[BUGFIX] wifi: mac80211: fix MLD ID for cross-link CSA

The elems currently passed to ieee80211_sta_process_chanswitch()
are the CSA elements, so the STA profile in cross-link scenarios.
In this case, 'elems' may even be NULL if the profile disappeared
from the multi-link element (due to CSA elements no longer being
there), and static checkers reported that it may be dereferenced.
This is true, but the underlying cause is that we attempt to use
the wrong set of elements to find the MLD ID and look at the RNR,
for this purpose we must use the full outer elements.

Pass the right pointer to get the correct MLD ID and iterate the
correct RNR elements in ieee80211_sta_other_link_csa_disappeared.

type=bugfix
fixes=Ie8453979f5805873a8411c99346bcc3810cd6476
ticket=none

Change-Id: Iad5f645a9589b6324cf32d081cc8c4d812b62cf4
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-on: https://gerritwcs.ir.intel.com/c/iwlwifi-stack-dev/+/104386
automatic-review: iil_jenkins iil_jenkins <EC.GER.UNIX.IIL.JENKINS@INTEL.COM>
tested: iil_jenkins iil_jenkins <EC.GER.UNIX.IIL.JENKINS@INTEL.COM>
Tested-by: iil_jenkins iil_jenkins <EC.GER.UNIX.IIL.JENKINS@INTEL.COM>
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-on: https://gerritwcs.ir.intel.com/c/iwlwifi-stack-dev/+/104593
x-iwlwifi-stack-dev: c868f082d47c5845652cac1902ef124ad864856c

2 files changed, 14 insertions, 10 deletions

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 3f1ff2e84a..749f37b7ef 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2142,7 +2142,8 @@ enum ieee80211_csa_source {
 static void
 ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link,
 				 u64 timestamp, u32 device_timestamp,
-				 struct ieee802_11_elems *elems,
+				 struct ieee802_11_elems *full_elems,
+				 struct ieee802_11_elems *csa_elems,
 				 enum ieee80211_csa_source source)
 {
 	struct ieee80211_sub_if_data *sdata = link->sdata;
@@ -2161,7 +2162,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link,
 
 	lockdep_assert_wiphy(local->hw.wiphy);
 
-	if (elems) {
+	if (csa_elems) {
 		struct cfg80211_bss *cbss = link->conf->bss;
 		enum nl80211_band current_band;
 		struct ieee80211_bss *bss;
@@ -2172,7 +2173,8 @@ ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link,
 		current_band = cbss->channel->band;
 		bss = (void *)cbss->priv;
 
-		res = ieee80211_parse_ch_switch_ie(sdata, elems, current_band,
+		res = ieee80211_parse_ch_switch_ie(sdata, csa_elems,
+						   current_band,
 						   bss->vht_cap_info,
 						   &link->u.mgd.conn,
 						   link->u.mgd.bssid, &csa_ie);
@@ -2185,7 +2187,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link,
 	} else {
 		/*
 		 * If there was no per-STA profile for this link, we
-		 * get called with elems == NULL. This of course means
+		 * get called with csa_elems == NULL. This of course means
 		 * there are no CSA elements, so set res=1 indicating
 		 * no more CSA.
 		 */
@@ -2240,7 +2242,8 @@ ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link,
 				return;
 
 			/* check in the RNR if the CSA aborted */
-			ieee80211_sta_other_link_csa_disappeared(link, elems);
+			ieee80211_sta_other_link_csa_disappeared(link,
+								 full_elems);
 			return;
 		}
 	}
@@ -6424,7 +6427,7 @@ handle:
 		 * TSF offset etc. The device_timestamp is still
 		 * correct, of course.
 		 */
-		ieee80211_sta_process_chanswitch(link, 0, 0, prof_elems,
+		ieee80211_sta_process_chanswitch(link, 0, 0, elems, prof_elems,
 						 IEEE80211_CSA_SOURCE_OTHER_LINK);
 		kfree(prof_elems);
 	}
@@ -6653,7 +6656,8 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link,
 
 	ieee80211_sta_process_chanswitch(link, rx_status->mactime,
 					 rx_status->device_timestamp,
-					 elems, IEEE80211_CSA_SOURCE_BEACON);
+					 elems, elems,
+					 IEEE80211_CSA_SOURCE_BEACON);
 
 	/* note that after this elems->ml_basic can no longer be used fully */
 	ieee80211_mgd_check_cross_link_csa(sdata, rx_status->link_id, elems);
@@ -7198,7 +7202,7 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
 				ieee80211_sta_process_chanswitch(link,
 								 rx_status->mactime,
 								 rx_status->device_timestamp,
-								 elems,
+								 elems, elems,
 								 IEEE80211_CSA_SOURCE_ACTION);
 			kfree(elems);
 		} else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
@@ -7227,7 +7231,7 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
 				ieee80211_sta_process_chanswitch(link,
 								 rx_status->mactime,
 								 rx_status->device_timestamp,
-								 elems,
+								 elems, elems,
 								 IEEE80211_CSA_SOURCE_ACTION);
 			}
 
diff --git a/versions b/versions
index 01bc076c83..9c1922fcd7 100644
--- a/versions
+++ b/versions
@@ -2,5 +2,5 @@ BACKPORTS_VERSION="(see git)"
 BACKPORTED_KERNEL_VERSION="(see git)"
 BACKPORTED_KERNEL_NAME="iwlwifi"
 BACKPORTS_BUILD_TSTAMP=__DATE__ \" \" __TIME__
-BACKPORTS_GIT_TRACKED="iwlwifi-stack-public:release/core87:12058:dba7032f"
+BACKPORTS_GIT_TRACKED="iwlwifi-stack-public:release/core87:12059:c868f082"
 BACKPORTS_BRANCH_TSTAMP="Apr 17 2024 13:11:40"