[PATCH wireless 2/2] wifi: mac80211: add KUnit coverage for negotiated TTLM parser

[Michael Bommarito]

Add KUnit coverage for ieee80211_parse_neg_ttlm() to lock the sparse
link_map_presence layout against future regressions.

The sparse_presence_no_oob_read case crafts a negotiated TTLM element
with link_map_presence = BIT(0) | BIT(7) and bm_size = 2 in a buffer
sized exactly to the validated element length.  Without the parser
fix this would read 14 bytes past the buffer when processing TID 7;
under KASAN that is a slab-out-of-bounds report.

The dense_presence_baseline case crafts a fully populated
link_map_presence = 0xff element to confirm that the cursor-advance
fix does not regress the path that was already correct.

Export ieee80211_parse_neg_ttlm via VISIBLE_IF_MAC80211_KUNIT so the
test can call it directly.

Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
---
 net/mac80211/ieee80211_i.h      |   4 +
 net/mac80211/mlme.c             |   3 +-
 net/mac80211/tests/.kunitconfig |   4 +
 net/mac80211/tests/Makefile     |   2 +-
 net/mac80211/tests/ttlm.c       | 175 ++++++++++++++++++++++++++++++++
 5 files changed, 186 insertions(+), 2 deletions(-)
 create mode 100644 net/mac80211/tests/.kunitconfig
 create mode 100644 net/mac80211/tests/ttlm.c

diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 2a693406294bc..aa9c9781db92e 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -2948,6 +2948,10 @@ ieee80211_determine_chan_mode(struct ieee80211_sub_if_data *sdata,
 			      struct ieee80211_chan_req *chanreq,
 			      struct cfg80211_chan_def *ap_chandef,
 			      unsigned long *userspace_selectors);
+int ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data *sdata,
+			     const struct ieee80211_ttlm_elem *ttlm,
+			     struct ieee80211_neg_ttlm *neg_ttlm,
+			     u8 *direction);
 #else
 #define EXPORT_SYMBOL_IF_MAC80211_KUNIT(sym)
 #define VISIBLE_IF_MAC80211_KUNIT static
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index c3a2844740a14..9a51870a818da 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -8096,7 +8096,7 @@ ieee80211_send_neg_ttlm_res(struct ieee80211_sub_if_data *sdata,
 	ieee80211_tx_skb(sdata, skb);
 }
 
-static int
+VISIBLE_IF_MAC80211_KUNIT int
 ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data *sdata,
 			 const struct ieee80211_ttlm_elem *ttlm,
 			 struct ieee80211_neg_ttlm *neg_ttlm,
@@ -8177,6 +8177,7 @@ ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data *sdata,
 	}
 	return 0;
 }
+EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_parse_neg_ttlm);
 
 void ieee80211_process_neg_ttlm_req(struct ieee80211_sub_if_data *sdata,
 				    struct ieee80211_mgmt *mgmt, size_t len)
diff --git a/net/mac80211/tests/.kunitconfig b/net/mac80211/tests/.kunitconfig
new file mode 100644
index 0000000000000..ab2cc5cfc1f5c
--- /dev/null
+++ b/net/mac80211/tests/.kunitconfig
@@ -0,0 +1,4 @@
+CONFIG_KUNIT=y
+CONFIG_CFG80211=y
+CONFIG_MAC80211=y
+CONFIG_MAC80211_KUNIT_TEST=y
diff --git a/net/mac80211/tests/Makefile b/net/mac80211/tests/Makefile
index 3c7f874e5c412..2e9ade90f7b63 100644
--- a/net/mac80211/tests/Makefile
+++ b/net/mac80211/tests/Makefile
@@ -1,3 +1,3 @@
-mac80211-tests-y += module.o util.o elems.o mfp.o tpe.o chan-mode.o s1g_tim.o
+mac80211-tests-y += module.o util.o elems.o mfp.o tpe.o chan-mode.o s1g_tim.o ttlm.o
 
