From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Deepanshu Kartikey <kartikey406@gmail.com>,
syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com,
Johannes Berg <johannes@sipsolutions.net>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH AUTOSEL 6.19-6.12] wifi: mac80211: check tdls flag in ieee80211_tdls_oper
Date: Tue, 24 Mar 2026 07:19:21 -0400 [thread overview]
Message-ID: <20260324111931.3257972-12-sashal@kernel.org> (raw)
In-Reply-To: <20260324111931.3257972-1-sashal@kernel.org>
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b ]
When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
station exists but not whether it is actually a TDLS station. This
allows the operation to proceed for non-TDLS stations, causing
unintended side effects like modifying channel context and HT
protection before failing.
Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
any side effects occur, to ensure the operation is only allowed for
actual TDLS peers.
Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
Before commit `076fc8775dafe` (2023), the check was `if (!sta) { ret =
-ENOLINK; break; }`. In older stable trees (5.15, 5.10, 5.4), the fix
would need to be adapted to this older pattern, but it's still trivial:
change `if (!sta)` to `if (!sta || !sta->sta.tdls)`. The logic is
identical.
## PHASE 7: SUBSYSTEM AND MAINTAINER CONTEXT
### Step 7.1: Subsystem Criticality
- **Subsystem**: wifi/mac80211 — core wireless networking stack
- **Criticality**: IMPORTANT — used by all Linux systems with WiFi
hardware
- TDLS (Tunneled Direct Link Setup) is a standard WiFi feature used for
direct device-to-device communication
### Step 7.2: Subsystem Activity
mac80211/tdls.c has moderate activity, with both bug fixes and ongoing
development.
## PHASE 8: IMPACT AND RISK ASSESSMENT
### Step 8.1: Affected Users
All Linux users with WiFi hardware that supports TDLS (most modern WiFi
devices). Reachable from userspace via netlink.
### Step 8.2: Trigger Conditions
- Triggered via `NL80211_CMD_TDLS_OPER` with `NL80211_TDLS_ENABLE_LINK`
for a non-TDLS station
- Can be triggered by an **unprivileged local user** with appropriate
netlink access (or by a local attacker)
- syzbot found and reproduced this reliably
### Step 8.3: Failure Mode Severity
- **WARN_ON_ONCE** triggered at tdls.c:1460 — kernel warning
- **Unintended side effects**: channel context and HT protection
modified for non-TDLS station — this could corrupt WiFi connection
state
- Severity: **MEDIUM-HIGH** (WARN + potential state corruption via
userspace-reachable path)
### Step 8.4: Risk-Benefit
- **Benefit**: HIGH — prevents userspace-triggerable WARN and state
corruption in WiFi subsystem; affects all stable trees
- **Risk**: VERY LOW — single additional boolean check, obviously
correct, maintainer-suggested
- **Ratio**: Excellent — minimal risk, clear benefit
## PHASE 9: FINAL SYNTHESIS
### Step 9.1: Evidence Compilation
**FOR backporting:**
- Fixes a syzbot-reported, reproducible bug reachable from userspace
- Bug exists in ALL active stable trees (since 2014)
- Single-line, obviously correct fix
- Suggested by subsystem maintainer (Johannes Berg)
- Tested by syzbot (confirmed fix)
- Prevents WARN_ON_ONCE and unintended WiFi state modification
- Zero regression risk
- Clean apply expected (trivial adaptation for older trees)
**AGAINST backporting:**
- (None significant)
### Step 9.2: Stable Rules Checklist
1. **Obviously correct and tested?** YES — one additional condition,
tested by syzbot
2. **Fixes a real bug?** YES — syzbot-reported, WARN + state corruption
3. **Important issue?** YES — userspace-reachable, affects WiFi state
4. **Small and contained?** YES — 1 line changed
5. **No new features/APIs?** Correct — pure validation fix
6. **Can apply to stable?** YES — trivial adaptation needed for pre-6.6
trees
### Step 9.3: Exception Categories
Not an exception category — this is a straightforward bug fix that meets
standard stable criteria.
