Commit 283fc9e4 authored May 05, 2026 by Johannes Berg

wifi: mac80211: remove station if connection prep fails

If connection preparation fails for MLO connections, then the
interface is completely reset to non-MLD. In this case, we must
not keep the station since it's related to the link of the vif
being removed. Delete an existing station. Any "new_sta" is
already being removed, so that doesn't need changes.

This fixes a use-after-free/double-free in debugfs if that's
enabled, because a vif going from MLD (and to MLD, but that's
not relevant here) recreates its entire debugfs.

Cc: stable@vger.kernel.org
Fixes: 81151ce4 ("wifi: mac80211: support MLO authentication/association with one link")
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260505151533.c4e52deb06ad.Iafe56cec7de8512626169496b134bce3a6c17010@changeid

Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent ac8eb3e1

net/mac80211/mlme.c

+4 −5

Original line number	Diff line number	Diff line
		@@ -9149,7 +9149,7 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
		struct ieee80211_bss bss = (void )cbss->priv;
		struct sta_info *new_sta = NULL;
		struct ieee80211_link_data *link;
		bool have_sta = false;
		struct sta_info *have_sta = NULL;
		bool mlo;
		int err;
		u16 new_links;
		@@ -9168,11 +9168,8 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
		mlo = false;
		}

		if (assoc) {
		rcu_read_lock();
		if (assoc)
		have_sta = sta_info_get(sdata, ap_mld_addr);
		rcu_read_unlock();
		}

		if (mlo && !have_sta &&
		WARN_ON(sdata->vif.valid_links \|\| sdata->vif.active_links))
		@@ -9336,6 +9333,8 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
		out_release_chan:
		ieee80211_link_release_channel(link);
		out_err:
		if (mlo && have_sta)
		WARN_ON(__sta_info_destroy(have_sta));
		ieee80211_vif_set_links(sdata, 0, 0);
		return err;
		}