From: Deepanshu Kartikey
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Subject: [PATCH v2] wifi: mac80211: check tdls flag in ieee80211_tdls_oper
Date: Fri, 13 Mar 2026 14:54:17 +0530
Message-ID: <20260313092417.520807-1-kartikey406@gmail.com>

When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
station exists but not whether it is actually a TDLS station. This
allows the operation to proceed for non-TDLS stations, causing
unintended side effects like modifying channel context and HT
protection before failing.

Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
any side effects occur, to ensure the operation is only allowed for
actual TDLS peers.

Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Suggested-by: Johannes Berg
Signed-off-by: Deepanshu Kartikey
---
v2: Instead of replacing WARN_ON_ONCE with tdls_peer address check,
    add early check for sta->sta.tdls flag before any side effects
    occur, as suggested by Johannes Berg.
---
 net/mac80211/tdls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c index dbbfe2d6842f..1dca2fae05a5 100644 --- a/net/mac80211/tdls.c +++ b/net/mac80211/tdls.c @@ -1449,7 +1449,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct n= et_device *dev, } =20 sta =3D sta_info_get(sdata, peer); - if (!sta) + if (!sta || !sta->sta.tdls) return -ENOLINK; =20 iee80211_tdls_recalc_chanctx(sdata, sta); --=20 2.43.0
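
Review bot: the new !sta->sta.tdls test in the if after sta_info_get(sdata, peer) returns the same -ENOLINK as the missing-station case, so a caller cannot tell "no such peer" from "peer exists but is not a TDLS station". If that distinction matters to userspace, split the test and give the non-TDLS case its own errno; if sharing -ENOLINK is intended, say so in the changelog. The placement ahead of iee80211_tdls_recalc_chanctx() matches the stated goal of rejecting before any side effects. The changelog itself never names the failure syzbot reported: WARN_ON_ONCE is mentioned only in the v2 note below the "---", which is dropped when the patch is applied. A sentence describing the warning, plus a Fixes: tag for the commit that introduced the unchecked path, would make the fix easier to backport.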