 obj-$(CONFIG_MAC80211_KUNIT_TEST) += mac80211-tests.o
diff --git a/net/mac80211/tests/ttlm.c b/net/mac80211/tests/ttlm.c
new file mode 100644
index 0000000000000..18d0592b13d9e
--- /dev/null
+++ b/net/mac80211/tests/ttlm.c
@@ -0,0 +1,175 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * KUnit tests for negotiated TTLM (TID-To-Link Mapping) parsing
+ *
+ * Copyright (C) 2026 Michael Bommarito <michael.bommarito@xxxxxxxxx>
+ */
+#include <kunit/test.h>
+#include <linux/ieee80211.h>
+#include "../ieee80211_i.h"
+
+MODULE_IMPORT_NS("EXPORTED_FOR_KUNIT_TESTING");
+
+/*
+ * Build a negotiated TTLM element in caller-supplied buffer.
+ *
+ * @buf:       destination buffer (must be at least elem_size bytes)
+ * @elem_size: sizeof(ttlm_elem) + 1 (presence byte) + npresent * bm_size
+ * @presence:  link_map_presence bitmask; each set bit => one map follows
+ * @bm_size:   bytes per map (1 or 2); 2 => LINK_MAP_SIZE bit clear
+ * @maps:      array of npresent u16 maps, one per set bit in presence
+ *
+ * Control field encodes direction=BOTH; no switch-time, no expected-dur,
+ * no DEF_LINK_MAP.  LINK_MAP_SIZE bit is set iff bm_size==1.
+ *
+ * Returns pointer to the ieee80211_ttlm_elem at buf.
+ */
+static const struct ieee80211_ttlm_elem *
+build_neg_ttlm_elem(u8 *buf, size_t elem_size,
+		    u8 presence, u8 bm_size, const u16 *maps)
+{
+	struct ieee80211_ttlm_elem *t = (void *)buf;
+	u8 control;
+	u8 *pos;
+	int i, tid;
+
+	memset(buf, 0, elem_size);
+
+	control = IEEE80211_TTLM_DIRECTION_BOTH; /* bits [1:0] = 2 */
+	if (bm_size == 1)
+		control |= IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE;
+
+	t->control = control;
+
+	pos = (u8 *)t->optional;
+	*pos++ = presence;
+
+	i = 0;
+	for (tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
+		if (!(presence & BIT(tid)))
+			continue;
+		if (bm_size == 1)
+			*pos = (u8)maps[i];
+		else
+			put_unaligned_le16(maps[i], pos);
+		pos += bm_size;
+		i++;
+	}
+
+	return t;
+}
+
+/*
+ * sparse_presence_no_oob_read - BIT(0)|BIT(7) presence, bm_size=2
+ *
+ * Only TID 0 and TID 7 have maps; TIDs 1-6 are absent.  Element length
+ * is exactly 6 bytes (1 control + 1 presence + 2 * 2-byte maps).
+ *
+ * Pre-fix the parser advanced pos by bm_size AFTER the switch() block
+ * (i.e. unconditionally for every TID), so when processing TID 7 it
+ * had already advanced 6 * bm_size = 12 bytes past the presence byte
+ * for the absent TIDs before reading the TID-7 map - 14 bytes past the
+ * end of the 2-byte TID-7 map.  Under KASAN that is a slab-out-of-bounds.
+ *
+ * After the fix pos is advanced only inside the presence-bit branch so
+ * the cursor lands exactly at end-of-element after processing TID 7.
+ */
+static void sparse_presence_no_oob_read(struct kunit *test)
+{
+	/*
+	 * presence = BIT(0)|BIT(7): 2 maps present.
+	 * elem_size = sizeof(ttlm_elem) + 1 (presence) + 2*2 (maps) = 6.
+	 */
+	const u8 presence = BIT(0) | BIT(7);
+	const u8 bm_size = 2;
+	const int npresent = 2;
+	const size_t elem_size = sizeof(struct ieee80211_ttlm_elem)
+				 + 1 + npresent * bm_size;
+	/*
