From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Moon Hee Lee <moonhee.lee.ca@gmail.com>,
syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>,
johannes@sipsolutions.net, linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.18-5.10] wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
Date: Wed, 7 Jan 2026 10:53:08 -0500
Message-ID: <20260107155329.4063936-6-sashal@kernel.org>
In-Reply-To: <20260107155329.4063936-1-sashal@kernel.org>
From: Moon Hee Lee <moonhee.lee.ca@gmail.com>
[ Upstream commit ff4071c60018a668249dc6a2df7d16330543540e ]
ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only
present after JOIN_OCB.
RX may run before JOIN_OCB is executed, in which case the OCB interface
is not operational. Skip RX peer handling when the interface is not
joined to avoid warnings in the RX path.
Reported-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b364457b2d1d4e4a3054
Tested-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com
Signed-off-by: Moon Hee Lee <moonhee.lee.ca@gmail.com>
Link: https://patch.msgid.link/20251216035932.18332-1-moonhee.lee.ca@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
OCB support has been in the kernel since 2014 - it exists in all
supported stable trees.
## 3. CLASSIFICATION
- **Type:** Bug fix - fixes kernel warnings triggered by a race
condition
- **Category:** Not an exception category - straightforward bug fix
- **Security:** Not directly security-related, but the WARN_ON_ONCE
could trigger panic on systems with `panic_on_warn=1`
## 4. SCOPE AND RISK ASSESSMENT
- **Size:** Minimal - 3 lines added (one check + early return)
- **Files:** 1 file (net/mac80211/ocb.c)
- **Complexity:** Very low - simple flag check before proceeding
- **Risk:** Extremely low
  - Uses existing `joined` flag already used elsewhere in the same file
  - Follows established pattern (identical check exists at line 126)
  - Cannot break existing functionality - before join, nothing should
    happen anyway
## 5. USER IMPACT
- **Affected users:** OCB mode users (vehicle-to-vehicle communications,
IEEE 802.11p)
- **Severity:** Medium - causes kernel warnings in RX path
- **Systems with `panic_on_warn=1`:** This could cause system crashes
- **Reproducibility:** Confirmed reproducible by syzkaller
## 6. STABILITY INDICATORS
- **Tested-by: syzbot** - Fix verified by the same fuzzer that found the
bug
- **Maintainer sign-off:** Johannes Berg (mac80211 maintainer)
- **Pattern established:** Same check pattern already used in
`ieee80211_ocb_work()`
## 7. DEPENDENCY CHECK
- No dependencies on other commits
- Uses existing `joined` flag (in kernel since 2014)
- Will apply cleanly to any stable tree with OCB support
## SUMMARY
This is an ideal stable backport candidate:
1. **Obviously correct:** Simple early-return check using existing flag,
follows pattern already in the code
2. **Fixes real bug:** Syzbot-reported, reproducible kernel warnings
3. **Small and contained:** 3 lines, single file, no side effects
4. **No new features:** Just adds a defensive check
5. **Low risk:** Cannot break anything - OCB shouldn't process RX before
joining anyway
6. **Tested:** Verified by syzbot
The fix prevents kernel warnings (and potential crashes on
`panic_on_warn` systems) when RX frames arrive on an OCB interface
before it has finished the join operation. It's a simple, surgical fix
with no risk of regression.
**YES**
net/mac80211/ocb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/mac80211/ocb.c b/net/mac80211/ocb.c
index a5d4358f122a..ebb4f4d88c23 100644
--- a/net/mac80211/ocb.c
+++ b/net/mac80211/ocb.c
@@ -47,6 +47,9 @@ void ieee80211_ocb_rx_no_sta(struct ieee80211_sub_if_data *sdata,
struct sta_info *sta;
int band;
+ if (!ifocb->joined)
+ return;
+
/* XXX: Consider removing the least recently used entry and
* allow new one to be added.
*/
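Review bot: The new `if (!ifocb->joined)` early return at the top of ieee80211_ocb_rx_no_sta() has no comment, so a reader of ocb.c cannot tell that it exists because the channel context is only present after JOIN_OCB, as the commit message explains. A one-line comment above the check saying so would keep the guard from being dropped as redundant in a later cleanup. The commit message also says RX may run before JOIN_OCB is executed, which means this flag is read while the join path may be running, and the visible lines show no lock or READ_ONCE() around the read. It would help to state, in that same comment or in the commit message, what guarantees the channel context is already set up by the time `joined` reads true here.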
--
2.51.0