public inbox for linux-wireless@vger.kernel.org
From: Dhyan K Prajapati <dhyan19022009@gmail.com>
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
	Dhyan K Prajapati <dhyan19022009@gmail.com>
Subject: [PATCH] mac80211: fix NULL pointer dereference when switching to monitor mode
Date: Thu,  5 Feb 2026 09:22:23 +0530
Message-ID: <20260205035223.20411-1-dhyan19022009@gmail.com>

When switching an interface to monitor mode, ieee80211_link_info_change_notify()
incorrectly sends BSS change notifications to drivers, even though monitor
interfaces have no associated BSS context. This causes NULL pointer dereferences
in drivers like iwldvm.

The bug occurs because the current code only returns early for monitor interfaces
when WANT_MONITOR_VIF is NOT set. When WANT_MONITOR_VIF IS set, execution breaks
from the switch statement and falls through to drv_link_info_changed(), which
triggers the crash when the driver attempts to dereference link->conf->bss.

Crash trace:
  RIP: iwlagn_bss_info_changed+0x19d/0x640 [iwldvm]
  Code: 49 8b 46 10 <8b> 10
  RAX: 0000000000000000 (NULL link->conf->bss)

Fix by unconditionally returning early for IFTYPE_MONITOR, consistent with
IFTYPE_AP_VLAN handling. Also simplify by merging both cases.

Device: Intel Centrino Advanced-N 6205

Signed-off-by: Dhyan K Prajapati <dhyan19022009@gmail.com>
---
 net/mac80211/main.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index b05e313c7..bc93df21e 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -412,11 +412,8 @@ void ieee80211_link_info_change_notify(struct ieee80211_sub_if_data *sdata,
 
 	switch (sdata->vif.type) {
 	case NL80211_IFTYPE_AP_VLAN:
-		return;
 	case NL80211_IFTYPE_MONITOR:
-		if (!ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF))
-			return;
-		break;
+		return;
 	default:
 		break;
 	}
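
Review bot: In the NL80211_IFTYPE_MONITOR case, the removed ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF) test was what let drivers that set this flag receive link info change notifications for a monitor vif from this function; returning unconditionally drops them for every such driver, not only iwldvm. The commit message reports the crash in iwlagn_bss_info_changed but does not say whether other WANT_MONITOR_VIF drivers depend on these notifications, so please either state that none do or add the NULL check in the iwldvm handler instead and leave this gate as it is. A Fixes: tag naming the commit that introduced the regression would also help stable backports.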
-- 
2.43.0

