Description
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res. That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued. Make res an automatic variable so each invocation keeps its own result.
Product status
3468e1e0c639032a603450f0830ccabfa76f5806 (git) before 03584528bfffb195e384698af9148b94e42e3f14
3468e1e0c639032a603450f0830ccabfa76f5806 (git) before 1739fc31b4de06c5c78ce0741182770fb079091e
3468e1e0c639032a603450f0830ccabfa76f5806 (git) before e131562d6f2b958148c35c98831b007f47f0e3d3
3468e1e0c639032a603450f0830ccabfa76f5806 (git) before 3ef44f96ccc3e06e059dec57842e366f0c4b1893
3468e1e0c639032a603450f0830ccabfa76f5806 (git) before 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba
6.4
Any version before 6.4
6.6.140 (semver)
6.12.88 (semver)
6.18.30 (semver)
7.0.7 (semver)
7.1-rc3 (original_commit_for_fix)
References
git.kernel.org/...c/03584528bfffb195e384698af9148b94e42e3f14
git.kernel.org/...c/1739fc31b4de06c5c78ce0741182770fb079091e
git.kernel.org/...c/e131562d6f2b958148c35c98831b007f47f0e3d3
git.kernel.org/...c/3ef44f96ccc3e06e059dec57842e366f0c4b1893
git.kernel.org/...c/7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba