From nobody Tue Apr  7 12:52:10 2026
Received: from mail-oo1-f71.google.com (mail-oo1-f71.google.com
 [209.85.161.71])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D64EC370D52
	for <linux-kernel@vger.kernel.org>; Fri, 13 Mar 2026 07:59:25 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.161.71
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1773388767; cv=none;
 b=Yn4EacZDkim2+3wQdtyqV8Y8PVW7TUv51DQDraOku36YDc1bEAvMCaPpnVRY7Kn9nCmeagfA0KBscFNUeT9G0bkQR+TymUra+wCWjIYdg7dErEuwtQzeK+dJ+J7dA6P+OjoK14YgoJfaLaMzi/Cqr2OCI4icZhe2BAooqfHX7aA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1773388767; c=relaxed/simple;
	bh=pv4txYoeVfLCqzLLufFOi6b+6mDDdI3klwxeGJkSx0U=;
	h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To:
	 Content-Type;
 b=NGCNGR2dKhcubuoodjAovdm6C4Wtkvn+IvTWTZEofwb2UyH5NO2amp/rX0SekgjNd5rQsFz2upJdAo+xdeGpp2yd1nScnbOS/0LVosvCoE54ywARTPEgx19bKx7eStawkes/wDXDWbX1PF1AsiINXBpJfdvL4dPPV/HwZ7pIBVE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com;
 spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com;
 arc=none smtp.client-ip=209.85.161.71
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com
Received: by mail-oo1-f71.google.com with SMTP id
 006d021491bc7-67bc657f0f3so29522272eaf.0
        for <linux-kernel@vger.kernel.org>;
 Fri, 13 Mar 2026 00:59:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1773388765; x=1773993565;
        h=to:from:subject:message-id:in-reply-to:date:mime-version
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=OfcWHfqCYDqYXVo31PJvmmA/hMpJPKgmwGdhJzQwJqY=;
        b=TDckcTdFgx2mEhn3+3b+hjhddAxsU0KOKFFyquNJhERHZAAV+XEiwzqvv199KkXkVy
         yfFA/GaHx1QtLsxJQERnDE7sb4wreUWoPvH+iNrt1AjiE+SCdeHH0AUahgRilVf7RvT7
         KuZ21qIhvi7MSbnwSwUmBlsPwYQe1g0vkUU5rS/pt/QiRrg+mkUKIXfByXKSXi/aK0jo
         FWw5zchTrucySAec+hDmDsM2yEqfCxe4YVWkqiXEwluZ03K9crO0GmXJm20Mge1dMVqS
         EV/6iN8ebSrohERZTi4OnAp3YbrcsPe1ZU1kKSsxie1k7bMcUnk4FlowQKe6F7A8L6WH
         bESg==
X-Gm-Message-State: AOJu0YyVuF0w6Ck03iXfMSjvgo4BycPC+hnpzz7p7jqba3oX1yHT/OPt
	0Q7t2B2ogWczTpkUNud1fp6sxdkS9bFLImIYF8MOp+zszbYeFxgSPCqHmoG19yFxecN0XBIR1M1
	eOe5gx4SGKiIRSag7t+CWzDXXdch4TkvcEzFexlkhXUgqmnm5FvOIY8Bg3sw=
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Received: by 2002:a05:6820:4b0d:b0:67b:b790:f5dd with SMTP id
 006d021491bc7-67bdaa9371dmr1484907eaf.74.1773388764897; Fri, 13 Mar 2026
 00:59:24 -0700 (PDT)
Date: Fri, 13 Mar 2026 00:59:24 -0700
In-Reply-To: <69af0a04.050a0220.310d8.002e.GAE@google.com>
X-Google-Appengine-App-Id: s~syzkaller
X-Google-Appengine-App-Id-Alias: syzkaller
Message-ID: <69b3c3dc.a00a0220.3b25d1.0006.GAE@google.com>
Subject: Forwarded: [PATCH] wifi: mac80211: check tdls flag in
 ieee80211_tdls_oper
From: syzbot <syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] wifi: mac80211: check tdls flag in ieee80211_tdls_oper
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git=
 master


When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
station exists but not whether it is actually a TDLS station. This
allows the operation to proceed for non-TDLS stations, causing
unintended side effects like modifying channel context and HT
protection before failing.

Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
any side effects occur, to ensure the operation is only allowed for
actual TDLS peers.

Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3D56b6a844a4ea74487b7b
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
v2: Instead of replacing WARN_ON_ONCE with tdls_peer address check,
    add early check for sta->sta.tdls flag before any side effects
    occur, as suggested by Johannes Berg.
---
 net/mac80211/tdls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index dbbfe2d6842f..1dca2fae05a5 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -1449,7 +1449,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct n=
et_device *dev,
 		}
=20
 		sta =3D sta_info_get(sdata, peer);
-		if (!sta)
+		if (!sta || !sta->sta.tdls)
 			return -ENOLINK;
=20
 		iee80211_tdls_recalc_chanctx(sdata, sta);
--=20
2.43.0