[PATCH 5.10] wifi: mac80211: check tdls flag in ieee80211_tdls

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 5.10] wifi: mac80211: check tdls flag in ieee80211_tdls_oper
@ 2026-06-09 18:11 Alexey Panov
  2026-06-11  0:45 ` Sasha Levin
  0 siblings, 1 reply; 2+ messages in thread
From: Alexey Panov @ 2026-06-09 18:11 UTC (permalink / raw)
  To: stable, Greg Kroah-Hartman
  Cc: Alexey Panov, Johannes Berg, David S. Miller, Jakub Kicinski,
	linux-wireless, netdev, linux-kernel, lvc-project,
	syzbot+56b6a844a4ea74487b7b, Deepanshu Kartikey, Johannes Berg

From: Deepanshu Kartikey <kartikey406@gmail.com>

commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b upstream.

When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
station exists but not whether it is actually a TDLS station. This
allows the operation to proceed for non-TDLS stations, causing
unintended side effects like modifying channel context and HT
protection before failing.

Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
any side effects occur, to ensure the operation is only allowed for
actual TDLS peers.

Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ Alexey: Adapted to the older sta_mtx locking and error-handling flow. ]
Signed-off-by: Alexey Panov <apanov@astralinux.ru>
---
Backport fix for CVE-2026-43052
 net/mac80211/tdls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index e01e4daeb8cd..66e32f1d0a98 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -1380,7 +1380,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
 
 		mutex_lock(&local->sta_mtx);
 		sta = sta_info_get(sdata, peer);
-		if (!sta) {
+		if (!sta || !sta->sta.tdls) {
 			mutex_unlock(&local->sta_mtx);
 			ret = -ENOLINK;
 			break;
-- 
2.47.3

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH 5.10] wifi: mac80211: check tdls flag in ieee80211_tdls_oper
  2026-06-09 18:11 [PATCH 5.10] wifi: mac80211: check tdls flag in ieee80211_tdls_oper Alexey Panov
@ 2026-06-11  0:45 ` Sasha Levin
  0 siblings, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2026-06-11  0:45 UTC (permalink / raw)
  To: stable, Greg Kroah-Hartman
  Cc: Sasha Levin, Alexey Panov, Johannes Berg, David S. Miller,
	Jakub Kicinski, linux-wireless, netdev, linux-kernel, lvc-project,
	syzbot+56b6a844a4ea74487b7b, Deepanshu Kartikey, Johannes Berg

On Mon, Jun 09, 2026 at 09:11:08PM +0300, Alexey Panov wrote:
> [PATCH 5.10] wifi: mac80211: check tdls flag in ieee80211_tdls_oper

Queued for 5.10, thanks.

--
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-11  0:45 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-09 18:11 [PATCH 5.10] wifi: mac80211: check tdls flag in ieee80211_tdls_oper Alexey Panov
2026-06-11  0:45 ` Sasha Levin

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.