From: Óscar Alfonso Díaz
Date: Wed, 25 Mar 2026 11:59:27 +0100
Subject: Re: [PATCH] wifi: mac80211: fix monitor mode frame capture for real chanctx drivers
To: 傅继晗
Cc: johannes@sipsolutions.net, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
In-Reply-To: <20260325001513.1303-1-fjhhz1997@gmail.com>
References: <20260325001513.1303-1-fjhhz1997@gmail.com>
X-Mailing-List: stable@vger.kernel.org

Hello everybody.

I've tested this patch and I'm sorry to say this... but, bad news.
Same behaviour. I mean, as soon as the DoS window appears during the evil twin attack, the VM is completely frozen.

I put the full report including screenshots on the GitHub thread: https://github.com/morrownr/USB-WiFi/issues/682

If you are interested in reproducing what I do, it is pretty simple. You just need Linux, one wireless adapter using a Mediatek chipset affected by the bug (in my case the chipset is MT7921U, also tested on MT7921AUN), a wireless network and a connected client (your mobile phone is enough).

Use the airgeddon tool and launch the most simple evil twin attack over it:

    git clone https://github.com/v1s1t0r1sh3r3/airgeddon
    cd airgeddon
    bash airgeddon.sh

Navigate through the menus selecting the Mediatek adapter, then the evil twin menu (option 7) and then scan for your target network (option 4). After selecting it, just launch the "Evil Twin attack just AP" (option 5) and wait until all 4 windows of the attack appear, then check if your client (mobile phone) is disconnected from the network. That's it.

In my case, just 3 windows opened... the first one is the Fake AP, the second is a DHCP server, the third one is the DoS window, and as I said, as soon as it appears, everything hangs... so there is no time for the 4th window (the control window) to open.

Kind regards.

-- 
Oscar
OpenPGP Key: DA9C60E9 || https://pgp.mit.edu/pks/lookup?op=get&search=0x79B17260DA9C60E9
4F74 B302 354D 817D DE38 0A43 79B1 7260 DA9C 60E9
--

On Wed, 25 Mar 2026 at 1:15, 傅继晗 () wrote:
>
> Hi Oscar,
>
> Thank you for testing the v1 patch and reporting the VM hang -- your
> report was critical in identifying the root cause.
>
> Lucid-Duck did extensive debugging and reproduction work on this.
> The full discussion is here:
> https://github.com/morrownr/USB-WiFi/issues/682#issuecomment-4120751621
>
> Root cause of the crash:
>
> The v1 patch falls back to list_first_entry_or_null(&local->chanctx_list)
> when the monitor vif has no chanctx. In your Evil Twin + DoS scenario,
> the AP and monitor interfaces created multiple channel contexts. The
> fallback blindly grabbed whichever chanctx was first on the list --
> which could be the AP's chanctx that the firmware wasn't expecting
> monitor traffic on. Injecting frames on a chanctx where
> mt7921_mcu_config_sniffer() was never called is the likely trigger
> for the hard hang.
>
> The v2 patch adds a list_is_singular() guard: injection only proceeds
> when there is exactly one chanctx (unambiguous), and is refused when
> multiple chanctxs exist. This covers the common single-channel AP +
> monitor case while preventing the dangerous multi-chanctx path that
> caused your crash.
>
> Lucid-Duck tested v2 extensively on kernel 6.19.8 with the MT7921AU
> (ALFA AWUS036AXML) -- single-channel AP + monitor + injection,
> multi-chanctx via P2P-GO, heavy load injection floods (50k fps,
> 1.8M packets) -- all stable with zero crashes or kernel warnings.
>
> The v2 diff against net/mac80211/tx.c:
>
>         chanctx_conf = rcu_dereference(sdata->vif.bss_conf.chanctx_conf);
> -       if (chanctx_conf)
> +       if (chanctx_conf) {
>                 chandef = &chanctx_conf->def;
> -       else if (local->emulate_chanctx)
> +       } else if (local->emulate_chanctx) {
>                 chandef = &local->hw.conf.chandef;
> -       else
> -               goto fail_rcu;
> +       } else {
> +               struct ieee80211_chanctx *ctx;
> +
> +               ctx = list_first_entry_or_null(&local->chanctx_list,
> +                                              struct ieee80211_chanctx,
> +                                              list);
> +               if (ctx && list_is_singular(&local->chanctx_list))
> +                       chandef = &ctx->conf.def;
> +               else
> +                       goto fail_rcu;
> +       }
>
> If you have time, could you re-test with this v2 patch in your
> original Evil Twin + DoS setup? That would help confirm the fix
> before I send v2 to the list.
>
> Thanks again for your help!
>
> Best regards,
> 傅继晗
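Review bot: the new else branch reads local->chanctx_list with plain list accessors while this path holds only the RCU read lock (the error label is `goto fail_rcu`, and chanctx_conf itself is obtained via rcu_dereference()); list_first_entry_or_null() and list_is_singular() give no protection against a chanctx being added or removed concurrently, so the check can race with interface bring-up/teardown and the dereference of `ctx->conf.def` can hit an entry that is being freed. Either take the lock that serialises modifications of local->chanctx_list, or use the RCU list accessor (list_first_or_null_rcu()) and replace the count-based list_is_singular() test with a check that the chosen context is one this sdata is actually allowed to transmit on. Note also that "exactly one chanctx" is a proxy for "the driver configured sniffer mode on it" rather than a guarantee: the mail's own root-cause analysis says the hang comes from injecting on a chanctx where mt7921_mcu_config_sniffer() was never called, and a singular list does not establish that. A short comment above `ctx = list_first_entry_or_null(...)` explaining why multiple contexts are refused (the reported hard hang when frames were injected on another interface's chanctx) would help whoever touches this next.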