### Step 9.4: Decision
Clear YES. This is a textbook stable backport candidate.
## Verification
- **[Phase 1]** Parsed tags: Reported-by syzbot, Tested-by syzbot,
Suggested-by Johannes Berg (maintainer), Signed-off-by Johannes Berg
- **[Phase 2]** Diff analysis: 1 line modified — added `||
!sta->sta.tdls` to existing NULL check in `ieee80211_tdls_oper()`
ENABLE_LINK case
- **[Phase 3]** git blame: buggy code introduced in commit
`95224fe83e5e78` (2014, v3.16 era), present in all stable trees
- **[Phase 3]** git show `076fc8775dafe`: confirmed older trees have
slightly different code structure (`if (!sta) { ret = -ENOLINK; break;
}`) but fix is trivially adaptable
- **[Phase 3]** Related commit `16ecdab5446f1`: another syzbot-reported
TDLS validation fix, independent of this one
- **[Phase 4]** Syzbot bug report: confirmed affects Linux 5.4, 5.10,
5.15, 6.1, 6.6; crash is WARN_ON_ONCE in ieee80211_tdls_oper
- **[Phase 4]** Lore: v2 patch, approach suggested by Johannes Berg; no
NAKs or concerns found
- **[Phase 5]** `ieee80211_tdls_oper` registered via `.tdls_oper` in
cfg.c:5598, reachable from userspace via NL80211_CMD_TDLS_OPER netlink
- **[Phase 6]** Code exists in all active stable trees (bug from 2014)
- **[Phase 6]** Backport: clean apply on 6.x trees; trivial context
adaptation needed for 5.x trees
- **[Phase 8]** Failure mode: WARN_ON_ONCE + unintended channel/HT
protection state modification; severity MEDIUM-HIGH; userspace-
triggerable
**YES**
net/mac80211/tdls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index dbbfe2d6842fb..1dca2fae05a52 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -1449,7 +1449,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
}
sta = sta_info_get(sdata, peer);
- if (!sta)
+ if (!sta || !sta->sta.tdls)
return -ENOLINK;
iee80211_tdls_recalc_chanctx(sdata, sta);
--
2.51.0
next prev parent reply other threads:[~2026-03-24 11:19 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-24 11:19 [PATCH AUTOSEL 6.19] drm/amd/display: Fix gamma 2.2 colorop TFs Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19] mshv: Fix error handling in mshv_region_pin Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-6.1] tg3: replace placeholder MAC address with device property Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-6.12] btrfs: reserve enough transaction items for qgroup ioctls Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-5.10] objtool: Fix Clang jump table detection Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-6.12] HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-6.1] i2c: tegra: Don't mark devices with pins as IRQ safe Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-6.18] smb: client: fix generic/694 due to wrong ->i_blocks Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-5.10] atm: lec: fix use-after-free in sock_def_readable() Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-5.10] HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-6.6] spi: geni-qcom: Check DMA interrupts early in ISR Sasha Levin
2026-03-24 11:19 ` Sasha Levin [this message]
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19] objtool/klp: fix mkstemp() failure with long paths Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-6.6] arm64/scs: Fix handling of advance_loc4 Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-6.12] HID: logitech-hidpp: Enable MX Master 4 over bluetooth Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-5.15] btrfs: reject root items with drop_progress and zero drop_level Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-5.15] btrfs: don't take device_list_mutex when querying zone info Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-6.18] HID: core: Mitigate potential OOB by removing bogus memset() Sasha Levin
2026-03-24 11:19 ` [PATCH AUTOSEL 6.19-5.10] HID: multitouch: Check to ensure report responses match the request Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260324111931.3257972-12-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=johannes.berg@intel.com \
--cc=johannes@sipsolutions.net \
--cc=kartikey406@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox