[PATCH] wifi: cfg80211: Fix page fault in __cfg80211_connect_result()

James Guan posted 1 patch 3 weeks, 2 days ago
net/wireless/sme.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Posted by James Guan 3 weeks, 2 days ago
When I attempted to connect to a virt_wifi device using iw on 6.17-rc5,
a page fault occurred in __cfg80211_connect_result(), preventing successful
connection.

The page fault is triggered because virt_wifi_connect_complete() sets
requested_bss to NULL when no BSSID is specified.

This patch fixes the bug by adding a check for a NULL connected_addr
before calling ether_addr_copy() in __cfg80211_connect_result().

Reproduction:
	root@host:~# modprobe virt_wifi
	root@host:~# ip tuntap add tap0 mode tap
	root@host:~# ip link set tap0 up
	root@host:~# ip link add link tap0 name wlan0 type virt_wifi
	root@host:~# iw dev wlan0 scan
	root@host:~# iw dev wlan0 connect "VirtWifi"

A kernel panic occurred after running the connect command.
Below are the panic messages from the kernel:

[  150.197544] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  150.199333] #PF: supervisor read access in kernel mode
[  150.199787] #PF: error_code(0x0000) - not-present page
[  150.200148] PGD 0 P4D 0
[  150.200339] Oops: Oops: 0000 [#1] SMP NOPTI
[  150.200641] CPU: 0 UID: 0 PID: 78 Comm: kworker/u4:5 Not tainted 6.17.0-rc5 #5 PREEMPT(voluntary)
[  150.201264] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[  150.202056] Workqueue: cfg80211 cfg80211_event_work [cfg80211]
[  150.202528] RIP: 0010:__cfg80211_connect_result+0x35d/0xa40 [cfg80211]
[  150.203032] Code: 8d 14 db 49 89 84 d6 00 04 00 00 41 0f b7 44 24 68 41 83 c5 01 44 89 eb 66 85 c0 75 b6 48 85 db 74 c0 41 80 8e a4 00 00 00 01 <41> 8b 07c
[  150.204305] RSP: 0018:ffffc9000069bd10 EFLAGS: 00010202
[  150.204670] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
[  150.205169] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888110e1f830
[  150.205666] RBP: ffffc9000069bd90 R08: ffffffff0000afd4 R09: 0000000000000003
[  150.206169] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8881065e4c18
[  150.206670] R13: 0000000000000001 R14: ffff888110e1f000 R15: 0000000000000000
[  150.207165] FS:  0000000000000000(0000) GS:ffff8881f7c3e000(0000) knlGS:0000000000000000
[  150.207723] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  150.208129] CR2: 0000000000000000 CR3: 000000010577d004 CR4: 0000000000372ef0
[  150.208627] Call Trace:
[  150.208811]  <TASK>
[  150.208972]  ? wakeup_preempt+0x74/0x80
[  150.209262]  cfg80211_process_wdev_events+0x13c/0x1b0 [cfg80211]
[  150.209738]  ? cfg80211_process_wdev_events+0x13c/0x1b0 [cfg80211]
[  150.210219]  cfg80211_process_rdev_events+0x2f/0x50 [cfg80211]
[  150.210766]  cfg80211_event_work+0x3a/0x60 [cfg80211]
[  150.211323]  process_scheduled_works+0xa3/0x420
[  150.211806]  worker_thread+0x12a/0x270
[  150.212170]  kthread+0x10d/0x230
[  150.212460]  ? __pfx_worker_thread+0x10/0x10
[  150.212770]  ? __pfx_kthread+0x10/0x10
[  150.213043]  ret_from_fork+0x8c/0x100
[  150.213322]  ? __pfx_kthread+0x10/0x10
[  150.213595]  ret_from_fork_asm+0x1a/0x30
[  150.213911]  </TASK>
[  150.214076] Modules linked in: virt_wifi cfg80211 intel_rapl_msr intel_rapl_common intel_uncore_frequency_common kvm_intel kvm bochs drm_client_lib drm_sh4
[  150.216925] CR2: 0000000000000000
[  150.217176] ---[ end trace 0000000000000000 ]---
[  150.217526] RIP: 0010:__cfg80211_connect_result+0x35d/0xa40 [cfg80211]
[  150.218120] Code: 8d 14 db 49 89 84 d6 00 04 00 00 41 0f b7 44 24 68 41 83 c5 01 44 89 eb 66 85 c0 75 b6 48 85 db 74 c0 41 80 8e a4 00 00 00 01 <41> 8b 07c
[  150.219483] RSP: 0018:ffffc9000069bd10 EFLAGS: 00010202
[  150.219863] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
[  150.220372] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888110e1f830
[  150.220874] RBP: ffffc9000069bd90 R08: ffffffff0000afd4 R09: 0000000000000003
[  150.221379] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8881065e4c18
[  150.221899] R13: 0000000000000001 R14: ffff888110e1f000 R15: 0000000000000000
[  150.222433] FS:  0000000000000000(0000) GS:ffff8881f7c3e000(0000) knlGS:0000000000000000
[  150.223192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  150.223728] CR2: 0000000000000000 CR3: 000000010577d004 CR4: 0000000000372ef0
[  150.224373] note: kworker/u4:5[78] exited with irqs disabled

Signed-off-by: James Guan <guan_yufei@163.com>
---
 net/wireless/sme.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 3a028ff287fb..6014d71d2845 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -863,7 +863,8 @@ void __cfg80211_connect_result(struct net_device *dev,
 		wdev->links[link].client.current_bss =
 			bss_from_pub(cr->links[link].bss);
 	wdev->connected = true;
-	ether_addr_copy(wdev->u.client.connected_addr, connected_addr);
+	if (connected_addr)
+		ether_addr_copy(wdev->u.client.connected_addr, connected_addr);
 	if (cr->valid_links) {
 		for_each_valid_link(cr, link)
 			memcpy(wdev->links[link].addr, cr->links[link].addr,
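Review bot: Guarding only the ether_addr_copy() call (the `+ if (connected_addr)` lines) papers over the real problem: the line just above it still sets `wdev->connected = true` unconditionally, so the wdev is marked connected while `wdev->u.client.connected_addr` is left unset, and any later reader of that field sees a stale or zeroed AP address. The commit message says the NULL comes from virt_wifi_connect_complete() passing a NULL requested_bss when no BSSID is given, which points at the caller (supplying the BSS it actually associated with) or at rejecting a connect result with no address before reaching this point, rather than silently skipping the copy here; at minimum the NULL case should be treated as a failed connection instead of a successful one.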
-- 
2.25.1
Re: [PATCH] wifi: cfg80211: Fix page fault in __cfg80211_connect_result()
Posted by Johannes Berg 3 weeks, 2 days ago
On Tue, 2025-09-09 at 14:32 +0800, James Guan wrote:
> When I attempted to connect to a virt_wifi device using iw on 6.17-rc5,
> a page fault occurred in __cfg80211_connect_result(), preventing successful
> connection.
> 
> The page fault is triggered because virt_wifi_connect_complete() sets
> requested_bss to NULL when no BSSID is specified.
> 
> This patch fixes the bug by adding a check for a NULL connected_addr
> before calling ether_addr_copy() in __cfg80211_connect_result().

That might fix the bug, but it makes no sense to have a connection
without an address of the AP that you connected to ...

johannes