Message-ID: <20260205035223.20411-1-dhyan19022009@gmail.com>
Date: Thu,  5 Feb 2026 09:22:23 +0530
From: Dhyan K Prajapati <dhyan19022009@...il.com>
To: johannes@...solutions.net
Cc: linux-wireless@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Dhyan K Prajapati <dhyan19022009@...il.com>
Subject: [PATCH] mac80211: fix NULL pointer dereference when switching to monitor mode

When switching an interface to monitor mode, ieee80211_link_info_change_notify()
incorrectly sends BSS change notifications to drivers, even though monitor
interfaces have no associated BSS context. This causes NULL pointer dereferences
in drivers like iwldvm.

The bug occurs because the current code only returns early for monitor interfaces
when WANT_MONITOR_VIF is NOT set. When WANT_MONITOR_VIF IS set, execution breaks
from the switch statement and falls through to drv_link_info_changed(), which
triggers the crash when the driver attempts to dereference link->conf->bss.

Crash trace:
  RIP: iwlagn_bss_info_changed+0x19d/0x640 [iwldvm]
  Code: 49 8b 46 10 <8b> 10
  RAX: 0000000000000000 (NULL link->conf->bss)

Fix by unconditionally returning early for IFTYPE_MONITOR, consistent with
IFTYPE_AP_VLAN handling. Also simplify by merging both cases.

Device: Intel Centrino Advanced-N 6205

Signed-off-by: Dhyan K Prajapati <dhyan19022009@...il.com>
---
 net/mac80211/main.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index b05e313c7..bc93df21e 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -412,11 +412,8 @@ void ieee80211_link_info_change_notify(struct ieee80211_sub_if_data *sdata,
 
 	switch (sdata->vif.type) {
 	case NL80211_IFTYPE_AP_VLAN:
-		return;
 	case NL80211_IFTYPE_MONITOR:
-		if (!ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF))
-			return;
-		break;
+		return;
 	default:
 		break;
 	}
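Review bot: dropping the WANT_MONITOR_VIF check changes behaviour for every driver that sets that flag, not only iwldvm. The removed `if (!ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF))` / `return;` deliberately let drivers that ask for a monitor vif receive link info changes for it; after this hunk no monitor interface is ever reported to drv_link_info_changed(). Either the commit message should explain why that notification is wrong for all WANT_MONITOR_VIF drivers (the current text only establishes that iwldvm crashes on a NULL BSS), or the fix should instead make the monitor path tolerate the missing BSS context so drivers that rely on the notification keep getting it. Also, since `case NL80211_IFTYPE_AP_VLAN:` now falls through into `case NL80211_IFTYPE_MONITOR:` on purpose, a short comment above the shared `return;` would make the intent clear to later readers.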
-- 
2.43.0

