[PATCH AUTOSEL 6.19-6.12] wifi: mac80211: check tdls flag in ieee80211_tdls_oper
From: Sasha Levin @ 2026-03-24 11:19 UTC
To: patches, stable
Cc: Deepanshu Kartikey, syzbot+56b6a844a4ea74487b7b, Johannes Berg,
Johannes Berg, Sasha Levin, linux-wireless, linux-kernel
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b ]
When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
station exists but not whether it is actually a TDLS station. This
allows the operation to proceed for non-TDLS stations, causing
unintended side effects like modifying channel context and HT
protection before failing.
Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
any side effects occur, to ensure the operation is only allowed for
actual TDLS peers.
Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
Before commit `076fc8775dafe` (2023), the check was `if (!sta) { ret =
-ENOLINK; break; }`. In older stable trees (5.15, 5.10, 5.4), the fix
would need to be adapted to this older pattern, but it's still trivial:
change `if (!sta)` to `if (!sta || !sta->sta.tdls)`. The logic is
identical.
## PHASE 7: SUBSYSTEM AND MAINTAINER CONTEXT
### Step 7.1: Subsystem Criticality
- **Subsystem**: wifi/mac80211 — core wireless networking stack
- **Criticality**: IMPORTANT — used by all Linux systems with WiFi
hardware
- TDLS (Tunneled Direct Link Setup) is a standard WiFi feature used for
direct device-to-device communication
### Step 7.2: Subsystem Activity
mac80211/tdls.c has moderate activity, with both bug fixes and ongoing
development.
## PHASE 8: IMPACT AND RISK ASSESSMENT
### Step 8.1: Affected Users
All Linux users with WiFi hardware that supports TDLS (most modern WiFi
devices). Reachable from userspace via netlink.
### Step 8.2: Trigger Conditions
- Triggered via `NL80211_CMD_TDLS_OPER` with `NL80211_TDLS_ENABLE_LINK`
for a non-TDLS station
- Can be triggered by an **unprivileged local user** with appropriate
netlink access (or by a local attacker)
- syzbot found and reproduced this reliably
### Step 8.3: Failure Mode Severity
- **WARN_ON_ONCE** triggered at tdls.c:1460 — kernel warning
- **Unintended side effects**: channel context and HT protection
modified for non-TDLS station — this could corrupt WiFi connection
state
- Severity: **MEDIUM-HIGH** (WARN + potential state corruption via
userspace-reachable path)
### Step 8.4: Risk-Benefit
- **Benefit**: HIGH — prevents userspace-triggerable WARN and state
corruption in WiFi subsystem; affects all stable trees
- **Risk**: VERY LOW — single additional boolean check, obviously
correct, maintainer-suggested
- **Ratio**: Excellent — minimal risk, clear benefit
## PHASE 9: FINAL SYNTHESIS
### Step 9.1: Evidence Compilation
**FOR backporting:**
- Fixes a syzbot-reported, reproducible bug reachable from userspace
- Bug exists in ALL active stable trees (since 2014)
- Single-line, obviously correct fix
- Suggested by subsystem maintainer (Johannes Berg)
- Tested by syzbot (confirmed fix)
- Prevents WARN_ON_ONCE and unintended WiFi state modification
- Zero regression risk
- Clean apply expected (trivial adaptation for older trees)
**AGAINST backporting:**
- (None significant)
### Step 9.2: Stable Rules Checklist
1. **Obviously correct and tested?** YES — one additional condition,
tested by syzbot
2. **Fixes a real bug?** YES — syzbot-reported, WARN + state corruption
3. **Important issue?** YES — userspace-reachable, affects WiFi state
4. **Small and contained?** YES — 1 line changed
5. **No new features/APIs?** Correct — pure validation fix
6. **Can apply to stable?** YES — trivial adaptation needed for pre-6.6
trees
### Step 9.3: Exception Categories
Not an exception category — this is a straightforward bug fix that meets
standard stable criteria.
### Step 9.4: Decision
Clear YES. This is a textbook stable backport candidate.
## Verification
- **[Phase 1]** Parsed tags: Reported-by syzbot, Tested-by syzbot,
Suggested-by Johannes Berg (maintainer), Signed-off-by Johannes Berg
- **[Phase 2]** Diff analysis: 1 line modified — added `||
!sta->sta.tdls` to existing NULL check in `ieee80211_tdls_oper()`
ENABLE_LINK case
- **[Phase 3]** git blame: buggy code introduced in commit
`95224fe83e5e78` (2014, v3.16 era), present in all stable trees
- **[Phase 3]** git show `076fc8775dafe`: confirmed older trees have
slightly different code structure (`if (!sta) { ret = -ENOLINK; break;
}`) but fix is trivially adaptable
- **[Phase 3]** Related commit `16ecdab5446f1`: another syzbot-reported
TDLS validation fix, independent of this one
- **[Phase 4]** Syzbot bug report: confirmed affects Linux 5.4, 5.10,
5.15, 6.1, 6.6; crash is WARN_ON_ONCE in ieee80211_tdls_oper
- **[Phase 4]** Lore: v2 patch, approach suggested by Johannes Berg; no
NAKs or concerns found
- **[Phase 5]** `ieee80211_tdls_oper` registered via `.tdls_oper` in
cfg.c:5598, reachable from userspace via NL80211_CMD_TDLS_OPER netlink
- **[Phase 6]** Code exists in all active stable trees (bug from 2014)
- **[Phase 6]** Backport: clean apply on 6.x trees; trivial context
adaptation needed for 5.x trees
- **[Phase 8]** Failure mode: WARN_ON_ONCE + unintended channel/HT
protection state modification; severity MEDIUM-HIGH;
userspace-triggerable
**YES**
net/mac80211/tdls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index dbbfe2d6842fb..1dca2fae05a52 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -1449,7 +1449,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
}
sta = sta_info_get(sdata, peer);
- if (!sta)
+ if (!sta || !sta->sta.tdls)
return -ENOLINK;
iee80211_tdls_recalc_chanctx(sdata, sta);
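Review bot: the new condition returns the same -ENOLINK for "station exists but is not a TDLS peer" as for "no such station", so a caller of NL80211_CMD_TDLS_OPER cannot tell the two apart; if that distinction matters to userspace, a separate error such as -EINVAL for the non-TDLS case would be clearer, although -ENOLINK is defensible since there is no TDLS link in either case. The placement itself is right: the check now sits before `iee80211_tdls_recalc_chanctx(sdata, sta);`, so the channel-context and HT-protection side effects the commit message describes no longer happen for a non-TDLS station. Since the commit message limits the fix to the ENABLE_LINK case, it is worth confirming separately that the other operations handled by ieee80211_tdls_oper validate sta->sta.tdls before acting on the station, as this hunk says nothing about them.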
--
2.51.0