Commit 804809ae authored by Jakub Kicinski's avatar Jakub Kicinski

Merge tag 'wireless-2026-01-08' of...

Merge tag 'wireless-2026-01-08' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless

Johannes Berg says:

====================
Couple of fixes:
 - mac80211:
   - long-standing injection bug due to chanctx rework
   - more recent interface iteration issue
   - collect statistics before removing stations
 - hwsim:
   - fix NAN frequency typo (potential NULL ptr deref)
   - fix locking of radio lock (needs softirqs disabled)
 - wext:
   - ancient issue with compat and events copying some
     uninitialized stack data to userspace

* tag 'wireless-2026-01-08' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
  wifi: mac80211: collect station statistics earlier when disconnect
  wifi: mac80211: restore non-chanctx injection behaviour
  wifi: mac80211_hwsim: disable BHs for hwsim_radio_lock
  wifi: mac80211: don't iterate not running interfaces
  wifi: mac80211_hwsim: fix typo in frequency notification
  wifi: avoid kernel-infoleak from struct iw_point
====================

Link: https://patch.msgid.link/20260108140141.139687-3-johannes@sipsolutions.net


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 4d984b05 a203dbee
+3 −3
@@ -4040,7 +4040,7 @@ mac80211_hwsim_nan_dw_start(struct hrtimer *timer)
			ieee80211_vif_to_wdev(data->nan_device_vif);

		if (data->nan_curr_dw_band == NL80211_BAND_5GHZ)
			ch = ieee80211_get_channel(hw->wiphy, 5475);
			ch = ieee80211_get_channel(hw->wiphy, 5745);
		else
			ch = ieee80211_get_channel(hw->wiphy, 2437);

@@ -4112,14 +4112,14 @@ static int mac80211_hwsim_stop_nan(struct ieee80211_hw *hw,
	hrtimer_cancel(&data->nan_timer);
	data->nan_device_vif = NULL;

	spin_lock(&hwsim_radio_lock);
	spin_lock_bh(&hwsim_radio_lock);
	list_for_each_entry(data2, &hwsim_radios, list) {
		if (data2->nan_device_vif) {
			nan_cluster_running = true;
			break;
		}
	}
	spin_unlock(&hwsim_radio_lock);
	spin_unlock_bh(&hwsim_radio_lock);

	if (!nan_cluster_running)
		memset(hwsim_nan_cluster_id, 0, ETH_ALEN);
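Review bot: The result of `ieee80211_get_channel()` is stored in `ch` in the first hunk with no NULL check visible, and the merge description says the old frequency typo was a potential NULL pointer dereference, so the same failure returns if a wiphy ever lacks 5745 or 2437 MHz. Presumably `ch` is used just below the hunk; a guard such as `if (WARN_ON_ONCE(!ch)) return HRTIMER_NORESTART;` (adjusted to whatever the timer callback still has to do) would turn a future mismatch into a warning instead of an oops. Named constants for the two frequencies would also have made the 5475/5745 transposition easier to spot. The body of mac80211_hwsim_nan_dw_start continues outside the hunk, so an existing check there would make the guard unnecessary.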
+3 −0
@@ -90,6 +90,9 @@ static void ieee80211_chanctx_user_iter_next(struct ieee80211_local *local,
	/* next (or first) interface */
	iter->sdata = list_prepare_entry(iter->sdata, &local->interfaces, list);
	list_for_each_entry_continue(iter->sdata, &local->interfaces, list) {
		if (!ieee80211_sdata_running(iter->sdata))
			continue;

		/* AP_VLAN has a chanctx pointer but follows AP */
		if (iter->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
			continue;
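Review bot: The added `ieee80211_sdata_running()` test has no comment, while the AP_VLAN skip right below it does, so the reason for skipping is recorded only in the commit subject. A one-line comment such as `/* interfaces that are not running are not chanctx users */` above the check would keep it from being dropped in a later cleanup; the wording is inferred from the iterator's name and should be confirmed by the author. The loop body continues outside the hunk.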
+4 −3
@@ -1533,6 +1533,10 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc)
		}
	}

	sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL);
	if (sinfo)
		sta_set_sinfo(sta, sinfo, true);

	if (sta->uploaded) {
		ret = drv_sta_state(local, sdata, sta, IEEE80211_STA_NONE,
				    IEEE80211_STA_NOTEXIST);
@@ -1541,9 +1545,6 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc)

	sta_dbg(sdata, "Removed STA %pM\n", sta->sta.addr);

	sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL);
	if (sinfo)
		sta_set_sinfo(sta, sinfo, true);
	cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL);
	kfree(sinfo);
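Review bot: Nothing at the new allocation site says that `sta_set_sinfo()` has to run before `drv_sta_state()` moves the station to IEEE80211_STA_NOTEXIST, so the ordering this change depends on can be undone by a later cleanup. A comment above the `kzalloc()` such as `/* collect statistics before the driver forgets the station */` would record it (wording inferred from the commit subject). `sinfo` now also stays allocated across the lines between the two hunks, which are not shown here; any exit path there must still reach `kfree(sinfo)`. A failed allocation still passes a NULL `sinfo` to `cfg80211_del_sta_sinfo()` as before, silently dropping the statistics.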

+2 −0
@@ -2397,6 +2397,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,

	if (chanctx_conf)
		chandef = &chanctx_conf->def;
	else if (local->emulate_chanctx)
		chandef = &local->hw.conf.chandef;
	else
		goto fail_rcu;
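Review bot: The new `else if (local->emulate_chanctx)` branch lets injection proceed on `local->hw.conf.chandef` without a comment saying when a monitor interface has no `chanctx_conf` but still has a usable emulated channel. Something like `/* no chanctx on this vif: with chanctx emulation the current channel is in hw.conf */` would document it (wording to be confirmed by the author). Whatever regulatory or radar checks the function applies to `chandef` lie below the hunk; it is worth confirming that they run for this fallback as well, since the branch re-enables frame injection on that channel. ieee80211_monitor_start_xmit starts and ends outside the hunk.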

+4 −0
@@ -1101,6 +1101,10 @@ static int compat_standard_call(struct net_device *dev,
		return ioctl_standard_call(dev, iwr, cmd, info, handler);

	iwp_compat = (struct compat_iw_point *) &iwr->u.data;

	/* struct iw_point has a 32bit hole on 64bit arches. */
	memset(&iwp, 0, sizeof(iwp));

	iwp.pointer = compat_ptr(iwp_compat->pointer);
	iwp.length = iwp_compat->length;
	iwp.flags = iwp_compat->flags;
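Review bot: The comment above the `memset()` names the hole but not why an initializer would not do: `= {}` or member-wise assignment need not clear padding bytes, and the merge description says this structure's uninitialized stack contents were reaching userspace. Extending the comment to `/* struct iw_point has a 32bit hole on 64bit arches; memset() so the padding is zeroed before it is copied out. */` keeps someone from replacing the call with an initializer later. The declaration of `iwp` and its later use are outside the hunk.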