From: Weiming Shi
To: Johannes Berg
Cc: Mohan Kumar G, Dhanavandhana Kannan, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Xiang Mei, Weiming Yang, Weiming Shi
Subject: [PATCH wifi] wifi: mac80211: fix NULL dereference of eht_oper in ieee80211_start_ap()
Date: Sun, 31 May 2026 14:39:40 +0800
Message-ID: <20260531063939.2505982-2-bestswngs@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
From: Weiming Yang

ieee80211_start_ap() enters the EHT block when params->eht_cap is set, but
its last statement unconditionally dereferences params->eht_oper. The two
pointers are parsed from separate beacon-tail elements in
nl80211_calculate_ap_params(), and an EHT Operation element is not required
to be present when an EHT Capability element is.

A beacon tail carrying an HE Capability and HE Operation element (so
he_support is set) plus an EHT Capability element, but no EHT Operation
element, thus dereferences a NULL params->eht_oper:

 KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
 RIP: 0010:ieee80211_start_ap (net/mac80211/cfg.c:1599)
 Call Trace:
  nl80211_start_ap (net/wireless/nl80211.c:7177)
  genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
  genl_rcv_msg (net/netlink/genetlink.c:1209)
  netlink_rcv_skb (net/netlink/af_netlink.c:2550)
  genl_rcv (net/netlink/genetlink.c:1218)
  netlink_unicast (net/netlink/af_netlink.c:1344)
  netlink_sendmsg (net/netlink/af_netlink.c:1894)
  __sys_sendto (net/socket.c:2265)

NL80211_CMD_START_AP uses GENL_UNS_ADMIN_PERM, so this is reachable by an
unprivileged user in a user namespace.

Guard the dereference on params->eht_oper, as the HE block above already
does for params->he_oper.

Fixes: 22c64f37e1d4 ("wifi: mac80211: Update MCS15 support in link_conf")
Reported-by: Xiang Mei
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi
---
 net/mac80211/cfg.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 7b77d57c9f96f..5e8d4ccaa6be4 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1595,9 +1595,10 @@ static int ieee80211_start_ap(struct wiphy *wiphy, s= truct net_device *dev, (IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_80MHZ | IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_160MHZ | IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ); - link_conf->eht_disable_mcs15 =3D - u8_get_bits(params->eht_oper->params, - IEEE80211_EHT_OPER_MCS15_DISABLE); + if (params->eht_oper) + link_conf->eht_disable_mcs15 =3D + u8_get_bits(params->eht_oper->params, + IEEE80211_EHT_OPER_MCS15_DISABLE); } else { link_conf->eht_su_beamformer =3D false; link_conf->eht_su_beamformee =3D false; --=20 2.43.0
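Review bot: with the guard as written, link_conf->eht_disable_mcs15 is left untouched when params->eht_oper is NULL, so it keeps whatever value the link_conf already held (for instance from an earlier start_ap on the same link whose beacon tail did carry an EHT Operation element); the visible else branch resets eht_su_beamformer and eht_su_beamformee to false, but nothing in the hunk gives eht_disable_mcs15 a defined value for the "EHT Capability present, EHT Operation absent" case the commit message describes. Consider making the result explicit, e.g. `link_conf->eht_disable_mcs15 = params->eht_oper ? u8_get_bits(params->eht_oper->params, IEEE80211_EHT_OPER_MCS15_DISABLE) : false;` or an `else link_conf->eht_disable_mcs15 = false;` after the new if, so that a missing element cannot leak a stale MCS15 setting into the new AP configuration.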
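As an added illustration, not part of this patch or of the mac80211/nl80211 code, the following userspace C model reproduces the condition the commit message describes: a beacon tail is walked for extension elements, each of the four pointers (HE cap, HE oper, EHT cap, EHT oper) is looked up independently and may therefore be NULL, and a model of the patched EHT block only reads the EHT Operation parameters when that element is present. The WLAN_EID_* values are the ones from include/linux/ieee80211.h; the element walker, the ap_params/link_conf structs, the "EHT requires HE" rejection, the MCS15 bit value and the helper names are simplified assumptions made for this example, and the beacon tails are constructed by hand, not captured traffic.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 element IDs. The WLAN_EID_* values are those from
 * include/linux/ieee80211.h; everything else in this file is a userspace
 * model written for illustration, not kernel code. */
#define WLAN_EID_EXTENSION          255
#define WLAN_EID_EXT_HE_CAPABILITY   35
#define WLAN_EID_EXT_HE_OPERATION    36
#define WLAN_EID_EXT_EHT_OPERATION  106
#define WLAN_EID_EXT_EHT_CAPABILITY 108

/* Assumed bit for the MCS15-disable flag in the EHT Operation parameters
 * byte (the kernel's IEEE80211_EHT_OPER_MCS15_DISABLE; value assumed here). */
#define EHT_OPER_MCS15_DISABLE 0x40

/* Return the body (after the extension ID) of the first extension element
 * with ext ID `ext_id`, or NULL if it is absent or the tail is malformed.
 * Absence is a normal outcome: callers must not assume the element exists. */
static const uint8_t *find_ext_elem(const uint8_t *tail, size_t len, uint8_t ext_id)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t id = tail[off], elen = tail[off + 1];
        if (off + 2 + elen > len)
            return NULL;                  /* element runs past the buffer */
        if (id == WLAN_EID_EXTENSION && elen >= 1 && tail[off + 2] == ext_id)
            return tail + off + 3;        /* skip ID, length, extension ID */
        off += 2 + elen;
    }
    return NULL;
}

struct ap_params { const uint8_t *he_cap, *he_oper, *eht_cap, *eht_oper; };
struct link_conf { bool he_support, eht_support, eht_disable_mcs15; };

/* Model of nl80211_calculate_ap_params(): the four pointers are looked up
 * independently, so any subset of the elements may be present. */
static void calculate_ap_params(const uint8_t *tail, size_t len, struct ap_params *p)
{
    p->he_cap   = find_ext_elem(tail, len, WLAN_EID_EXT_HE_CAPABILITY);
    p->he_oper  = find_ext_elem(tail, len, WLAN_EID_EXT_HE_OPERATION);
    p->eht_cap  = find_ext_elem(tail, len, WLAN_EID_EXT_EHT_CAPABILITY);
    p->eht_oper = find_ext_elem(tail, len, WLAN_EID_EXT_EHT_OPERATION);
}

/* True for exactly the input the commit message describes: HE cap + HE oper
 * (so he_support is set) and EHT cap, but no EHT oper. The unpatched EHT
 * block would read eht_oper->params here with eht_oper == NULL. */
static bool tail_triggers_null_deref(const uint8_t *tail, size_t len)
{
    struct ap_params p;
    calculate_ap_params(tail, len, &p);
    return p.he_cap && p.he_oper && p.eht_cap && !p.eht_oper;
}

/* Model of the patched ieee80211_start_ap() EHT block: the EHT Operation
 * read is guarded, and link_conf is cleared first so a missing element
 * cannot leave a value from an earlier call behind. */
static int start_ap(const struct ap_params *p, struct link_conf *conf)
{
    memset(conf, 0, sizeof(*conf));
    conf->he_support = p->he_cap && p->he_oper;
    if (p->eht_cap) {
        if (!conf->he_support)
            return -EOPNOTSUPP;           /* EHT without HE is rejected (model) */
        conf->eht_support = true;
        if (p->eht_oper)                  /* the guard this patch adds */
            conf->eht_disable_mcs15 = (p->eht_oper[0] & EHT_OPER_MCS15_DISABLE) != 0;
    }
    return 0;
}

/* Parse + start_ap in one call: returns -errno on rejection, otherwise
 * 0/1 for the resulting eht_disable_mcs15. */
static int mcs15_disabled_for(const uint8_t *tail, size_t len)
{
    struct ap_params p;
    struct link_conf conf;
    int rc;
    calculate_ap_params(tail, len, &p);
    rc = start_ap(&p, &conf);
    return rc < 0 ? rc : (conf.eht_disable_mcs15 ? 1 : 0);
}

/* Constructed sample beacon tails (not captured traffic); element bodies
 * are dummy bytes except for the EHT Operation params byte. */
static const uint8_t TAIL_EHT_CAP_ONLY[] = {
    WLAN_EID_EXTENSION, 2, WLAN_EID_EXT_HE_CAPABILITY,  0x00,
    WLAN_EID_EXTENSION, 2, WLAN_EID_EXT_HE_OPERATION,   0x00,
    WLAN_EID_EXTENSION, 2, WLAN_EID_EXT_EHT_CAPABILITY, 0x00,
};
static const uint8_t TAIL_FULL_EHT[] = {
    WLAN_EID_EXTENSION, 2, WLAN_EID_EXT_HE_CAPABILITY,  0x00,
    WLAN_EID_EXTENSION, 2, WLAN_EID_EXT_HE_OPERATION,   0x00,
    WLAN_EID_EXTENSION, 2, WLAN_EID_EXT_EHT_CAPABILITY, 0x00,
    WLAN_EID_EXTENSION, 6, WLAN_EID_EXT_EHT_OPERATION,  EHT_OPER_MCS15_DISABLE, 0, 0, 0, 0,
};
static const uint8_t TAIL_EHT_WITHOUT_HE[] = {
    WLAN_EID_EXTENSION, 2, WLAN_EID_EXT_EHT_CAPABILITY, 0x00,
};

int main(void)
{
    printf("EHT cap, no EHT oper: unpatched would crash=%d, patched mcs15_disabled=%d\n",
           tail_triggers_null_deref(TAIL_EHT_CAP_ONLY, sizeof TAIL_EHT_CAP_ONLY),
           mcs15_disabled_for(TAIL_EHT_CAP_ONLY, sizeof TAIL_EHT_CAP_ONLY));
    printf("full EHT: mcs15_disabled=%d\n",
           mcs15_disabled_for(TAIL_FULL_EHT, sizeof TAIL_FULL_EHT));
    printf("EHT without HE: rc=%d\n",
           mcs15_disabled_for(TAIL_EHT_WITHOUT_HE, sizeof TAIL_EHT_WITHOUT_HE));
    return 0;
}
```

The point of `tail_triggers_null_deref()` is that the trigger is an ordinary, well-formed beacon tail: nothing in the element walker can reject it, so the only correct place to handle the missing element is at the dereference, which is what the guard in the hunk does. Clearing `link_conf` before the EHT block is the model's way of giving `eht_disable_mcs15` a defined value when the element is absent.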