0a86ea59f2e37141f2ab6</id>
<content type='text'>
Currently, the signal of the BSS entry generated from the per-STA profile
is indicated as zero, but userspace may consider it as high signal
strength since 0 dBm is a valid RSSI value.

To avoid this, don't report the signal to userspace when the BSS entry
is created from a per-STA profile.

Signed-off-by: Veerendranath Jakkam &lt;quic_vjakkam@quicinc.com&gt;
Link: https://patch.msgid.link/20240904030917.3602369-3-quic_vjakkam@quicinc.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>wifi: cfg80211: make BSS source types public</title>
<updated>2024-09-06T10:56:33+00:00</updated>
<author>
<name>Veerendranath Jakkam</name>
<email>quic_vjakkam@quicinc.com</email>
</author>
<published>2024-09-04T03:09:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0fdcc994a42cf1306bc0e9ca6c9adeec657f5f02'/>
<id>urn:sha1:0fdcc994a42cf1306bc0e9ca6c9adeec657f5f02</id>
<content type='text'>
Define a public enum with BSS source types in core.h. Upcoming patches
need this to store the BSS source type in struct cfg80211_internal_bss.

Signed-off-by: Veerendranath Jakkam &lt;quic_vjakkam@quicinc.com&gt;
Link: https://patch.msgid.link/20240904030917.3602369-2-quic_vjakkam@quicinc.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
</feed>