+	 * Allocate exact-size buffer so a pre-fix OOB read walks into the
+	 * KASAN red zone immediately after the allocation.
+	 */
+	u8 *buf = kunit_kzalloc(test, elem_size, GFP_KERNEL);
+	const struct ieee80211_ttlm_elem *ttlm;
+	struct ieee80211_neg_ttlm neg_ttlm = {};
+	/* Non-zero maps so the parser does not reject with -EINVAL. */
+	const u16 maps[2] = { 0x0001, 0x0001 };
+	u8 direction = 0;
+	int ret;
+
+	KUNIT_ASSERT_NOT_NULL(test, buf);
+
+	ttlm = build_neg_ttlm_elem(buf, elem_size, presence, bm_size, maps);
+
+	/*
+	 * Pass NULL for sdata: the only sdata dereference in this code path
+	 * is inside mlme_dbg() on error returns, which are guarded by
+	 * MAC80211_MLME_DEBUG == 0 in non-debug builds and by the dead-code
+	 * eliminator in KUnit builds.  The success path does not touch sdata.
+	 */
+	ret = ieee80211_parse_neg_ttlm(NULL, ttlm, &neg_ttlm, &direction);
+
+	KUNIT_EXPECT_EQ(test, ret, 0);
+	KUNIT_EXPECT_EQ(test, (int)direction, IEEE80211_TTLM_DIRECTION_BOTH);
+	/* TID 0: map present */
+	KUNIT_EXPECT_EQ(test, (int)neg_ttlm.downlink[0], 0x0001);
+	KUNIT_EXPECT_EQ(test, (int)neg_ttlm.uplink[0],   0x0001);
+	/* TID 3: absent => map should be 0 */
+	KUNIT_EXPECT_EQ(test, (int)neg_ttlm.downlink[3], 0);
+	KUNIT_EXPECT_EQ(test, (int)neg_ttlm.uplink[3],   0);
+	/* TID 7: map present */
+	KUNIT_EXPECT_EQ(test, (int)neg_ttlm.downlink[7], 0x0001);
+	KUNIT_EXPECT_EQ(test, (int)neg_ttlm.uplink[7],   0x0001);
+}
+
+/*
+ * dense_presence_baseline - presence=0xff (all 8 TIDs), bm_size=2
+ *
+ * Every TID has a map; this is the dense layout the parser handled
+ * correctly even before the fix.  Confirms the cursor-advance fix
+ * does not regress the already-correct path.
+ */
+static void dense_presence_baseline(struct kunit *test)
+{
+	const u8 presence = 0xff;
+	const u8 bm_size = 2;
+	const int npresent = 8;
+	const size_t elem_size = sizeof(struct ieee80211_ttlm_elem)
+				 + 1 + npresent * bm_size;
+	u8 *buf = kunit_kzalloc(test, elem_size, GFP_KERNEL);
+	const struct ieee80211_ttlm_elem *ttlm;
+	struct ieee80211_neg_ttlm neg_ttlm = {};
+	const u16 maps[8] = {
+		0x0003, 0x0003, 0x0003, 0x0003,
+		0x0003, 0x0003, 0x0003, 0x0003,
+	};
+	u8 direction = 0;
+	int ret;
+
+	KUNIT_ASSERT_NOT_NULL(test, buf);
+
+	ttlm = build_neg_ttlm_elem(buf, elem_size, presence, bm_size, maps);
+
+	ret = ieee80211_parse_neg_ttlm(NULL, ttlm, &neg_ttlm, &direction);
+
+	KUNIT_EXPECT_EQ(test, ret, 0);
+	KUNIT_EXPECT_EQ(test, (int)direction, IEEE80211_TTLM_DIRECTION_BOTH);
+	/* All TIDs present: every downlink/uplink entry must be 0x0003. */
+	for (int tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
+		KUNIT_EXPECT_EQ(test, (int)neg_ttlm.downlink[tid], 0x0003);
+		KUNIT_EXPECT_EQ(test, (int)neg_ttlm.uplink[tid],   0x0003);
+	}
+}
+
+static struct kunit_case mac80211_ttlm_test_cases[] = {
+	KUNIT_CASE(sparse_presence_no_oob_read),
+	KUNIT_CASE(dense_presence_baseline),
+	{}
+};
+
+static struct kunit_suite mac80211_ttlm = {
+	.name = "mac80211-ttlm",
+	.test_cases = mac80211_ttlm_test_cases,
+};
+
+kunit_test_suite(mac80211_ttlm);
-- 
2.53.0