Couple of fixes:

- mac80211: - long-standing injection bug due to chanctx rework - more recent interface iteration issue - collect statistics before removing stations - hwsim: - fix NAN frequency typo (potential NULL ptr deref) - fix locking of radio lock (needs softirqs disabled) - wext: - ancient issue with compat and events copying some uninitialized stack data to userspace -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEpeA8sTs3M8SN2hR410qiO8sPaAAFAmlfuIgACgkQ10qiO8sP aABFOQ/9Fgkpncx7+iA7Als75L4DkVz94k/PE+VCN8gmBQp7PwQLEHyLhm+EgK1d sSdRcgJAJ6P7sdyZ4foZlZszAEPdLLfb0JaYLEQ6h4+g6cVmaFzOSE2/6mUDE2OO SlYxWjF1wnzpL5InVE54UBGvfLEZyoO80xqQhSW5J6v2pBsovDsve1KMtT8a4myi zId7tpCpOTGuP9jtPJZWeBXZlLLIkvpTOyCAPQ57WJKCVflwxHVTpCFMEoDLbT8v KV6af8zns57Tu+VTLAD4CmBTXyWsVnOsLmRdB7a2S5X6zYoqiep0JMOnmVPcLwmm WhxIWgoquGHFKJxbCNp7tyG641Pa39ZfeBErqfZY0FTUgxVjj7tLdvwm1gxg5SAW gjv2TlnyrPhRhcD3ocjbudn7H+76rqPSZC7FwGhrmPi0CfrEgfYmS0S+g3Jng0x0 KrX1ej4/dSR6KTjvmZ62skLPq6HzRQVbOPuZhcYq9Gqt9yMQ57W3kHoDbiwaAwYi 0iTZo7W8JcyN3cbWVNKf4ZHDSywL+YNGVuY0o/umNQk0A+SXvk73HrhDVH2sj9h2 haP7+uOpN90YM1c+Zjfe3uxL0M3MPquGBojJZVDzMApRNczd/pSOvuIO7txhqy9B H9rjlHNyxYtsj4CZhML/GUSKYX551aO6WjyzgAxq/gSIfYxcb0k= =KKD4 -----END PGP SIGNATURE----- Merge tag 'wireless-2026-01-08' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless Johannes Berg says: ==================== Couple of fixes: - mac80211: - long-standing injection bug due to chanctx rework - more recent interface iteration issue - collect statistics before removing stations - hwsim: - fix NAN frequency typo (potential NULL ptr deref) - fix locking of radio lock (needs softirqs disabled) - wext: - ancient issue with compat and events copying some uninitialized stack data to userspace * tag 'wireless-2026-01-08' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: wifi: mac80211: collect station statistics earlier when disconnect wifi: mac80211: restore non-chanctx injection behaviour wifi: mac80211_hwsim: disable BHs for hwsim_radio_lock wifi: mac80211: don't iterate not running interfaces wifi: mac80211_hwsim: fix typo in frequency notification wifi: avoid kernel-infoleak from struct iw_point ==================== Link: https://patch.msgid.link/20260108140141.139687-3-johannes@sipsolutions.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-01-11 09:00:12 +00:00 · 2026-01-08 08:49:24 -08:00 · 2026-01-08 08:49:24 -08:00 · 804809ae40
commit 804809ae40
parent 4d984b0574 a203dbeeca
6 changed files with 20 additions and 6 deletions
--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
@ -4040,7 +4040,7 @@ mac80211_hwsim_nan_dw_start(struct hrtimer *timer)
 			ieee80211_vif_to_wdev(data->nan_device_vif);

 		if (data->nan_curr_dw_band == NL80211_BAND_5GHZ)
-			ch = ieee80211_get_channel(hw->wiphy, 5475);
+			ch = ieee80211_get_channel(hw->wiphy, 5745);
 		else
 			ch = ieee80211_get_channel(hw->wiphy, 2437);

@ -4112,14 +4112,14 @@ static int mac80211_hwsim_stop_nan(struct ieee80211_hw *hw,
 	hrtimer_cancel(&data->nan_timer);
 	data->nan_device_vif = NULL;

-	spin_lock(&hwsim_radio_lock);
+	spin_lock_bh(&hwsim_radio_lock);
 	list_for_each_entry(data2, &hwsim_radios, list) {
 		if (data2->nan_device_vif) {
 			nan_cluster_running = true;
 			break;
 		}
 	}
-	spin_unlock(&hwsim_radio_lock);
+	spin_unlock_bh(&hwsim_radio_lock);

 	if (!nan_cluster_running)
 		memset(hwsim_nan_cluster_id, 0, ETH_ALEN);
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@ -90,6 +90,9 @@ next_interface:
 	/* next (or first) interface */
 	iter->sdata = list_prepare_entry(iter->sdata, &local->interfaces, list);
 	list_for_each_entry_continue(iter->sdata, &local->interfaces, list) {
+		if (!ieee80211_sdata_running(iter->sdata))
+			continue;
+
 		/* AP_VLAN has a chanctx pointer but follows AP */
 		if (iter->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
 			continue;
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@ -1533,6 +1533,10 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc)
 		}
 	}

+	sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL);
+	if (sinfo)
+		sta_set_sinfo(sta, sinfo, true);
+
 	if (sta->uploaded) {
 		ret = drv_sta_state(local, sdata, sta, IEEE80211_STA_NONE,
 				    IEEE80211_STA_NOTEXIST);
@ -1541,9 +1545,6 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc)

 	sta_dbg(sdata, "Removed STA %pM\n", sta->sta.addr);

-	sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL);
-	if (sinfo)
-		sta_set_sinfo(sta, sinfo, true);
 	cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL);
 	kfree(sinfo);

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@ -2397,6 +2397,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,

 	if (chanctx_conf)
 		chandef = &chanctx_conf->def;
+	else if (local->emulate_chanctx)
+		chandef = &local->hw.conf.chandef;
 	else
 		goto fail_rcu;

--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@ -1101,6 +1101,10 @@ static int compat_standard_call(struct net_device	*dev,
 		return ioctl_standard_call(dev, iwr, cmd, info, handler);

 	iwp_compat = (struct compat_iw_point *) &iwr->u.data;
+
+	/* struct iw_point has a 32bit hole on 64bit arches. */
+	memset(&iwp, 0, sizeof(iwp));
+
 	iwp.pointer = compat_ptr(iwp_compat->pointer);
 	iwp.length = iwp_compat->length;
 	iwp.flags = iwp_compat->flags;
--- a/net/wireless/wext-priv.c
+++ b/net/wireless/wext-priv.c
@ -228,6 +228,10 @@ int compat_private_call(struct net_device *dev, struct iwreq *iwr,
 		struct iw_point iwp;

 		iwp_compat = (struct compat_iw_point *) &iwr->u.data;
+
+		/* struct iw_point has a 32bit hole on 64bit arches. */
+		memset(&iwp, 0, sizeof(iwp));
+
 		iwp.pointer = compat_ptr(iwp_compat->pointer);
 		iwp.length = iwp_compat->length;
 		iwp.flags = iwp_compat->flags;