wifi: mac80211: fix WARN_ON_ONCE in ieee80211_tdls_oper

[PATCH] wifi: mac80211: fix WARN_ON_ONCE in ieee80211_tdls_oper

Posted by Deepanshu Kartikey 4 weeks ago

NL80211_TDLS_ENABLE_LINK can be called without completing the TDLS
setup handshake, or after the TDLS_PEER_SETUP_TIMEOUT (15 seconds)
has expired and tdls_peer_del_work has zeroed out the peer address.
In both cases the WARN_ON_ONCE triggers because tdls_peer is either
zero or mismatched with the requested peer.

Replace the WARN_ON_ONCE with a proper check that returns -ENOLINK
to enforce that ENABLE_LINK can only proceed after a successful TDLS
handshake.

Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 net/mac80211/tdls.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index dbbfe2d6842f..d7d8b2fcc3ee 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -1457,8 +1457,9 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
 
 		set_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH);
 
-		WARN_ON_ONCE(is_zero_ether_addr(sdata->u.mgd.tdls_peer) ||
-			     !ether_addr_equal(sdata->u.mgd.tdls_peer, peer));
+		if (is_zero_ether_addr(sdata->u.mgd.tdls_peer) ||
+		    !ether_addr_equal(sdata->u.mgd.tdls_peer, peer))
+			return -ENOLINK;
 		break;
 	case NL80211_TDLS_DISABLE_LINK:
 		/*
-- 
2.43.0

Re: [PATCH] wifi: mac80211: fix WARN_ON_ONCE in ieee80211_tdls_oper

Posted by Johannes Berg 3 weeks, 4 days ago

On Tue, 2026-03-10 at 21:30 +0530, Deepanshu Kartikey wrote:
>  
> -		WARN_ON_ONCE(is_zero_ether_addr(sdata->u.mgd.tdls_peer) ||
> -			     !ether_addr_equal(sdata->u.mgd.tdls_peer, peer));
> +		if (is_zero_ether_addr(sdata->u.mgd.tdls_peer) ||
> +		    !ether_addr_equal(sdata->u.mgd.tdls_peer, peer))
> +			return -ENOLINK;
> 

I think that check needs to be earlier, otherwise side effects happen
(TDLS_PEER_AUTH flag).

Also, I'm a bit confused, how is it possible the sta_info_get() worked,
but there's no TDLS? Maybe really what it needs is

                sta = sta_info_get(sdata, peer);
-               if (!sta)
+               if (!sta || !sta->sta.tdls)
                        return -ENOLINK;

instead?

johannes

Re: [PATCH] wifi: mac80211: fix WARN_ON_ONCE in ieee80211_tdls_oper

Posted by Deepanshu Kartikey 3 weeks, 4 days ago

On Fri, Mar 13, 2026 at 12:42 PM Johannes Berg
<johannes@sipsolutions.net> wrote:

> On Tue, 2026-03-10 at 21:30 +0530, Deepanshu Kartikey wrote:
> I think that check needs to be earlier, otherwise side effects happen
> (TDLS_PEER_AUTH flag).
>
> Also, I'm a bit confused, how is it possible the sta_info_get() worked,
> but there's no TDLS? Maybe really what it needs is
>
>                 sta = sta_info_get(sdata, peer);
> -               if (!sta)
> +               if (!sta || !sta->sta.tdls)
>                         return -ENOLINK;
>
> instead?
>
> johannes

Thanks for the clarification. I have sent the v2 patch.

Deepanshu