#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git
main
From 60bcef6c67edf66ff96367e03aaa70422585ea4a Mon Sep 17 00:00:00 2001
From: Moon Hee Lee <moonhee.lee.ca@xxxxxxxxx>
Date: Mon, 14 Jul 2025 19:02:10 -0700
Subject: [PATCH] mac80211: reject TDLS operations when station is not
associated
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
TDLS can be established only after the STA is connected to an AP.
If userspace (or fuzzers) issues NL80211_TDLS_* commands before
association is complete, internal state such as sdata->u.mgd.tdls_peer
remains uninitialised and ieee80211_tdls_oper() raises WARN_ON().
Add an “associated” check in ieee80211_tdls_oper() so the function
returns -EINVAL whenever the interface is not both in station mode
and already associated.
Signed-off-by: Moon Hee Lee <moonhee.lee.ca@xxxxxxxxx>
---
net/mac80211/tdls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index 94714f8ffd22..ba5fbacbeeda 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -1422,7 +1422,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
if (!(wiphy->flags & WIPHY_FLAG_SUPPORTS_TDLS))
return -EOPNOTSUPP;
- if (sdata->vif.type != NL80211_IFTYPE_STATION)
+ if (sdata->vif.type != NL80211_IFTYPE_STATION || !sdata->vif.cfg.assoc)
return -EINVAL;
switch (oper) {
--
2.43.0
