Commit 7d73872d authored Mar 13, 2026 by Deepanshu Kartikey Committed by Johannes Berg Mar 13, 2026

wifi: mac80211: check tdls flag in ieee80211_tdls_oper



When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
station exists but not whether it is actually a TDLS station. This
allows the operation to proceed for non-TDLS stations, causing
unintended side effects like modifying channel context and HT
protection before failing.

Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
any side effects occur, to ensure the operation is only allowed for
actual TDLS peers.

Reported-by:  <syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b


Tested-by:  <syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com>
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com


Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent 6dccbc9f

net/mac80211/tdls.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1449,7 +1449,7 @@ int ieee80211_tdls_oper(struct wiphy wiphy, struct net_device dev,
		}

		sta = sta_info_get(sdata, peer);
		if (!sta)
		if (!sta \|\| !sta->sta.tdls)
		return -ENOLINK;

		iee80211_tdls_recalc_chanctx(sdata, sta);