wifi: mac80211: Avoid address calculations via out of bounds array indexing

jira LE-3201
cve CVE-2024-41071
Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10
commit-author Kenton Groombridge <[email protected]>
commit 2663d04
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/2663d046.failed

req->n_channels must be set before req->channels[] can be used.

This patch fixes one of the issues encountered in [1].

[   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4
[   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'
[...]
[   83.964264] Call Trace:
[   83.964267]  <TASK>
[   83.964269]  dump_stack_lvl+0x3f/0xc0
[   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110
[   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0
[   83.964281]  __ieee80211_start_scan+0x601/0x990
[   83.964291]  nl80211_trigger_scan+0x874/0x980
[   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160
[   83.964298]  genl_rcv_msg+0x240/0x270
[...]

[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810

Co-authored-by: Kees Cook <[email protected]>
	Signed-off-by: Kees Cook <[email protected]>
	Signed-off-by: Kenton Groombridge <[email protected]>
Link: https://msgid.link/[email protected]
	Signed-off-by: Johannes Berg <[email protected]>
(cherry picked from commit 2663d04)
	Signed-off-by: Jonathan Maple <[email protected]>

# Conflicts:
#	net/mac80211/scan.c

Author: PlaidCat

ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/2663d046.failed

@@ -0,0 +1,63 @@
+wifi: mac80211: Avoid address calculations via out of bounds array indexing
+
+jira LE-3201
+cve CVE-2024-41071
+Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10
+commit-author Kenton Groombridge <[email protected]>
+commit 2663d0462eb32ae7c9b035300ab6b1523886c718
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/2663d046.failed
+
+req->n_channels must be set before req->channels[] can be used.
+
+This patch fixes one of the issues encountered in [1].
+
+[   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4
+[   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'
+[...]
+[   83.964264] Call Trace:
+[   83.964267]  <TASK>
+[   83.964269]  dump_stack_lvl+0x3f/0xc0
+[   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110
+[   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0
+[   83.964281]  __ieee80211_start_scan+0x601/0x990
+[   83.964291]  nl80211_trigger_scan+0x874/0x980
+[   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160
+[   83.964298]  genl_rcv_msg+0x240/0x270
+[...]
+
+[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810
+
+Co-authored-by: Kees Cook <[email protected]>
+	Signed-off-by: Kees Cook <[email protected]>
+	Signed-off-by: Kenton Groombridge <[email protected]>
+Link: https://msgid.link/[email protected]
+	Signed-off-by: Johannes Berg <[email protected]>
+(cherry picked from commit 2663d0462eb32ae7c9b035300ab6b1523886c718)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	net/mac80211/scan.c
+diff --cc net/mac80211/scan.c
+index 8428841d4760,b5f2df61c7f6..000000000000
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@@ -391,11 -394,10 +393,15 @@@ static bool ieee80211_prep_hw_scan(stru
+  			}
+  
+  			local->hw_scan_band++;
+- 		} while (!n_chans);
++ 		} while (!*n_chans);
+  	}
+  
+++<<<<<<< HEAD
+ +	local->hw_scan_req->req.n_channels = n_chans;
+ +	ieee80211_prepare_scan_chandef(&chandef, req->scan_width);
+++=======
++ 	ieee80211_prepare_scan_chandef(&chandef);
+++>>>>>>> 2663d0462eb3 (wifi: mac80211: Avoid address calculations via out of bounds array indexing)
+  
+  	if (req->flags & NL80211_SCAN_FLAG_MIN_PREQ_CONTENT)
+  		flags |= IEEE80211_PROBE_FLAG_MIN_CONTENT;
+* Unmerged path net/mac80211/scan.c